Snort mailing list archives
snort-1.8.7 and alert file
From: <bthaler () webstream net>
Date: Tue, 30 Jul 2002 09:59:01 -0400
Well, this is driving me nuts. Snort-1.8.7 on OBSD-3.1, blah blah blah. I'm pumping about 45Mbit thru Snort, and I'm getting unacceptable packet loss. Here's what I tried:

- ASCII logging = ~40% packet loss
- MySQL logging = ~36% packet loss (better, but still bad)

Now, I'm using barnyard. I had tried it before, but it wasn't really good back then. Now it seems to be working fine. The only problem is that I'm still getting about 20% packet loss.

Yes, I've trimmed my rules WAY down. I'm not going to tell the lurking kiddies which rule subsets I'm using, but they're pretty much tuned as far as they can be.

Anyway, I was doing a little file maintenance on the snort sensor box, and I noticed that even though Snort is using the spo_unified output plug-in, it's still writing that damn alert file. Forgive me if this is a dumb question, but what's the point of spo_unified's super-efficient logging, and Barnyard's external logfile parsing, if snort still has to write the alert file to the disk?

I've checked the FAQs and READMEs, and couldn't find a thing. A search through my archives of the list turns up a few messages indicating that writing of the alert file will be suspended if the syslog output plug-in is used, but that's no use to me. I need to either write directly to a database, in which case the alert file is written, or write to the unified log and let Barnyard write to the database, in which case it seems that the alert file is still written.

Is there any way for me to disable the writing of this file? I'm sure it would do wonders for my packet loss problem.

Regards,
Brad T.
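For readers following the question above: in Snort 1.8.x the unified format is exposed as two separate output plugins, one for alerts and one for packet logs, so "using spo_unified" can mean only one of them is configured. The snort.conf fragment below is an added illustration, not part of the original post or of the Snort project's shipped configuration; the plugin names and the `filename`/`limit` parameters follow the example lines in the 1.8.x snort.conf, while the filenames and the 128 MB limit are placeholder values, and the note about `-A none` reflects the alert modes listed in Snort 1.8's usage text (check `snort -?` on your build before relying on it).

```conf
# Added example: send BOTH alert and log output to unified files for
# Barnyard to consume, so that no per-alert ASCII or database write
# happens on the sensor's capture path.

# Alerts in unified format (snort.alert.<timestamp> in the log dir).
# Filename and size limit (MB) are placeholder values.
output alert_unified: filename snort.alert, limit 128

# Packet logs in unified format (snort.log.<timestamp>).
output log_unified: filename snort.log, limit 128

# Nothing else should be declared as an alert output here; a second
# alert plugin (alert_full, alert_fast, database with "alert" type)
# is what produces a separate alert file alongside the unified one.
#
# Command line for the sensor: the alert mode switch controls the
# built-in text alerter, e.g.
#   snort -c /etc/snort/snort.conf -i <capture-if> -D -A none
# where "-A none" asks Snort to turn off its default alert output
# (assumption: verify against your version's usage text).
```

The defensive rationale is that every write on the capture path costs capture time; moving both alert and log serialization to the sequential unified files, and leaving the database insertion to Barnyard, is the split the post is reaching for. Packet-loss figures should still be re-measured after the change rather than assumed.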
Current thread:
- snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file Andrew R. Baker (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Scott Nursten (Jul 30)
- Re: snort-1.8.7 and alert file Michael Scheidell (Aug 02)
- Re: snort-1.8.7 and alert file Andreas Hasenack (Aug 02)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)