Snort mailing list archives
Re: Run an external program
From: Erek Adams <erek () snort org>
Date: Wed, 5 Mar 2003 13:36:35 -0500 (EST)
On Wed, 5 Mar 2003, Bennett Todd wrote:
If the info carried in the unified log format for Barnyard is desired, then using Barnyard as the framework for the logfile tailing may well be the best engineering solution. But for many applications, the combination of simple fast alert logging to a textfile, or syslog logging of alerts, plus libpcap-format dumpfiles of packet captures for offline forensic analysis, lets you get the job done handily; and I don't know of any reason why Barnyard would be a better logfile tailer than the more generic tools like swatch. And since the unified log format carries more data than fast text alerts or syslog alerts, tailing and processing that file would be more expensive.
Well... Some things that jump out at me:

* It's not syslog. :)
* It gathers the packet data along w/the alert data.
* It understands spooling, and can handle intermittent connectivity.
* If it's already in place, the only extra overhead is that of creating a new process (Yeah, that _is_ expensive on whatever OS you are on), and having it do what you want.
* It's cleaner. Snort snarfs the packets, BY 'pushes' them into whatever output mechanism it wants. It doesn't care about anything else.

*shrugs* Anyway, it's a matter of "use what's best for you". If one of the ideas expressed works and works well, then Go for it! If not, well... We're all just slackers anyway. ;-)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
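The "tail the fast alert file and hand alerts to an external program" approach that Bennett describes is easy to sketch in code. The following is an added example written for this archive page; it is not code from the thread, from Snort or from Barnyard. It parses Snort's alert_fast line layout (IPv4 only), keeps only alerts at or above a chosen priority, and passes the fields to a handler program as separate argv entries rather than through a shell string. The function names, the `SAMPLE_LINES` and the handler program path are assumptions made for the example.

```python
import os
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Regex for Snort's "alert_fast" output: one alert per line. IPv4 only here.
# Classification and Priority are optional because rules without a classtype
# omit them; ports are optional because ICMP alerts carry none.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s+(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"],
        priority=int(g["prio"]) if g["prio"] else None,
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def select_for_action(lines: Iterable[str], max_priority: int = 2) -> List[Alert]:
    """Keep alerts whose Snort priority number is <= max_priority (lower number
    means more severe); drop non-alert lines and alerts with no priority."""
    out: List[Alert] = []
    for line in lines:
        a = parse_fast_alert(line)
        if a is not None and a.priority is not None and a.priority <= max_priority:
            out.append(a)
    return out


def run_handler(alert: Alert, program: str) -> int:
    """Hand the alert to an external program (path is an assumption) as separate
    argv entries, never via a shell string, so packet-derived fields such as
    the rule message cannot change the command being run."""
    argv = [program, str(alert.gid), str(alert.sid), alert.proto,
            alert.src, str(alert.sport or 0), alert.dst, str(alert.dport or 0),
            alert.msg]
    return subprocess.run(argv, check=False).returncode


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """tail -f style: yield lines appended to path, starting at the current end."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample lines in alert_fast layout (not from a real sensor).
SAMPLE_LINES = [
    "03/05-13:36:35.123456  [**] [1:1000001:1] CONSTRUCTED web probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:51234 -> 198.51.100.5:80",
    "03/05-13:36:40.000001  [**] [1:1000002:1] CONSTRUCTED ICMP ping [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5",
    "not an alert line at all",
]

if __name__ == "__main__":
    # Offline run over the constructed lines; a live deployment would feed
    # follow("/var/log/snort/alert") into select_for_action() instead.
    for a in select_for_action(SAMPLE_LINES):
        print(f"would run handler for sid {a.sid}: {a.src} -> {a.dst}:{a.dport} ({a.msg})")
```

The priority filter is the cheap part Bennett refers to: a text alert line is a few hundred bytes, so deciding whether to spawn anything costs almost nothing, and the expensive fork only happens for the alerts you actually care about.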
Current thread:
- Run an external program Gregory . Kane (Mar 05)
- Re: Run an external program Erek Adams (Mar 05)
- Re: Run an external program Bennett Todd (Mar 05)
- Re: Run an external program Jack Whitsitt (jofny) (Mar 05)
- Re: Run an external program Bennett Todd (Mar 05)
- Re: Run an external program Jack Whitsitt (jofny) (Mar 05)
- Re: Run an external program Bennett Todd (Mar 05)
- Re: Run an external program Erek Adams (Mar 05)
- Re: Run an external program Bennett Todd (Mar 05)
- Re: Run an external program Erek Adams (Mar 05)
- Re: Run an external program Bennett Todd (Mar 05)
- Re: Run an external program Erek Adams (Mar 05)