FLoP is designed to gather alerts with payload from distributed snort sensors on a central server and to store them in a database (PostgreSQL and MySQL are supported). On the sensor, the output is written to a process called sockserv. This process is threaded; one thread receives and buffers the alert packets, and the other thread forwards them to a central server. The output is decoupled from snort, which can proceed in sniffing instead of waiting for the output plugins. At the central server, a process called servsock gathers all alerts from the remote sensors and feeds them to the database. A short description of alerts with high priority together with the database ID can be sent via email to a list of recipients.
|Tags||Networking Monitoring Security Communications Email Database|
|Operating Systems||POSIX Solaris Linux BSD Unix|
Release Notes: Several checks were added, the alert data from Snort got a tag, and a restart of Snort is now checked. getpacket now has base 64 support. The statistics are now generated via the control thread so some signals are no longer necessary. The exit handler was rewritten and a cache for signatures was added. This cache can accelerate the insert rate by up to a factor of two and is implemented as a red black tree. During runtime, the only SELECT statement is for the signature ID, and all other operations are INSERT statements. The idea is to cache all signatures that caused an alert.
Release Notes: The interface name can be included. The database can now be accessed via TCP. The drop and alert feature can be deactivated. Alerts can be dropped without writing the information to the drop socket. A command line option was added to getpacket to avoid following tagged packets. The consistency checks for alert packets were enhanced, and several checks were added. Some bugs were removed, especially one regarding the sensor name, in which parts of the previous connected sensor were appended with a newline.
Release Notes: A control thread was added so that some parameters can be chaned during runtime. The restriction of one snort process per sensor was removed. This way it is also possible to encrypt the communication via stunnel or an SSH tunnel. If the server process gets terminated (SIGINT or SIGTERM), then all cached alerts are save in swap files. The new (unofficial) scheme 107 is supported, and the configure script was enhanced. Recreation of pcap files is now possible on 64-bit systems. Some bugs were fixed.
Release Notes: Event_references is now unique among restarts of snort so that getpacket is able to rebuild only packets of the same tagged session.Additional packet information like MAC addresses and vendor information can be printed out. This release has a -Z option to disable the use of UTC time within the database (the local timezone is used instead). Some minor bugs are fixed and configure makes some additional checks.
Release Notes: With a slight extension of the database, it is possible to rebuild a stream of tagged packets with the program getpacket. rules.pl is now able to work with rules without given priority/classification (this happens mostly with some bleeding snort rules). A lot of minor bugs were fixed. Some are essential for sensors with a small amount of RAM and rebuilding large TCP packets within stream4. Log and error messages are improved.