
Project Description

FLoP is designed to gather alerts, together with their payload, from distributed Snort sensors on a central server and to store them in a database (PostgreSQL and MySQL are supported). On the sensor, Snort writes its output to a process called sockserv. This process is threaded: one thread receives and buffers the alert packets, and the other thread forwards them to the central server. Output is thereby decoupled from Snort, which can continue sniffing instead of waiting for the output plugins. At the central server, a process called servsock gathers all alerts from the remote sensors and feeds them to the database. A short description of high-priority alerts, together with the database ID, can be sent via email to a list of recipients.

System Requirements

System requirements are not defined.

Information regarding Project Releases and Project Resources. Note that the information here is quoted from the Freecode.com page, and the downloads themselves may not be hosted on OSDN.

2005-01-26 23:54
1.4.1

Event_references is now unique across restarts of Snort, so that getpacket rebuilds only packets of the same tagged session. Additional packet information, such as MAC addresses and vendor information, can be printed out. This release has a -Z option to disable the use of UTC time within the database (the local timezone is used instead). Some minor bugs are fixed, and configure makes some additional checks.
Tags: Minor feature enhancements

Project Resources