[Snort-devel] Re: [Snort-users] Announce: FLoP-1.0 --- Fast Logging Project for snort

Bamm Visscher bamm at ...101...
Mon Dec 1 09:49:08 EST 2003


Dirk,

I hope you don't think I was attacking flop. I actually want to take a close look at what you've done and also talk to you about supporting sguil (http://sguil.sf.net) and its DB schema. My only intent was to start a discussion of the main disadvantage of using the unix socket plugin with snort: that if for any reason the process reading the unix socket dies, any alerts that snort writes while the proc is down are gone forever. In short, by using the unix socket, you've added another potential point of failure to your IDS. Please understand that I believe that risk is fairly low (at least for a well written/tested program), but there are those that may not be willing to accept that risk, just like there are those that won't entertain the idea of an inline IDS (versus passive monitoring) for the sole reason that an inline IDS brings another point of failure into the network.

Now that that is said, can you answer a couple of questions (why RTFM when I have your ear ;) ).
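[Added example, not part of Bamm's message and not code from snort's unix socket output plugin, FLoP or sguil.] The failure mode above is easy to reproduce: a SOCK_DGRAM unix socket has no queue of its own, so every sendto() made while no reader is bound to the path fails and the alert is dropped. The script below shows that loss with a naive writer, then shows one mitigation a practitioner might want on the writer side: append to a local spool file whenever the socket is unavailable and replay the spool, in order, before new alerts once a reader is back. Socket path, spool file and alert text are constructed for the demo.

```python
"""Alert loss over a datagram unix socket when the reader dies, and a
spool-and-replay writer that survives it.  Added example; not the snort
unix socket output plugin.  All paths and alert strings are constructed."""

import os
import socket
import tempfile


def make_reader(path):
    """Bind a datagram unix socket at path, as the consuming process would."""
    if os.path.exists(path):
        os.unlink(path)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(path)
    return s


def drain(reader):
    """Return every datagram currently queued on the reader socket."""
    out = []
    reader.setblocking(False)
    while True:
        try:
            out.append(reader.recv(4096).decode())
        except BlockingIOError:
            return out


def send_unspooled(path, alerts):
    """Naive writer: one sendto per alert, nothing kept on failure.
    Returns (delivered, lost)."""
    w = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    delivered = lost = 0
    for a in alerts:
        try:
            w.sendto(a.encode(), path)
            delivered += 1
        except OSError:  # ENOENT / ECONNREFUSED: no reader bound at path
            lost += 1
    w.close()
    return delivered, lost


class SpoolingWriter:
    """Writer that appends to a spool file while the socket is unavailable and
    replays the spool, in order, ahead of new alerts once a reader is back."""

    def __init__(self, path, spool):
        self.path = path
        self.spool = spool
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)

    def _try_send(self, alert):
        try:
            self.sock.sendto(alert.encode(), self.path)
            return True
        except OSError:
            return False

    def _spooled(self):
        if not os.path.exists(self.spool):
            return []
        with open(self.spool) as f:
            return [line.rstrip("\n") for line in f if line.strip()]

    def send(self, alert):
        """Deliver spooled alerts then this one; returns how many went out."""
        pending = self._spooled() + [alert]
        remaining = []
        for a in pending:
            # Once one send fails, keep the rest in order rather than reorder.
            if remaining or not self._try_send(a):
                remaining.append(a)
        with open(self.spool, "w") as f:
            f.write("".join(a + "\n" for a in remaining))
        return len(pending) - len(remaining)


def run_demo():
    """Reproduce the loss, then the spooled recovery; returns both outcomes."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "snort_alert")
    spool = os.path.join(tmp, "alert.spool")
    alerts = ["[1:2003:1] constructed alert %d" % i for i in range(3)]

    # Naive writer: reader up for two alerts, then the reader "dies".
    r = make_reader(path)
    d1, l1 = send_unspooled(path, alerts[:2])
    got_up = drain(r)
    r.close()
    os.unlink(path)
    d2, l2 = send_unspooled(path, alerts[:2])  # these two are gone forever

    # Spooling writer: reader down for two alerts, then back for the third.
    w = SpoolingWriter(path, spool)
    sent_down = sum(w.send(a) for a in alerts[:2])
    r2 = make_reader(path)
    sent_up = w.send(alerts[2])
    got_after = drain(r2)
    r2.close()
    os.unlink(path)
    return {"naive": (d1, l1, len(got_up), d2, l2),
            "spooled": (sent_down, sent_up, got_after)}


if __name__ == "__main__":
    print(run_demo())
```

The naive writer reports two delivered and two lost; the spooling writer delivers nothing while the reader is down but hands over all three alerts, in order, on the first send after the reader rebinds. A spool on local disk turns the "reader died" risk into a bounded delay rather than silent loss; what it does not cover is the reader dying with datagrams still in its receive buffer, which the writer cannot see.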


