[Snort-devel] spo_database vs prelude and other output plugins
elof at ...969...
Wed Jan 25 04:11:02 EST 2006
I got two recommendations not to use spo_database...
Dirk Geschke wrote:
BTW: I would not use the database output plugin, use something
which is decoupled. If the database hungs or gets restarted you
will run into big problems...
Eric Lauzon wrote:
I dont know about your setup but from experience , i would tell you to
stay away from spo_database.c , as logging to a DBMS is a blocking call
and as a drawback if your database has some performance issue or if your
monitored network interface receive a burst of packets you might have some
drops, even with buffered lib pcap this issue may happen.
What alternative should one use today? I have ~50 sensors in different
countries. I need a nice frontend that can serve all sensors.
Prelude seem to be the best choice from a redundant point of view. Any
drawbacks with prelude compared to other output plugins?
More information about the Snort-devel