Re: Spool Processors

[Dirk Geschke <Dirk_Geschke () genua de>]

Hi Gary,

> I am considering using the unified logging output plugin for snort with a 
> spool processor to dump the alerts/logs to MySQL.  As I see it I have 3 
> options: Barnyard, Mudpit and Flop.  Flop is out since I don't believe it 
> actually reads unified logs, but more importantly it can't support more 
> than one snort instance per machine, according to the documentation. 

yes FLoP only allows one snort process for a remote sensor. But
why do you want to run more instances? In my eyes it does not make
any sense at all. 

If the traffic is to high for one snort process then you should
think about a second machine. The overhead of running two instances
of snort on one machine is much too high. If you have several network
cards in several networks then you should really think of installing
several boxes each running one snort process. 

One advantage of FLoP is that you don't need to worry about disk
space on the sensor running snort...

Best regards

Dirk



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users