[Snort-users] New version of FLoP: 1.0.6
Dirk at ...10648...
Tue Dec 16 14:15:01 EST 2003
I just released a new development version of FLoP, the Fast Logging
Project for snort.
The changes are:
+ A swap file feature for each remote sensor is added: If the database
dies, gets killed or is stopped, all INSERTs will fail. Therefore all
connections to remote sensors are closed and the buffered alerts are
written to swap files (one file for each sensor).
+ If the remote sensors try to connect again and the database is still
gone: The connection is refused with an appropriate error message so
that the remote processes can decide what to do.
+ If the database is available again: First a check for the presence
of a swap file is done. If such a file exists, all alerts are read
in and buffered in memory. Then the normal process starts up.
+ If a SIGHUP/SIGINT/SIGTERM is received, all connections are closed
and the buffered alerts are written to the swap files. If this fails,
there is still the DROP feature available as a last possibility to
save some information.
+ This is only done on the central server, the remote sensors still
have to buffer all alerts in memory.
+ Finally, some minor bugs related to Solaris systems are fixed. Solaris
seems to have two different versions of (p)threads...
All these changes are still experimental, they work well on my computers
but are not tested in the wild. (Who likes to kill a running database to
test all these features?)
You can still find all this at:
Note: The documentation is not updated, it is still for version 1.0;
the same goes for the Linux binaries. These binaries are linked
against the glibc version 2.3 (Am I the only one who believes that
the glibc is still in beta stage? All new versions have some very
Please: Download the sources, install them, test them and give me some
kind of feedback, especially if you find bugs.
And of course: Some comments are appreciated.
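
The swap-file behaviour described in the change list above, as an added Python sketch that is not FLoP's own code: it shows spilling per-sensor buffers to disk when an INSERT fails, refusing sensors while the database is gone, and reloading the swap files on recovery. The class and method names, the JSON-lines swap format, the sensor-name check and the `db_insert` callable are assumptions made for illustration.

```python
import json, os, re
class DatabaseDown(Exception): pass  # raised by the hypothetical db_insert callable

class CentralServer:
    def __init__(self, swap_dir, db_insert):
        self.swap_dir, self.db_insert = swap_dir, db_insert
        self.buffers, self.db_up = {}, True  # sensor -> pending alerts; database state

    def accept(self, sensor):
        # Refuse sensors while the database is gone, with a message they can act on.
        if not self.db_up:
            return False, "database unavailable"
        if not re.fullmatch(r"[A-Za-z0-9_-]+", sensor):  # name is used as a file name
            return False, "invalid sensor name"
        self.buffers.setdefault(sensor, [])
        return True, "ok"

    def submit(self, sensor, alert):
        self.buffers[sensor].append(alert)

    def flush(self):
        # Try to INSERT everything; on the first failure spill all buffers to disk.
        try:
            for sensor, pending in self.buffers.items():
                while pending:
                    self.db_insert(sensor, pending[0])
                    pending.pop(0)    # drop only after a successful insert
        except DatabaseDown:
            self.db_up = False
            self.spill()

    def spill(self):
        # One swap file per sensor; a signal handler would call this as well.
        for sensor, pending in self.buffers.items():
            if pending:
                with open(os.path.join(self.swap_dir, sensor + ".swap"), "a") as fh:
                    fh.writelines(json.dumps(a) + "\n" for a in pending)
                    fh.flush()
                    os.fsync(fh.fileno())
        self.buffers.clear()    # connections to all sensors are closed

    def recover(self):
        # Database is back: read swap files into memory before normal processing.
        for name in sorted(os.listdir(self.swap_dir)):
            if name.endswith(".swap"):
                path = os.path.join(self.swap_dir, name)
                with open(path) as fh:
                    self.buffers.setdefault(name[:-5], []).extend(map(json.loads, fh))
                os.remove(path)
        self.db_up = True
```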