The snort patch contains the following changes:
+ a new output plugin called "alert_unixsock_db" which is similar to the existing "alert_unixsock" but contains some more relevant alert data.
+ changes the portscan alert message. The old one is of little use, because different source IP addresses or different scan times produce different alert messages for what is the same kind of event.
+ adds the '-Z' option (in newer versions it is '-x') to print statistics to a unix socket. (Yes, the perfmonitor preprocessor does nearly the same, but it exists only in newer snort versions; this option is a little older and is still part of the patch!)
Since version 2.1.3 the patch contains a further command line option:
+ '-Q' is added: this quiets snort so that it does not write any alerts or logs to /var/log/snort. (With version 2.3 this option is labelled '-Y', since snort_inline uses the '-Q' option.)
+ therefore a log_null output plugin was added
+ alert_unixsock_db is also able to catch the log packets, with or without the alerts. If both log and alert are written to the unix socket, only one packet is written for the same rule! (requires FLoP-1.3.0 or newer.)
There is one big limitation with this project: you can only use one snort process per remote sensor!
Ok, this restriction is removed with version 1.5.0 of FLoP: now the sensor has to provide a sensor name (if none is given, the hostname is used).
