[Snort-users] File locking in 1.7

Michael Davis mike at ...92...
Sat Mar 3 21:23:48 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Am I missing something with the event log functionality?  I didn't
> see it as a viable method for large logs.

I like the event logging because there are many other utilities to
analyze the event log and generate alert responses (i.e. send you a page
or an email, etc.).

You can also use the remote syslog facility and log things to a
remote syslog server.
 
> > The file locking is a Windows problem not a snort problem.
> How is that, when 1.6.3 did not lock the logs?  Not saying you're
> wrong, just wondering about the technical details.  :)

1.6.3 opened and closed the alert file every time an alert was
generated. This is a waste of resources and time. In 1.7 the alert
file is opened once and a file descriptor is passed around. Less time
and resources are wasted. Win32 locks files from being read if they
are in use by another program. The only way to combat this is by
copying the file and then reading it.

Hope that helps ;)

Michael Davis
Chief Technical Officer
Data Nerds, LLC.
http://www.datanerds.net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOqGnM/iUqZ9dnoKsEQIQMACg5APO5kBqsbRR8KfoKLyJ4QxhM0oAnRKp
kRu1YE23IiqkvD77VWsiMBtd
=IXJz
-----END PGP SIGNATURE-----
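
The copy-then-read workaround described in the message above, sketched as an added example that is not part of the original post or of Snort's own code: a monitor snapshots the alert file, parses only the bytes added since its last pass, and restarts from zero if the file shrank. The function names and the `alert.ids` file name are assumptions, the alert lines are constructed, and the sketch assumes the copy of the in-use file is permitted, as the message states.

```python
import os
import shutil
import tempfile


def read_new_alerts(live_path, offset=0):
    """Copy the live alert file, then read the copy starting at `offset`.

    Returns (complete_lines, new_offset). The live file is only touched for
    the duration of the copy; all parsing happens on the snapshot.
    """
    fd, snap = tempfile.mkstemp(prefix="alert-snap-")
    os.close(fd)
    try:
        shutil.copyfile(live_path, snap)
        if os.path.getsize(snap) < offset:
            offset = 0  # file was truncated or rotated: start over
        with open(snap, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
    finally:
        os.remove(snap)
    # Keep only complete lines; a half-written last line is picked up next pass.
    end = data.rfind(b"\n") + 1
    lines = data[:end].decode("utf-8", "replace").splitlines()
    return lines, offset + end


def demo():
    """Simulate a writer that keeps the alert file open between alerts."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "alert.ids")  # assumed file name
    writer = open(live, "ab")  # opened once and held, like the 1.7 behaviour
    try:
        # Constructed sample alerts; the second is cut off mid-write.
        writer.write(b"[**] constructed alert 1 [**]\n[**] constructed al")
        writer.flush()
        first, offset = read_new_alerts(live)
        writer.write(b"ert 2 [**]\n")
        writer.flush()
        second, offset = read_new_alerts(live, offset)
    finally:
        writer.close()
        shutil.rmtree(workdir)
    return first, second, offset


if __name__ == "__main__":
    print(demo())
```
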





