Snort mailing list archives

Re: Barnyard output


From: Ralf Spenneberg <lists () spenneberg org>
Date: 06 Aug 2003 11:16:39 +0200

Hi Tony,

On Tue, 2003-08-05 at 23:06, Tony Martin wrote:
> I am trying to figure out exactly what I can gain from installing barnyard. Would anybody be willing to either send
> me a piece of a barnyard log or a screen shot to take a look at? You can sanitize any info you don't want me to see,
> I would just like to see a real example of what it gives you.

The main point in running barnyard is saving time for snort.
Logging is expensive in terms of time. Logging in unified mode is one of
the fastest possible logging options snort offers.
When snort logs to a database itself, this is one of the slowest options
you have got.
Where is the problem? Snort is single-threaded, meaning it can only
process the next packet once the last packet has been processed and
logged.
Logging to a slow plugin might result in dropped packets.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto                                  http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
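
The argument in the reply above (a single-threaded sensor cannot read the next packet until the current one is inspected and logged) can be illustrated with a small queue simulation. This is an added example, not part of the original message and not Snort or barnyard code; the function name, buffer size, and all timing figures are constructed assumptions, not measurements.

```python
from collections import deque

def simulate(n_packets, arrival_us, inspect_us, log_us, alert_every, buffer_slots):
    """Model a single-threaded sensor with a bounded capture buffer.

    Every packet costs inspect_us; every alert_every-th packet also costs
    log_us because the alert is written before the next packet is read.
    Returns (processed, dropped). All figures are hypothetical.
    """
    in_system = deque()  # completion times of packets queued or in service
    processed = dropped = 0
    for i in range(n_packets):
        now = i * arrival_us
        # Packets whose processing finished by now have left the buffer.
        while in_system and in_system[0] <= now:
            in_system.popleft()
        # Buffer full: the capture layer discards the packet unseen.
        if len(in_system) >= buffer_slots:
            dropped += 1
            continue
        # FIFO: work starts when the previous packet is fully handled.
        start = in_system[-1] if in_system else now
        cost = inspect_us + (log_us if i % alert_every == 0 else 0)
        in_system.append(start + cost)
        processed += 1
    return processed, dropped

if __name__ == "__main__":
    # Constructed costs: a fast spool write versus a slow database insert.
    for name, log_us in (("unified spool", 20), ("database insert", 2000)):
        print(name, simulate(200, 10, 5, log_us, 10, 64))
```

With the slow logging cost, the first alert stalls the loop long enough for the buffer to fill, and every later packet in the burst is lost before any rule sees it.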

