Re: Homebrew Snort Reactive/Unified2 output

[Korodev <korodev () gmail com>]

> It is my opinion that you are better off spooling off of U2 files.  Given
> what you describe, you would not be reacting in real-time anyway and packets
> have already made it through, regardless of reacting using an output plugin
> or spooling off of U2 files.  The obvious benefit of spooling off of U2
> files is that it's snort version independent and does not require you to
> patch / maintain changes to the snort source every time a new version comes
> out.
>
> Just my .02
> JJC


Thanks for your input. I'm thinking spooling off U2 files in the end
will probably be the best solution, but I would like to experiment
with the output plugin. However, the common polling approach when
dealing with the U2 files won't work very well to achieve the desired
goals, so I'll have to implement some sort of async solution using
kqueue or something similar in FreeBSD.

\\korodev

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users