[Snort-users] what's the difference between alert_fast and alert_unified?

Patrick Harper patrick at ...4250...
Fri Oct 21 18:39:35 EDT 2005

Yes, with barnyard 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of zhaohui yin
Sent: Friday, October 21, 2005 8:32 PM
To: Matt Kettler
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] what's the difference between alert_fast and


I am using snort output to mysql. Can unified output be transferred to
mysql input?

On 10/21/05, Matt Kettler <mkettler at ...4108...> wrote:
> zhaohui yin wrote:
> > Hi all:
> >     I am confused about the snort options alert_fast / alert_unified,
> > and want to know in which mode snort will run fastest.
> unified is faster than alert_fast. "alert_fast" is a text-mode log format,
> and while it's fast for text mode, and much faster than alert_full, it's
> still a text log.
> However, alert_unified is a binary format and you need to use barnyard to
> post-process the alerts into readable text. The unified binary format lets
> it dump the alerts to disk with an absolute minimum amount of overhead, as it
> doesn't need to look up the alert descriptions, etc. when logging.
> >    I run snort with the -b -A fast options, any suggestions?
> By using -b you're already getting some speed benefit, as your packet log
> is binary. Unified would extend this and make both your packet and your
> alert logs binary.
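
As an added illustration of the setup discussed above (not from any poster in this thread), here is what the "unified spool + barnyard into MySQL" arrangement looks like in configuration. The syntax is Snort 2.x / barnyard 0.2 as recalled from their documentation, and the file names, paths, sensor id and credentials are placeholders; check the manuals of the versions you actually run before copying any of this.

```conf
# ---- snort.conf, output section (assumed Snort 2.x syntax; paths are placeholders) ----

# Slow path: text alerts, and the snort process itself doing MySQL inserts.
# Every alert costs a description lookup, text formatting and a round trip to the DB.
# output alert_fast: alert.fast
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Fast path: snort writes fixed-size binary records to a spool and does nothing else.
# "limit 128" rolls the spool file at 128 MB so barnyard can pick it up.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# ---- barnyard.conf (assumed barnyard 0.2 syntax; sensor id and credentials are placeholders) ----
config hostname:  sensor1
config interface: eth0

# processors: dp_alert reads alert_unified spools, dp_log reads log_unified spools
processor dp_alert
processor dp_log

# barnyard, not snort, now carries the cost of the MySQL inserts
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password CHANGEME
output log_acid_db:   mysql, sensor_id 1, database snort, server localhost, user snort, password CHANGEME, detail full

# ---- starting it (assumed barnyard 0.2 command line; one barnyard per spool file) ----
# -d spool directory, -f spool base name, -w "waldo" bookmark so a restart resumes where it left off
# barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert -w /var/log/snort/alert.waldo
# barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log   -w /var/log/snort/log.waldo
```

The operational point: with the slow path, a burst of alerts (or a slow database) stalls the snort process and can turn into dropped packets; with the unified spool, snort only appends to a file, and a stalled barnyard just means the database lags behind while the spool and waldo file keep the alerts safe for later replay.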

