Snort mailing list archives
Re: Alerting unified or (fast) ASCII?
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 20 Oct 2004 11:31:13 -0400
At 09:50 AM 10/20/2004, Edin Dizdarevic wrote:
> can anyone give me a hint, what kind of alerting in terms of performance is to prefer:
> - Unified alerting w. by
> - ASCII alerting in fast mode (-A fast)
> My assumption is that it should not really matter or advantage to the ASCII-Mode respectively.
Unified will allow snort to handle a significantly larger load, as most of the data is written out in the raw binary format it appears in the IP packet. ASCII mode logging requires some additional translation.
> After all a second by instance for alerting (besides logging) is needed.
Ahhh, but here's where you're missing something. The fact that barnyard is used does not speed up how long it takes to get alerts written into a textual format. However, it removes the ascii conversion from snort's time-critical packet capture process. This greatly reduces packet drop rate.
The overall CPU consumption is the same, but the time-critical path is much shorter in the unified/barnyard case.
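The split Matt describes, a capture-side writer that only emits raw binary records and a separate consumer that does the expensive text formatting, can be illustrated with a small Python sketch. This is an added example, not code from the thread, Snort or barnyard; the record layout, the sid-to-message table and the sample events are constructed for illustration and only approximate the real unified and fast-alert formats.

```python
"""Unified-style spool writer (cheap, on the capture path) and a separate
fast-alert converter (string formatting, off the capture path).
The record layout and message table are constructed for this example and
are NOT Snort's real unified format or sid-msg.map."""
import socket
import struct
from datetime import datetime, timezone

# Constructed fixed-size record: gid, sid, rev, priority, ts_sec, ts_usec,
# src ip, dst ip (as 32-bit ints), src port, dst port, protocol number.
# "!" = network byte order, no padding.
RECORD_FMT = "!IIIIIIIIHHB"
RECORD_SIZE = struct.calcsize(RECORD_FMT)

# Hypothetical sid -> rule message table (the role sid-msg.map plays for barnyard).
SID_MSG = {
    1000001: "EXAMPLE probe to web server",
    1000002: "EXAMPLE repeated login failure",
}
PROTO_NAME = {1: "ICMP", 6: "TCP", 17: "UDP"}


def pack_alert(gid, sid, rev, priority, ts_sec, ts_usec, src, dst, sport, dport, proto):
    """Capture-side work: byte packing only, no string formatting or lookups."""
    return struct.pack(
        RECORD_FMT, gid, sid, rev, priority, ts_sec, ts_usec,
        int.from_bytes(socket.inet_aton(src), "big"),
        int.from_bytes(socket.inet_aton(dst), "big"),
        sport, dport, proto,
    )


def read_records(blob):
    """Consumer side: walk fixed-size records; a trailing partial record
    (writer still mid-write) is ignored rather than misparsed."""
    usable = len(blob) - len(blob) % RECORD_SIZE
    for off in range(0, usable, RECORD_SIZE):
        yield struct.unpack(RECORD_FMT, blob[off:off + RECORD_SIZE])


def to_fast_line(rec):
    """Render one record in a layout approximating Snort's -A fast output."""
    gid, sid, rev, prio, sec, usec, src, dst, sport, dport, proto = rec
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%m/%d-%H:%M:%S")
    msg = SID_MSG.get(sid, "Snort Alert [%d:%d:%d]" % (gid, sid, rev))
    return "%s.%06d  [**] [%d:%d:%d] %s [**] [Priority: %d] {%s} %s:%d -> %s:%d" % (
        ts, usec, gid, sid, rev, msg, prio, PROTO_NAME.get(proto, str(proto)),
        socket.inet_ntoa(src.to_bytes(4, "big")), sport,
        socket.inet_ntoa(dst.to_bytes(4, "big")), dport,
    )


def convert_spool(blob):
    """The barnyard-like step: all text work happens here, not in capture."""
    return [to_fast_line(r) for r in read_records(blob)]


# Constructed sample spool: two alerts timestamped 2004-10-20 13:50:00 UTC.
SAMPLE_SPOOL = (
    pack_alert(1, 1000001, 1, 2, 1098280200, 123456,
               "192.0.2.10", "192.0.2.80", 40123, 80, 6)
    + pack_alert(1, 1000002, 3, 1, 1098280200, 654321,
                 "198.51.100.7", "192.0.2.22", 51000, 22, 6)
)

if __name__ == "__main__":
    for line in convert_spool(SAMPLE_SPOOL):
        print(line)
```

The point of the structure is visible in the two halves: `pack_alert` does nothing but copy integers into a buffer, which is what keeps the capture loop short, while every lookup and format call sits in `convert_spool`, which can run as a separate process and lag behind without dropping packets.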
Current thread:
- Alerting unified or (fast) ASCII? Edin Dizdarevic (Oct 20)
- Re: Alerting unified or (fast) ASCII? Matt Kettler (Oct 20)
- Re: Alerting unified or (fast) ASCII? Edin Dizdarevic (Oct 20)
- Re: Alerting unified or (fast) ASCII? Matt Kettler (Oct 20)
- Re: Alerting unified or (fast) ASCII? Edin Dizdarevic (Oct 20)
- Re: Alerting unified or (fast) ASCII? Matt Kettler (Oct 20)