[Snort-devel] Snort-snmp

Glenn Mansfield Keeni glenn at ...1085...
Thu Dec 18 02:26:02 EST 2003


Chris Green wrote:

> Glenn Mansfield Keeni <glenn at ...1085...> writes:
> 
> 
>>Do we want the alerting mechanism and snort trap/inform mechanism to have
>>the same throttle?
>>
>>The trap/inform is a much heavier task compared to other alerting mechanisms-
>>with that in mind we set the threshold for traps/informs much lower than
>>that for alerts.
> 
> 
> I think it's roughly equivalent to mysql output in processing power
> required.
> 
> Almost every time I've seen output alerting to multiple output plugins
> at once, it's to work around some deficiency in an output plugin so I
> don't see why we can't force them all to have the same threshold
> limits.
> 
> To add a specific rate limit, an output type parameter should be added
> to the rate limiting code.

Agreed. That is the way it should be done. My ignorance - I wasn't aware
of the rate limiting code.

Thanks and Cheers

       Glenn





