No subject

Thu Nov 23 16:31:58 EST 2017

Anyway, the project definitely looks cool and I am glad to see there is a real alternative to unified out and barnyard out there.


On Mon, Dec 01, 2003 at 10:13:13AM +0100, Dirk Geschke wrote:
> Hi Bamm,
> the only real problem I found is indeed if no process is reading
> from the unix socket. The FLoP approach won't ever block during
> a read process as long as the process (sockserv on the sensor
> side) is running. The program is threaded, one thread only reads
> the data from the socket and stores them in memory. A second
> thread waits simply for this data and forwards them to the
> central server.
> So the only real problem is if the process sockserv is not
> running. (But if you restart snort or snort is not running
> you have the same problem of missing alerts...)
> Further the output plugin of snort can recognize this problem.
> So snort won't hang on this problem but for now the alerts
> are lost. In principle it is no problem to write these alerts
> to the disk or forward them to syslog. You only need to code
> it... 
> Actually snort prints an ErrorMessage if no process is
> listening on the unix socket. Here you can plug in another
> output solution. But then you have to take care how to handle
> these alerts. Compared with the probability that this may 
> happen I simply ignored this problem up to now. 
> So simply test it and tell me if this is really a problem. Then
> we can think about how to solve it. But I guess that the effort
> to code this and survey the problem is too high in contrast to
> the probability that this scenario happens.
> Best regards
> Dirk
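
The disk fallback discussed in the quoted message, as an added example that is not part of the original thread and is not FLoP or Snort code. It assumes a datagram Unix socket; `deliver_alert`, `spool_alert`, the paths and the length-prefixed spool format are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum alert_result { ALERT_SENT = 0, ALERT_SPOOLED = 1, ALERT_LOST = -1 };

/* Append one record (native-endian length, then payload) for later replay on this host. */
static int spool_alert(const char *spool_path, const void *buf, size_t len)
{
    FILE *f = fopen(spool_path, "ab");
    if (!f) return -1;
    unsigned int n = (unsigned int)len;
    int ok = fwrite(&n, sizeof n, 1, f) == 1 && fwrite(buf, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Send one alert datagram to sock_path; if it cannot be delivered, spool it to disk. */
enum alert_result deliver_alert(const char *sock_path, const char *spool_path,
                                const void *buf, size_t len)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s", sock_path);

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd >= 0) {
        /* MSG_DONTWAIT: the sensor must never hang on a slow or absent reader. */
        ssize_t n = sendto(fd, buf, len, MSG_DONTWAIT,
                           (struct sockaddr *)&addr, sizeof addr);
        close(fd);
        if (n == (ssize_t)len) return ALERT_SENT;
        /* Typical failures: ENOENT (no socket file), ECONNREFUSED (stale socket
           file, no reader bound), EAGAIN (reader's queue is full). */
    }
    return spool_alert(spool_path, buf, len) == 0 ? ALERT_SPOOLED : ALERT_LOST;
}

int main(void)
{
    /* Constructed sample alert and placeholder paths, not taken from the thread. */
    const char *alert = "constructed sample alert";
    enum alert_result r = deliver_alert("/tmp/example-alert.sock",
                                        "/tmp/example-alert.spool", alert, strlen(alert));
    printf("result=%d (0 sent, 1 spooled, -1 lost)\n", (int)r);
    return r == ALERT_LOST;
}
```

A reader process that starts later can replay the spool file before it resumes reading from the socket, so a restart of the reader does not leave a gap in the alert stream.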

More information about the Snort-devel mailing list