[Snort-devel] spo_database vs prelude and other output plugins

Martin Olsson elof at ...969...
Wed Jan 25 04:11:02 EST 2006


I got two recommendations not to use spo_database...

Dirk Geschke wrote:
BTW: I would not use the database output plugin, use something
which is decoupled. If the database hungs or gets restarted you
will run into big problems...

Eric Lauzon wrote:
I dont know about your setup but from experience , i would tell you to
stay away from spo_database.c , as logging to a DBMS is a blocking call
and as a drawback if your database has some performance issue or if your
monitored network interface receive a burst of packets you might have some
drops, even with buffered lib pcap this issue may happen.



What alternative should one use today? I have ~50 sensors in different
countries. I need a nice frontend that can serve all sensors.

Prelude seem to be the best choice from a redundant point of view. Any
drawbacks with prelude compared to other output plugins?

/Martin





More information about the Snort-devel mailing list