[Snort-devel] New alert logging mode wanted

Steve Halligan agent33 at ...269...
Wed Nov 21 06:50:11 EST 2001


> Hi Martin,
> 
> This type of logging/alerting method would be rather slow.  Logging data
> in an ASCII format is already kind of pokey (meaning slower than logging
> in binary format).  Having to log that data twice in different locations
> on the drive would slow things down even more.  This would be bad
> because Snort should spend its time analyzing packets, not writing
> _duplicate_ log data to disk.
> 

Agreed.  I would also suggest playing with barnyard.  It allows snort to
concentrate on analysis and just spool out a fast binary log file.
Barnyard then crunches the logfile and can output to database, CSV, text,
pcap, and even a new HTML log file type.  Since it is still in the early
development phase, and has a very modular output plugin design, new and
different output types could easily be added.

-Steve
