Re: Homebrew Snort Reactive/Unified2 output

[Korodev <korodev () gmail com>]

> > > The absolute fastest place to fire a response post-detection would be
> > > an output plugin.  There's no need to hook the U2 output plugin or
> > > write an output module for BY2, depending on a number of factors
> > > you're not going to get the absolute fastest activation time for your
> > > code from the point of detection.

In follow up to this discussion, I've started working on my output
plugin and had a few questions in regards to what happens to alert
data between inspection about output processing. In short, I plan on
running dual output plugins (custom and unified2) and am interested to
know what kind of effects to watch for if my custom output plugin is
to slow. What happens if an event is sent to the output plugin, but
the output plugin hasn't finished processing the previous event. Is
there a queueing mechanism implemented here that will lead to a memory
usage spike? Just trying to figure out what sort of things to watch
for in my testing.

\\korodev

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users