[Snort-users] Snort output redirection buffered
cmg at ...1935...
Mon May 19 11:26:29 EDT 2003
JP Vossen <vossenjp at ...8683...> writes:
> It seems like Snort output is buffered quite a bit. When running version
> 2.0.0 (Build 72) on Red Hat 8.0 2.4.18-27.8.0 as follows, the traffic is very
> snort -vdCqi eth1 udp port 514 | SomeScript.pl
> snort -vdCqi eth1 udp port 514 | tee somefile
> It seems like there is a buffer of between about 1500 - 2000 bytes. Does that
> make sense or is there someone else I'm missing? Any way to turn it off w/o
> patching the source?
> If no, how hard would it be to patch the source (assume I know
> almost nothing about C :-)?
Add a fflush(stdout) to snort.c
CallLogPlugins(&p, NULL, NULL, NULL);
Chris Green <cmg at ...1935...>