[Snort-users] Alerting unified or (fast) ASCII?

Matt Kettler mkettler at ...4108...
Wed Oct 20 08:35:44 EDT 2004

At 09:50 AM 10/20/2004, Edin Dizdarevic wrote:
>can anyone give me a hint as to what kind of alerting is preferable in
>terms of performance:
>- Unified alerting with barnyard
>- ASCII alerting in fast mode (-A fast)
>My assumption is that it should not really matter, or that the advantage
>would be to the ASCII mode, respectively.

Unified will allow snort to handle a significantly larger load, as most of 
the data is written out in the raw binary format it appears in the IP 
packet. ASCII mode logging requires some additional translation.

>After all, a second barnyard instance for alerting
>(besides logging) is needed.

Ahhh, but here's where you're missing something. The fact that barnyard is 
used does not speed up how long it takes to get alerts written into a textual 
format. However, it removes the ASCII conversion from snort's time-critical 
packet capture process. This greatly reduces the packet drop rate.

The overall CPU consumption is the same, but the time-critical path is much 
shorter in the unified/barnyard case.
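The split Matt describes, as an added illustration that is not part of this thread and not Snort's or barnyard's own code: on the capture path Snort only has to copy a fixed-layout struct to the spool file, while the timestamp formatting, sid-to-message lookup, protocol naming and dotted-quad conversion happen later in barnyard. The script packs an IDS event the way Snort's unified2 output plugin writes it (unified2 is the documented successor of the 2004 unified format, chosen here because the on-disk layout of the original unified records depends on the platform's struct packing; this is an assumption, not something the thread states), then translates it to alert_fast text. The sid-msg.map entries and the events are constructed sample data; the classification is printed as its numeric id because no classification.config is parsed, and timestamps are rendered in UTC where real alert_fast output uses local time.

```python
"""Round-trip a Snort unified2 IDS event: pack it the way Snort's output
plugin writes it (raw network-order struct, no text), then translate it to
alert_fast text the way barnyard does, off the capture path.
Added example; constructed data, not real alerts."""
import socket
import struct
from datetime import datetime, timezone

UNIFIED2_IDS_EVENT = 7                      # record type of Unified2IDSEvent_legacy
REC_HDR = "!II"                             # Serial_Unified2_Header: type, length
EVENT_FMT = "!IIIIIIIIIIIHHBBBB"            # Unified2IDSEvent_legacy, 52 bytes
EVENT_LEN = struct.calcsize(EVENT_FMT)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

FIELDS = ("sensor_id", "event_id", "sec", "usec", "sid", "gid", "rev",
          "class_id", "prio", "src", "dst", "sport", "dport", "proto",
          "impact_flag", "impact", "blocked")


def ip_to_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def pack_event(ev):
    """What Snort does on the capture path: write a struct, no formatting."""
    body = struct.pack(EVENT_FMT, ev["sensor_id"], ev["event_id"], ev["sec"], ev["usec"],
                       ev["sid"], ev["gid"], ev["rev"], ev["class_id"], ev["prio"],
                       ip_to_int(ev["src"]), ip_to_int(ev["dst"]),
                       ev["sport"], ev["dport"], ev["proto"],
                       ev.get("impact_flag", 0), ev.get("impact", 0), ev.get("blocked", 0))
    return struct.pack(REC_HDR, UNIFIED2_IDS_EVENT, len(body)) + body


def read_records(buf):
    """Walk a unified2 buffer. Returns (events, bytes_consumed); a trailing
    partial record (Snort still writing it) is left unconsumed, which is how
    a spool reader tails the file without mis-parsing half a record."""
    events, off = [], 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(REC_HDR, buf, off)
        if off + 8 + rlen > len(buf):
            break
        payload = buf[off + 8: off + 8 + rlen]
        if rtype == UNIFIED2_IDS_EVENT and rlen == EVENT_LEN:
            ev = dict(zip(FIELDS, struct.unpack(EVENT_FMT, payload)))
            ev["src"], ev["dst"] = int_to_ip(ev["src"]), int_to_ip(ev["dst"])
            events.append(ev)
        off += 8 + rlen          # other record types are skipped by length
    return events, off


def to_alert_fast(ev, sid_msg):
    """The translation barnyard does: timestamp text, sid->message lookup,
    protocol names, dotted quads. ICMP records carry itype/icode in the port
    fields, so ports are omitted for protocol 1 as alert_fast does."""
    ts = datetime.fromtimestamp(ev["sec"], tz=timezone.utc)   # UTC here; real output is local time
    stamp = ts.strftime("%m/%d-%H:%M:%S") + ".%06d" % ev["usec"]
    ref = "%d:%d:%d" % (ev["gid"], ev["sid"], ev["rev"])
    msg = sid_msg.get((ev["gid"], ev["sid"]), "Snort Alert [%s]" % ref)  # fallback for unmapped sids
    proto = PROTO_NAMES.get(ev["proto"], str(ev["proto"]))
    if ev["proto"] == 1:
        endpoints = "%s -> %s" % (ev["src"], ev["dst"])
    else:
        endpoints = "%s:%d -> %s:%d" % (ev["src"], ev["sport"], ev["dst"], ev["dport"])
    return ("%s  [**] [%s] %s [**] [Classification ID: %d] [Priority: %d] {%s} %s"
            % (stamp, ref, msg, ev["class_id"], ev["prio"], proto, endpoints))


# Constructed sample data (not real alerts): two events plus a truncated third.
SID_MSG = {(1, 1000001): "TEST HTTP probe"}         # stand-in for sid-msg.map
SAMPLE_EVENTS = [
    dict(sensor_id=0, event_id=1, sec=1098275744, usec=123456, sid=1000001, gid=1, rev=2,
         class_id=3, prio=1, src="10.0.0.5", dst="192.168.1.10", sport=40000, dport=80, proto=6),
    dict(sensor_id=0, event_id=2, sec=1098275745, usec=7, sid=384, gid=1, rev=5,
         class_id=0, prio=3, src="10.0.0.6", dst="10.0.0.1", sport=8, dport=0, proto=1),
]


def sample_spool():
    """Bytes as a unified2 spool file would hold them, ending mid-record."""
    data = b"".join(pack_event(e) for e in SAMPLE_EVENTS)
    return data + struct.pack(REC_HDR, UNIFIED2_IDS_EVENT, EVENT_LEN) + b"\x00" * 10


def translate(buf):
    """Barnyard's job in one call: binary spool in, alert_fast lines out."""
    events, consumed = read_records(buf)
    return [to_alert_fast(e, SID_MSG) for e in events], consumed


if __name__ == "__main__":
    lines, consumed = translate(sample_spool())
    print("\n".join(lines))
    print("consumed %d bytes, partial record left in spool" % consumed)
```

Everything in to_alert_fast is work that -A fast would do inside Snort's packet loop; with unified output it is deferred to whichever process reads the spool, which is why the total CPU cost is unchanged but the drop rate is not.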

