[Snort-users] Spool Processors

Dirk Geschke Dirk_Geschke at ...1344...
Thu Apr 1 08:44:10 EST 2004


Hi Gary,

> I am considering using the unified logging output plugin for snort with a 
> spool processor to dump the alerts/logs to MySQL.  As I see it I have 3 
> options: Barnyard, Mudpit and Flop.  Flop is out since I don't believe it 
> actually reads unified logs, but more importantly it can't support more 
> than one snort instance per machine, according to the documentation. 

yes FLoP only allows one snort process for a remote sensor. But
why do you want to run more instances? In my eyes it does not make
any sense at all. 

If the traffic is to high for one snort process then you should
think about a second machine. The overhead of running two instances
of snort on one machine is much too high. If you have several network
cards in several networks then you should really think of installing
several boxes each running one snort process. 

One advantage of FLoP is that you don't need to worry about disk
space on the sensor running snort...

Best regards

Dirk





More information about the Snort-users mailing list