Re: [Snort-users] Diagnosing MySQL server has gone away messages

Subject: Re: [Snort-users] Diagnosing MySQL server has gone away messages
Date: Thu, 23 Aug 2007 01:32:37 -0400


bleh wrote:
Your attacks aren't going to work. Your argument is flawed.

well, the game is entirely different then. let's engage in more
meaningless banter.

[...]


    There is absolutely no advantage to writing to the DB directly from the
    engine. How are you doing your job effectively while wasting time being
    pedantic?


Who says I was wasting time? Again you make assumptions as not to only
what my environment is but also as to what hours I work.


no, I make assumptions, based on experience, that your assertion that
direct DB writes from the engine have some value is absolutely incorrect.

[...]


Exactly. You're *trying* to tell me about my car, about which you know
nothing, and are only making assumptions.

well, it seems that the car you are driving is Snort. Feel free to take
your Toyota to the dealer and tell them it is designed wrong, I bet you
are met with similar distrust in your assessment.

[...]
The numbers speak for themselves. I have a large testbed with a nice mix
of traffic (from avalanche, reflector, smartbits, metasploit, canvas,
threatx and live traffic just to name a few) at hundreds of megs per
second with no issues writing to a DB, dropping packets or missing
events (comparing against an equivalent system using unified2 / flop
watching the same traffic). So what am I going to believe? Physical
proof or FUD? I'm going with physical proof.

This is moderately interesting.

What processors?
What network cards?
What configuration, db local, not?
How much traffic?
What mix?
...

All you have managed to state is that you have created a moderately
performing snort install that has a lot of test gear handling your
contrived cases.

$ 4 $, unified output will win every time, in every case, in every way.


Since you did not provide what config, preprocessors, rules, hardware
and OS we should all be running on, does this mean you don't think one
size fits all? Or, is that the one thing you aren't willing to make an
assumption about?

It means that the position you chose to take is provably incorrect. You
have realized this and instead of admitting it attempted to deflect with
more conjecture. Please let me be clear one last time.

There is absolutely no valid reason to choose direct DB writes over
unified spooling.

Your continued participation in the conversation without any actual
evidence of a valid reason is proof. Attempt to deflect and muddy the
waters all you want, you are wrong, have been from the start, and
apparently will be until you get a new anonymous mail address.

Simple is the man that hides himself instead of representing his beliefs
openly.
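As an added illustration (not part of either poster's message), here are the two snort.conf output configurations the thread argues about, side by side. It assumes a MySQL database called snort on localhost and barnyard2 as the spool reader (the thread mentions flop, which plays the same role); the paths, user name and password are placeholders.

```conf
# --- Weak setting: the engine itself writes every event to MySQL.
# If the DB stalls or the connection drops ("MySQL server has gone away"),
# the capture path blocks behind the output plugin and packets are dropped.
# (Credentials, paths and database name below are assumed placeholders.)
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# --- Corrected setting: spool events to a local unified2 file. The engine
# only ever does a fast sequential file write and never talks to the DB.
output unified2: filename snort.u2, limit 128

# A separate process (barnyard2, assumed installed) tails the spool and
# performs the DB inserts. If MySQL goes away, only barnyard2 waits and
# retries; it resumes from its bookmark (the waldo file) once the DB is back,
# while Snort keeps capturing and spooling without loss.
#
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo
#
# barnyard2.conf (the database line moves here, out of snort.conf):
#   output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

Because the spool is a plain file, the "MySQL server has gone away" condition becomes a barnyard2 log entry to monitor rather than an event-loss incident on the sensor.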
