[Snort-users] snort-1.8.7 and alert file

bthaler at ...2720...
Tue Jul 30 07:00:04 EDT 2002


Well, this is driving me nuts.

Snort-1.8.7 on OBSD-3.1, blah blah blah.

I'm pumping about 45Mbit thru Snort, and I'm getting unacceptable packet loss.  Here's what I tried:
ASCII logging = ~40% packet loss
MySQL logging = ~36% packet loss (better, but still bad)

Now, I'm using barnyard.  I had tried it before, but it wasn't really good back then.  Now it seems to be working fine.  The only
problem is that I'm still getting about 20% packet loss.  Yes, I've trimmed my rules WAY down.  I'm not going to tell the lurking
kiddies which rule subsets I'm using, but they're pretty much tuned as far as they can be.

Anyway, I was doing a little file maintenance on the snort sensor box, and I noticed that even though Snort is using the spo_unified
output plug-in, it's still writing that damn alert file.  Forgive me if this is a dumb question, but what's the point of
spo_unified's super-efficient logging, and Barnyard's external logfile parsing, if snort still has to write the alert file to the
disk?

I've checked the FAQs and READMEs, and couldn't find a thing.  A search through my archives of the list turns up a few messages
indicating that writing of the alert file will be suspended if the syslog output plug-in is used, but that's no use to me.  I need
to either write directly to a database, in which case the alert file is written, or write to the unified log and let Barnyard write
to the database, in which case it seems that the alert file is still written.

Is there any way for me to disable the writing of this file?  I'm sure it would do wonders for my packet loss problem.
Regards,
Brad T.