[Snort-users] Homebrew Snort Reactive/Unified2 output

JJC cummingsj at ...11827...
Thu Apr 7 10:26:11 EDT 2011


It is my opinion that you are better off spooling off of U2 files.  Given
what you describe, you would not be reacting in real-time anyway, and packets
have already made it through regardless of whether you react using an output
plugin or by spooling off of U2 files.  The obvious benefit of spooling off of
U2 files is that it's Snort-version independent and does not require you to
patch / maintain changes to the Snort source every time a new version comes
out.

Just my .02
JJC

On Thu, Apr 7, 2011 at 8:12 AM, beenph <beenph at ...11827...> wrote:

> Since Snort is somehow a pipeline in its current implementation, if you
> block on an output plugin
> (this is why it's recommended not to use the db output plugin straight
> from Snort, because in some cases a database write could block for xyz
> reason)
>
> then you will halt packet processing and this could lead to packet drops.
>
> The faster you process, the faster Snort can go back and do its job.
>
>
>
> On Thu, Apr 7, 2011 at 9:59 AM, Korodev <korodev at ...11827...> wrote:
> >>>> The absolute fastest place to fire a response post-detection would be
> >>>> an output plugin.  There's no need to hook the U2 output plugin or
> >>>> write an output module for BY2; depending on a number of factors,
> >>>> you're not going to get the absolute fastest activation time for your
> >>>> code from the point of detection.
> >
> > In follow-up to this discussion, I've started working on my output
> > plugin and had a few questions in regards to what happens to alert
> > data between inspection and output processing. In short, I plan on
> > running dual output plugins (custom and unified2) and am interested to
> > know what kind of effects to watch for if my custom output plugin is
> > too slow. What happens if an event is sent to the output plugin, but
> > the output plugin hasn't finished processing the previous event? Is
> > there a queueing mechanism implemented here that will lead to a memory
> > usage spike? Just trying to figure out what sort of things to watch
> > for in my testing.
> >
> > \\korodev
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
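The spool-off-unified2 approach JJC recommends above, as an added example that is not code from this thread, from Snort or from Barnyard2: a small Python spooler that tails a unified2 file, parses the legacy IPv4 IDS event record (type 7), leaves a partially written trailing record for the next pass instead of failing on it, skips record types it does not handle by their declared length, and hands events to a bounded queue drained by a separate reaction thread. The record layout is taken from Snort's Unified2_common.h as I remember it and should be checked against the header shipped with your Snort version; `react()` and the sample records are constructed placeholders, not real sensor output.

```python
"""Spool Snort unified2 events without touching the sensor's packet path.

Added example, not code from the thread or from Snort/Barnyard2. Record
layout as I understand Snort's Unified2_common.h: a big-endian 8-byte
record header (type, length), then the body; type 7 is the legacy IPv4
IDS event, a 52-byte big-endian struct. Verify against your Snort version.
"""
import io
import queue
import socket
import struct
import threading

RECORD_HEADER = struct.Struct("!II")    # record type, body length
UNIFIED2_IDS_EVENT = 7                  # legacy IPv4 IDS event
# sensor_id, event_id, event_second, event_usec, sig_id, gen_id, sig_rev,
# class_id, priority, src_ip, dst_ip, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!11I2H4B")   # 52 bytes


def parse_records(buf):
    """Parse every complete record in buf; return (events, bytes_consumed).

    A trailing partial record (Snort may still be writing it) is left
    unconsumed so the caller retries once more bytes hit the disk. Record
    types we do not handle (packets, extra data) are skipped by length.
    """
    events, off = [], 0
    while len(buf) - off >= RECORD_HEADER.size:
        rtype, rlen = RECORD_HEADER.unpack_from(buf, off)
        start, end = off + RECORD_HEADER.size, off + RECORD_HEADER.size + rlen
        if end > len(buf):
            break                       # partial record: wait for the rest
        off = end
        if rtype != UNIFIED2_IDS_EVENT or rlen != IDS_EVENT.size:
            continue
        f = IDS_EVENT.unpack(buf[start:end])
        events.append({
            "event_id": f[1], "event_second": f[2], "sid": f[4], "gid": f[5],
            "rev": f[6], "priority": f[8],
            "src": socket.inet_ntoa(struct.pack("!I", f[9])),
            "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
            "sport": f[11], "dport": f[12], "proto": f[13],
        })
    return events, off


def spool(fh, sink, leftover=b"", chunk=4096):
    """Read fh to EOF, pushing parsed events into sink (a queue.Queue).

    Returns the unconsumed tail; a long-running reader sleeps and calls
    this again with it. sink.put() may block when reactions are slow,
    which stalls this reader, not Snort, which only appends to the file.
    """
    buf = leftover
    while True:
        data = fh.read(chunk)
        if not data:
            break
        buf += data
        events, used = parse_records(buf)
        for ev in events:
            sink.put(ev)
        buf = buf[used:]
    return buf


def react(event):
    """Stand-in for the slow reaction (assumed: e.g. pushing a firewall
    rule). It runs here, so its latency never reaches Snort's packet loop."""
    return "block %s (gid %d sid %d)" % (event["src"], event["gid"], event["sid"])


class ReactionWorker(threading.Thread):
    """Drains a bounded queue; the bound caps memory, the U2 file on disk
    is the real backlog when reactions fall behind."""
    def __init__(self, maxsize=1000):
        super().__init__(daemon=True)
        self.q, self.results = queue.Queue(maxsize), []

    def run(self):
        while (ev := self.q.get()) is not None:
            self.results.append(react(ev))


def _event(event_id, sid, src, dst, sport, dport, proto):
    body = IDS_EVENT.pack(1, event_id, 1302184800, 0, sid, 1, 3, 2, 2,
                          struct.unpack("!I", socket.inet_aton(src))[0],
                          struct.unpack("!I", socket.inet_aton(dst))[0],
                          sport, dport, proto, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample spool: a packet record we skip (type 2, body contents
# irrelevant here), two IPv4 events, then the first 30 bytes of a third
# event standing in for a record Snort has not finished writing.
_PKT = RECORD_HEADER.pack(2, 32) + b"\x00" * 32
_THIRD = _event(1003, 1000002, "10.0.0.7", "192.168.1.11", 1, 1, 1)
SAMPLE = (_PKT
          + _event(1001, 2000032, "10.0.0.5", "192.168.1.10", 4444, 80, 6)
          + _event(1002, 1000001, "10.0.0.6", "192.168.1.10", 53210, 22, 6)
          + _THIRD[:30])
SAMPLE_TAIL = _THIRD[30:]


def run_demo():
    """Spool SAMPLE, then the rest of the partial record; return reactions."""
    worker = ReactionWorker()
    worker.start()
    left = spool(io.BytesIO(SAMPLE), worker.q)              # 2 events, 30 B left
    left = spool(io.BytesIO(SAMPLE_TAIL), worker.q, left)   # completes event 3
    worker.q.put(None)
    worker.join()
    return worker.results, left


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The thread's point shows up in `spool()` and `ReactionWorker`: a slow `react()` (a database write, a firewall API call) only backs up the queue and, once it is full, the reader; Snort keeps appending to the unified2 file and drops nothing on that account. That is also the answer to the memory-spike question: with a bounded queue the backlog lives in the spool file on disk, not in the process.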