[Snort-devel] New version of FLoP: 1.0.6

Dirk Geschke Dirk at ...972...
Tue Dec 16 14:15:04 EST 2003


Hi all,

I just released a new development version of FLoP, the Fast Logging
Project for snort.

The changes are:

+ A swap file feature for each remote sensor is added: If the database
  dies, get killed or is stopped all INSERT's will fail. Therefore all
  connections to remote sensors are closed and the buffered alerts are
  written to swap files (for each sensor one file).

+ If the remote sensors try to connect again and the database is still
  gone: The connection is refused with an appropiate error message so
  that the remote processes can decide what to do.

+ If the database is available again: First a check for the presence 
  of a swap file is done. If such a file exists all alerts are read 
  in and were buffered in memory. Then the normal process starts up.

+ If a SIGHUP/SIGINT/SIGTERM is received all connections are closed
  and the buffered alerts are written to the swap files. If this fails
  there is still the DROP feature available as a last possibility to
  save some informations.

+ This is only done on the central server, the remote sensors still
  have to buffer all alerts in memory.

+ Finally some minor bugs are fixed related to solaris systems. Solaris
  seems to have two different versions of (p)threads...

All these changes are still experimental, they work well on my computers
but are not tested in the wild. (Who likes to kill a running database to
test all these features?)

You can still find all this at:

  http://www.geschke-online.de/FLoP

Note: The documentation is not updated, it is still for version 1.0,
the same counts for the linux binaries. These binaries are linked
against the glibc version 2.3 (Am I the only one who believes that
the glibc is still in beta stadium? All new versions have some very
strange behaviours...)

Please: Download the sources, install them, test them and give me some
kind of feedback, especially if you find bugs.

And of course: Some comments are appreciated.

Best regards

Dirk Geschke





More information about the Snort-devel mailing list