Re: Homebrew Snort Reactive/Unified2 output

[Martin Holste <mcholste () gmail com>]

I suppose the syslog plugin would be better to read from because you
could have it log to a (local) network destination, which would
eliminate the 4-8 ms of disk access time for a unified write/read.
That's probably preferable, because most of the unified readers have a
polling mechanism to check for new entries; they are not async and so
you may be getting the new entries up to a second or two late.

Could a custom plugin be faster than the syslog plugin?  It's so
simple that I'm not sure there's much to strip out.

On Wed, Mar 30, 2011 at 11:07 PM, beenph <beenph () gmail com> wrote:
> What about writing a custom output pluggin ...rather than writing
> something that will parse unified2?
>
> -elz
>
>
>
> On Wed, Mar 30, 2011 at 6:56 PM, Korodev <korodev () gmail com> wrote:
> > > Why is speed a factor?  Are you trying to issue RST packets or issue
> > > firewall blocks/ACL rules?  If you want to kill an active connection,
> > > I don't think anything reading Snort's output will be reliably fast
> > > enough unless the connection is a rather large file download.  If
> > > you're not trying to kill the connection, then a few milliseconds
> > > difference between having a script do the reading and having something
> > > more built-in do the reading won't matter, and you should go with the
> > > ease-of-use of the script.
> >
> > Thanks for the link Martin. Speed is a factor because I would like to
> > be able to issue a firewall rule that could be a pipe divert, delay
> > queue, block, or something similar. With my current piping/delay
> > setup, I can afford ~15ms of time.
> >
> > \\korodev
> >
> > ------------------------------------------------------------------------------
> > Create and publish websites with WebMatrix
> > Use the most popular FREE web apps or write code yourself;
> > WebMatrix provides all the features you need to develop and
> > publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users