[Snort-users] data from multiple sessions in one alert/packet

Jon Hart jhart at ...8039...
Thu May 18 15:12:08 EDT 2006


On Thu, May 18, 2006 at 02:07:08PM -0400, Joel Esler wrote:
> Jon,
> 
> What type of output module are you using?
> 
> Joel

I'm using the database output plugin.  I know that can be a problem
under high load, right?  Is that high alert load or just high pps load
in general?  My signatures are fairly tight so we get maybe 10-20
hits/hour, though occasionally we'll get a peak when someone scans us
for something.

I had been using barnyard, but dumped it while attempting to debug
another problem.  If barnyard will help here, I'll do that again.

-jon



