Re: Alerting unified or (fast) ASCII?

[Matt Kettler <mkettler () evi-inc com>]

At 09:50 AM 10/20/2004, Edin Dizdarevic wrote:
> can anyone give me a hint, what kind of alerting in terms of performance
> is to prefer:
>
> - Unified alerting w. by
> - ASCII alerting in fast mode (-A fast)
>
> My assumption is that it should not really matter or advantage to the
> ASCII-Mode respectievely.

Unified will allow snort to handle a significantly larger load, as most of 
the data is written out in the raw binary format it appears in the IP 
packet. ASCII mode logging reuqires some additional translation.

> After all a second by instance for alerting
> (besides logging) is needed.

Ahhh, but here's where you're missing something. The fact that barnyard is 
used does not speed up long it takes to get alerts written into a textual 
format. However, it removes the ascii conversion from snort's time-critical 
packet capture process. This greatly reduces packet drop rate.

The overall CPU consumption is the same, but the time-critical path is much 
shorter in the unified/barnyard case.




-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users