Snort Forums Archive
Snort detection/reliability affected by dbms communication?
Posted by uva_snort on July 07, 2005 00:54:09
This crossed my mind earlier and I still need to know what is true about this from some experts:
Is Snort in any way, but mostly regarding detection and reliability, affected by the communication with a DBMS?
According to the README of FLoP (http://www.geschke-online.de/FLoP/README):
"The problem with the normal database output plugin is that snort
is blocked until all data is written to the database. If there are
any problems with the database then snort is hanging and probably
some network packets get lost."
Is this really affecting snort and how?
Posted by brevizniak on July 09, 2005 07:53:26
Yes. Using DB output directly from snort causes the process to block until the DB work is complete. This means that you may not be able to inspect packets while performing database operations.
You should be using unified output in snort and barnyard to handle the database work out of band if performance is a major concern.
Barnyard is available from snort.org in the download section:
http://www.snort.org/dl/barnyard/
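
A toy model of the blocking behaviour discussed in this thread, added here as an example; it is not part of either post and is not Snort or Barnyard code. It compares a sensor whose alert output waits on a slow database with one that only appends to a local spool, and all rates, buffer sizes and costs are constructed values.

```python
from collections import deque

def simulate(ticks, buffer_slots, alert_every, output_cost, inspect_rate=2):
    """Model a single-threaded sensor. One packet arrives per tick into a
    bounded capture buffer; a free sensor inspects up to `inspect_rate`
    packets per tick; every `alert_every`-th inspected packet raises an alert
    whose output call keeps the sensor busy for `output_cost` ticks."""
    buffer = deque()
    busy = inspected = dropped = 0
    for _tick in range(ticks):
        # Arrival: the capture buffer is finite, so overflow is lost for good.
        if len(buffer) < buffer_slots:
            buffer.append(1)
        else:
            dropped += 1
        # While the output call has not returned, nothing is inspected.
        if busy:
            busy -= 1
            continue
        for _slot in range(inspect_rate):
            if not buffer:
                break
            buffer.popleft()
            inspected += 1
            if inspected % alert_every == 0:
                busy = output_cost
                if busy:
                    break
    return {"inspected": inspected, "dropped": dropped, "backlog": len(buffer)}

# Constructed numbers, not measurements of any real sensor.
TICKS, BUFFER_SLOTS, ALERT_EVERY = 10_000, 64, 100

def compare():
    # Inline database output: each alert waits 200 ticks on a slow database.
    inline = simulate(TICKS, BUFFER_SLOTS, ALERT_EVERY, output_cost=200)
    # Spooled output: each alert costs 1 tick (a local file append); a separate
    # reader process does the database insert and is outside this loop.
    spooled = simulate(TICKS, BUFFER_SLOTS, ALERT_EVERY, output_cost=1)
    return inline, spooled

if __name__ == "__main__":
    for name, result in zip(("inline db", "spooled"), compare()):
        print(f"{name:10s} {result}")
```

Packets counted as dropped were never inspected, so in the inline case they are a detection gap that grows with database latency.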