> The idea of the project is to decouple the output from the snort
> sniffing process. The alerts together with the payload are written
> via a unix domain socket to a threaded process called sockserv.


> Since we are using unix domain sockets to communicate between
> the processes - which do not block - this communication is quite
> fast and we have no blocking processes.

Would it not make sense to make use of the unified output plugins?
They don't block either and then your application could read from the
output files and forward data to the server.  If your remote server
goes down you can just stop reading and let the alerts buffer up in
the files until your server is available again.  I've done exactly
this for a commercial application and it works very well.

I know this resembles what Barnyard does, but Barnyard wasn't useful
in our application.

I guess this wouldn't work if the unified output doesn't contain all
the data you are after.
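
The spool-and-forward pattern described in this reply, as an added example that is not part of the original message or of Snort. It assumes a simple record framing (4-byte type and 4-byte length, big-endian) rather than the real unified file layout; `drain`, `forward`, `demo` and the spool file name are hypothetical.

```python
import os, struct, tempfile

# Assumed framing for this example only: record type, payload length (big-endian).
HDR = struct.Struct(">II")

def drain(spool_path, offset, forward):
    """Forward complete records from offset; return the offset to resume from."""
    with open(spool_path, "rb") as f:
        f.seek(offset)
        while True:
            hdr = f.read(HDR.size)
            if len(hdr) < HDR.size:
                return offset              # no complete header yet
            rtype, length = HDR.unpack(hdr)
            body = f.read(length)
            if len(body) < length:
                return offset              # writer is mid-record; retry later
            try:
                forward(rtype, body)
            except ConnectionError:
                return offset              # server down: record stays in the spool
            offset = f.tell()              # a real reader would persist this checkpoint

def demo():
    """Constructed spool: two full records, then one the writer has not finished."""
    sent, state = [], {"up": False}
    def forward(rtype, body):
        if not state["up"]:
            raise ConnectionError("remote server unavailable")
        sent.append((rtype, body))
    rec = lambda t, b: HDR.pack(t, len(b)) + b
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "alerts.spool")
        with open(path, "wb") as f:
            f.write(rec(1, b"alert-1") + rec(1, b"alert-2"))
            f.write(rec(1, b"alert-3")[:-3])       # truncated final record
        off_down = drain(path, 0, forward)         # server down: nothing consumed
        state["up"] = True
        off = drain(path, off_down, forward)       # sends 2, stops at partial record
        with open(path, "ab") as f:
            f.write(b"t-3")                        # writer completes the record
        off = drain(path, off, forward)
        return off_down, sent, off

if __name__ == "__main__":
    print(demo())
```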

