Snort mailing list archives

Re: Snort output redirection buffered


From: Chris Green <cmg () sourcefire com>
Date: Mon, 19 May 2003 14:25:55 -0400

JP Vossen <vossenjp () netaxs com> writes:

> It seems like Snort output is buffered quite a bit.  When running version
> 2.0.0 (Build 72) on Red Hat 8.0 2.4.18-27.8.0 as follows, the traffic is very
> bursty:
>       snort -vdCqi eth1 udp port 514 | SomeScript.pl
>       snort -vdCqi eth1 udp port 514 | tee somefile
>
> It seems like there is a buffer of between about 1500 - 2000 bytes.  Does that
> make sense or is there someone else I'm missing?  Any way to turn it off w/o
> patching the source?

Nope.

> If no, how hard would it be to patch the source (assume I know
> almost nothing about C :-)?

Add a fflush(stdout) to snort.c

    case MODE_PACKET_LOG:
            CallLogPlugins(&p, NULL, NULL, NULL);
            fflush(stdout);
-- 
Chris Green <cmg () sourcefire com>
Chicken's thinkin'
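
The effect discussed in this message, as an added example that is not part of the original post and is not Snort code: a stdio stream attached to a pipe holds a short record in its buffer until it is flushed, so the reader sees nothing until then. The function name and the sample record are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample record standing in for one decoded packet line. */
static const char RECORD[] = "05/19-14:25:55 10.0.0.1:514 -> 10.0.0.2:514 UDP\n";

/*
 * Write one record to a stdio stream backed by a pipe, optionally flush,
 * and report how many bytes the reader can see right away.
 * Returns the byte count (0 if nothing has arrived), or -1 on setup failure.
 */
long bytes_visible_to_reader(int flush_after_write)
{
    int fds[2];
    char buf[256];
    FILE *out;
    ssize_t n;

    if (pipe(fds) != 0)
        return -1;
    /* Non-blocking read end so an empty pipe returns at once. */
    if (fcntl(fds[0], F_SETFL, O_NONBLOCK) != 0 ||
        (out = fdopen(fds[1], "w")) == NULL) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    fputs(RECORD, out);        /* lands in the stdio buffer, not the pipe */
    if (flush_after_write)
        fflush(out);           /* pushes the record into the pipe now */

    n = read(fds[0], buf, sizeof buf);
    fclose(out);               /* flushes anything left, closes write end */
    close(fds[0]);
    return n < 0 ? 0 : (long)n;
}

int main(void)
{
    printf("no flush: %ld bytes visible\n", bytes_visible_to_reader(0));
    printf("fflush:   %ld bytes visible\n", bytes_visible_to_reader(1));
    return 0;
}
```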

