Chapter 1. Introduction

The network intrusion detection system snort captures network traffic. Each captured packet is first processed by the preprocessors, which, among other things, reassemble packets on the IP or TCP level or normalize protocols such as HTTP. After this stage the packet is either discarded (as far as the snort process is concerned) or forwarded to the detection engine, which applies several rule sets to the packet. If a rule matches, an alert is generated and all output plugins are called sequentially to process this packet together with the related information, such as which rule generated the alert.

After the whole chain has been worked through, the next network packet can be analyzed. All packets that arrive in the meantime have to be buffered, either by the kernel or by libpcap. If there are too many network packets, or snort takes too long to process the individual packets (or one output plugin blocks), it is likely that some packets will be dropped.

So during a heavy network attack many packets may be dropped simply because snort is busy with output processing. On the other hand, if there is no traffic, snort is idle.

One solution is to decouple the output plugins from snort. Why should snort bother with the various alert formats, or with how to insert packets into a database? It would be a great advantage to restrict snort to detecting alerts only.

This is where FLoP comes in. It decouples the output plugins from snort, gathers all alerts and sends them to a central server, where they are collected and inserted into a database for further processing. Additionally, all alerts are buffered until they are processed (or are explicitly dropped, controlled by a configuration parameter, if too many alerts are buffered).
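The following discrete-time model makes the argument of this chapter measurable. It is an added example and not part of FLoP or snort; every figure in it is constructed for illustration. It assumes a single fixed-size capture buffer standing in for the kernel/libpcap queue, a constant per-packet detection cost, a larger per-alert output cost, and runs the same packet burst through two configurations: output plugins executed inside the sensor (plain snort) and output handled by a separate consumer behind a bounded alert buffer, with alerts discarded once that buffer is full (the FLoP model). The function names `make_burst`, `simulate` and `compare` are this example's own.

```python
"""Discrete-time model of a capture-detect-output pipeline.

Constructed example: one capture buffer of fixed size, one sensor that
processes packets sequentially, and (optionally) one output consumer
behind a bounded alert buffer.  Costs are measured in ticks.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Stats:
    captured: int = 0          # packets the detection engine actually saw
    packets_dropped: int = 0   # packets lost because the capture buffer was full
    alerts_generated: int = 0  # packets that matched a rule
    alerts_output: int = 0     # alerts the output stage finished
    alerts_dropped: int = 0    # alerts discarded because the alert buffer was full


def make_burst(burst_ticks, quiet_ticks, per_tick, alert_every):
    """Constructed traffic: `per_tick` packets per tick for `burst_ticks` ticks,
    then `quiet_ticks` silent ticks so the queues can drain.  Every
    `alert_every`-th packet is one that a rule will match."""
    arrivals, n = [], 0
    for _ in range(burst_ticks):
        tick = []
        for _ in range(per_tick):
            n += 1
            tick.append(n % alert_every == 0)
        arrivals.append(tick)
    arrivals.extend([] for _ in range(quiet_ticks))
    return arrivals


def simulate(arrivals, capture_capacity, detect_cost, output_cost,
             decoupled=False, alert_capacity=0):
    """Run one tick per entry of `arrivals` (a list of per-tick packet lists,
    each packet a bool saying whether a rule matches it)."""
    stats = Stats()
    capture_buf = deque()   # packets waiting for the sensor (kernel/libpcap queue)
    alert_buf = deque()     # alerts waiting for the output consumer (decoupled only)
    sensor_busy = 0         # ticks until the sensor can take the next packet
    output_busy = 0         # ticks until the output consumer can take the next alert
    for tick, packets in enumerate(arrivals):
        # 1. Arrivals: while the sensor lags, the capture buffer fills up and
        #    further packets are lost before the sensor ever sees them.
        for is_alert in packets:
            if len(capture_buf) < capture_capacity:
                capture_buf.append(is_alert)
            else:
                stats.packets_dropped += 1
        # 2. Sensor: preprocessors plus detection engine, one packet at a time.
        if sensor_busy > 0:
            sensor_busy -= 1
        if sensor_busy == 0 and capture_buf:
            is_alert = capture_buf.popleft()
            stats.captured += 1
            sensor_busy = detect_cost
            if is_alert:
                stats.alerts_generated += 1
                if not decoupled:
                    # Output plugins run inside the sensor and block it.
                    sensor_busy += output_cost
                    stats.alerts_output += 1
                elif len(alert_buf) < alert_capacity:
                    alert_buf.append(tick)
                else:
                    stats.alerts_dropped += 1   # configured cap: drop the alert
        # 3. Decoupled consumer: drains the alert buffer at its own pace,
        #    never holding the sensor back.
        if decoupled:
            if output_busy > 0:
                output_busy -= 1
            if output_busy == 0 and alert_buf:
                alert_buf.popleft()
                stats.alerts_output += 1
                output_busy = output_cost
    return stats


def compare(capture_capacity=8, detect_cost=1, output_cost=20, alert_capacity=2):
    """Same burst (1 packet/tick for 200 ticks, every 10th one an alert,
    then 100 quiet ticks) through both configurations."""
    traffic = make_burst(burst_ticks=200, quiet_ticks=100, per_tick=1, alert_every=10)
    inline = simulate(traffic, capture_capacity, detect_cost, output_cost)
    split = simulate(traffic, capture_capacity, detect_cost, output_cost,
                     decoupled=True, alert_capacity=alert_capacity)
    return inline, split


if __name__ == "__main__":
    inline, split = compare()
    print("output plugins inside the sensor:", inline)
    print("output decoupled behind a bounded alert buffer:", split)
```

With the constructed parameters the inline configuration loses more than half of the burst at the capture buffer, including most of the packets that would have raised alerts, because every alert stalls the sensor for the whole output cost. The decoupled configuration captures every packet and generates every alert; the losses move to the alert buffer, where the cap discards a known number of alerts that can be counted and reported, which is the trade-off the chapter describes.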