[Snort-users] Alerting unified or (fast) ASCII?
mkettler at ...4108...
Wed Oct 20 08:35:44 EDT 2004
At 09:50 AM 10/20/2004, Edin Dizdarevic wrote:
>can anyone give me a hint, what kind of alerting in terms of performance
>is to prefer:
>- Unified alerting w. by
>- ASCII alerting in fast mode (-A fast)
>My assumption is that it should not really matter or advantage to the
Unified will allow snort to handle a significantly larger load, as most of
the data is written out in the raw binary format it appears in the IP
packet. ASCII mode logging requires some additional translation.
>After all a second by instance for alerting
>(besides logging) is needed.
Ahhh, but here's where you're missing something. The fact that barnyard is
used does not speed up how long it takes to get alerts written into a textual
format. However, it removes the ascii conversion from snort's time-critical
packet capture process. This greatly reduces packet drop rate.
The overall CPU consumption is the same, but the time-critical path is much
shorter in the unified/barnyard case.
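The split described in this reply, illustrated as an added example that is not part of the thread and not Snort's or barnyard's own code: the capture loop only copies raw header bytes into fixed-size binary records, and a separate consumer does the decoding and text formatting afterwards. The record layout, the `-A fast`-style line format, the rule message and the sample packet are all constructed for this illustration; in particular the record layout is not the real unified format.

```python
import io
import struct
import time
from datetime import datetime, timezone

# Constructed record layout for this illustration (NOT Snort's real unified
# format): timestamp seconds, microseconds, signature id, then the first 20
# bytes of the IPv4 header copied verbatim from the packet.
RECORD = struct.Struct("!III20s")
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def unified_record(sec, usec, sid, packet):
    """Hot path: no parsing, no formatting, just a copy of the raw header."""
    return RECORD.pack(sec, usec, sid, packet[:20])


def fast_alert_line(sec, usec, sid, msg, packet):
    """Text alert in the spirit of Snort's -A fast output (approximate layout).
    Every step here (header parsing, timestamp and address formatting) is work
    the capture loop must do inline when alerting in ASCII mode."""
    (_vihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst) = \
        IPV4_HDR.unpack(packet[:20])
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%m/%d-%H:%M:%S")
    return "%s.%06d  [**] [1:%d:0] %s [**] {%s} %s -> %s" % (
        ts, usec, sid, msg, PROTO_NAMES.get(proto, str(proto)),
        ".".join(map(str, src)), ".".join(map(str, dst)))


def capture_loop_unified(events, sink):
    """Simulated time-critical path: append fixed-size binary records only."""
    for sec, usec, sid, packet in events:
        sink.write(unified_record(sec, usec, sid, packet))


def translate_unified(data, sid_to_msg):
    """Cold path (the barnyard role): decode records and emit text lines.
    A truncated trailing record (writer interrupted mid-record) is skipped."""
    lines = []
    for off in range(0, len(data), RECORD.size):
        if off + RECORD.size > len(data):
            break
        sec, usec, sid, hdr = RECORD.unpack_from(data, off)
        lines.append(fast_alert_line(sec, usec, sid,
                                     sid_to_msg.get(sid, "unknown"), hdr))
    return lines


def build_ipv4_header(src, dst, proto):
    """Constructed sample IPv4 header (checksum left at 0; illustration only)."""
    return IPV4_HDR.pack(0x45, 0, 40, 1, 0x4000, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))


def demo():
    """Run one constructed event through the unified path and decode it."""
    sid_to_msg = {1000001: "CONSTRUCTED test rule"}
    events = [(1098265800, 0, 1000001,
               build_ipv4_header("10.0.0.1", "10.0.0.2", 6))]
    sink = io.BytesIO()
    capture_loop_unified(events, sink)
    return translate_unified(sink.getvalue(), sid_to_msg)


def compare_cost(n=20000):
    """Rough per-alert cost of the two hot paths, in seconds: (unified, ascii).
    The total work is the same either way; only the inline share differs."""
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2", 6)
    t0 = time.perf_counter()
    for i in range(n):
        unified_record(1098265800, i, 1000001, pkt)
    t1 = time.perf_counter()
    for i in range(n):
        fast_alert_line(1098265800, i, 1000001, "CONSTRUCTED test rule", pkt)
    t2 = time.perf_counter()
    return (t1 - t0, t2 - t1)


if __name__ == "__main__":
    for line in demo():
        print(line)
    print("hot-path seconds (unified, ascii): %r" % (compare_cost(),))
```

The point is not the absolute numbers from `compare_cost` but where the formatting work lands: in the unified variant the capture loop does one `struct.pack` of bytes it already holds, and the parsing and string building happen in `translate_unified`, which can run on another process or host while the sensor keeps reading packets.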