[Snort-devel] New alert logging mode wanted
agent33 at ...269...
Wed Nov 21 06:50:11 EST 2001
> Hi Martin,
> This type of logging/alerting method would be rather slow. Logging data
> in an ASCII format is already kind of pokey (meaning slower than logging
> in binary format). Having to log that data twice in different locations
> on the drive would slow things down even more. This would be bad
> because Snort should spend its time analyzing packets, not writing
> _duplicate_ log data to disk.
Agreed. I would also suggest playing with barnyard. It allows snort to
concentrate on analysis and just spool out a fast binary log file.
Barnyard then crunches the logfile and can output to database, CSV, text,
pcap, and even a new HTML log file type. Since it is still in the early
development phase, and has a very modular output plugin design, new and
different output types could easily be added.