[Snort-users] Snort output redirection buffered

Chris Green cmg at ...1935...
Mon May 19 11:26:29 EDT 2003


JP Vossen <vossenjp at ...8683...> writes:

> It seems like Snort output is buffered quite a bit.  When running version
> 2.0.0 (Build 72) on Red Hat 8.0 2.4.18-27.8.0 as follows, the traffic is very
> bursty:
> 	snort -vdCqi eth1 udp port 514 | SomeScript.pl
> 	snort -vdCqi eth1 udp port 514 | tee somefile
>
> It seems like there is a buffer of between about 1500 - 2000 bytes.  Does that
> make sense or is there something else I'm missing?  Any way to turn it off w/o
> patching the source?  

Nope.

> If no, how hard would it be to patch the source (assume I know
> almost nothing about C :-)?

Add a fflush(stdout) to snort.c

    case MODE_PACKET_LOG:
            CallLogPlugins(&p, NULL, NULL, NULL);
            fflush(stdout);
-- 
Chris Green <cmg at ...1935...>
Chicken's thinkin'
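
The behaviour discussed in this thread, as an added example that is not part of the original message and is not Snort code: when a stdio stream is backed by a pipe rather than a terminal it is fully buffered, so a reader sees nothing until the buffer fills or the writer flushes. The function name, the mode names and the sample record are assumptions made for the illustration; the line-buffered mode set with setvbuf() goes beyond the fflush() suggested above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* fdopen(), poll() */
#endif
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

enum mode { DEFAULT_BUFFERING, FLUSH_EACH_RECORD, LINE_BUFFERED };

/* Returns 1 if the read end of a pipe can see a record immediately after the
 * writer emitted it through stdio, 0 if the record is still held in the
 * stdio buffer, -1 on setup error. */
int record_visible(enum mode m)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    /* Stand-in for a program's stdout when it is piped to another process. */
    FILE *out = fdopen(fds[1], "w");
    if (out == NULL) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (m == LINE_BUFFERED)
        setvbuf(out, NULL, _IOLBF, 0);   /* flush at every newline */

    /* Constructed sample record, not real Snort output. */
    fprintf(out, "05/19-11:26:29 10.0.0.1:514 -> 10.0.0.2:514 UDP len 64\n");
    if (m == FLUSH_EACH_RECORD)
        fflush(out);                     /* the fix suggested in the post */

    /* Zero-timeout poll: is anything readable on the other end right now? */
    struct pollfd p = { .fd = fds[0], .events = POLLIN };
    int visible = poll(&p, 1, 0) == 1 && (p.revents & POLLIN) != 0;

    fclose(out);                         /* flushes the rest, closes fds[1] */
    close(fds[0]);
    return visible;
}

int main(void)
{
    printf("default buffering : %d\n", record_visible(DEFAULT_BUFFERING));
    printf("fflush per record : %d\n", record_visible(FLUSH_EACH_RECORD));
    printf("line buffered     : %d\n", record_visible(LINE_BUFFERED));
    return 0;
}
```

For a log consumer that alerts on the piped output, the default mode means records can arrive late and in batches, which is the burstiness described in the question.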



