[Snort-users] Upgrading from Snort v2.3.2 to 2.8.3.1

Joel Esler eslerj at ...11827...
Tue Dec 9 22:06:41 EST 2008


On Dec 9, 2008, at 9:59 PM, Ian Masters allegedly wrote:

>> Ian, I suggest that you output to unified.  Then use a third party tool,
>> like Barnyard or SnortUnified.pm to parse the Unified file and insert
>> into the db.  Inserting into the DB directly from Snort, is bad.
>
> Can you tell me why it is "bad"? That is the way our system was set up a
> few years ago. There haven't been any problems that I'm aware of.
>
> If it would be better to do as you suggest, I'll need to do that on a
> test system first.
>
> That might take quite some time.

Snort is single threaded.  You want it to output as fast as possible
to reduce packet processing latency.  (Unified is fastest).  By having
Snort do direct database inserts, Snort has to "stop" being an IDS,
and do an INSERT on the table.  It's not a big problem by itself, but
if you are doing a lot of inserts at the same time, you will drop packets.

J
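As an added illustration (not part of this thread's messages), the two configurations being contrasted: a Snort 2.8.x sensor doing its own database inserts in the detection thread, versus the same sensor spooling unified output and a separate Barnyard process doing the inserts. Hostnames, credentials and paths are placeholders, and the exact option spelling should be checked against the README of the installed Snort and Barnyard versions.

```conf
## --- snort.conf, the pattern the thread advises against ---
## Every alert becomes a synchronous INSERT issued by the single
## Snort thread; while it waits on the database it is not reading
## packets, so a burst of alerts turns into dropped packets.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal

## --- snort.conf, the pattern the thread recommends ---
## Snort only appends binary records to a local spool file (fast,
## no network round trip); "limit 128" rolls the file at 128 MB.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

## --- barnyard.conf (separate process, reads the spool) ---
## Barnyard tails the unified files and performs the database work
## out of Snort's packet path. The DB being slow or unreachable now
## stalls Barnyard, not detection; the spool simply grows.
config hostname: sensor1.example.internal
config interface: eth0
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example.internal, user snort, password CHANGEME
output log_acid_db: mysql, database snort, server db.example.internal, user snort, password CHANGEME, detail full

## Run Barnyard in continuous mode against the log spool; the waldo
## file records how far it has read so a restart does not re-insert:
##   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
```

Before cutting over, compare the sensor's "dropped packets" counter (printed when Snort exits, or with the perfmonitor preprocessor) under alert bursts in both setups; that figure is the one the thread says the direct-insert path hurts.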