Snort mailing list archives
Running multiple Barnyards -"Say What :-0"
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Fri, 8 Apr 2005 19:40:50 -0400
If I understand what you are saying, this blows my mind. I had always assumed that one could only run one (1) snort process per NIC. This presents a problem because some departments need more scrutiny than others, for example: the Legal Department or the Public Relations Department or Accounting Department. My guess is that in our installation the database is so busy handling inserts from the sensors and generating the metadata from the alerts in acid tables that our performance suffers, not to mention the fact that all the tables are in one database.

Again, if I understand what you are saying, then on the sensors I could use BPF to create more than one sensor on one machine, for example: I could create snort sensors for the high visibility departments while using the default snort sensor to catch all traffic for event correlation of all alerts in the organization, in order to answer the question: Is a script kiddie scanning all machines for an open port, or is someone carrying out recon on a particular machine? Is my understanding correct?

The alerts from these [fictitious] departments [I made them up to demonstrate my point] are small and often get lost in the crush of alerts overall. Acid in my opinion is not designed to maintain and search separate acid_event_caches for particular hosts, networks or events in order for analysts or the system admins to analyze events. One side effect is that I could deploy Windows ACID boxes in departments for the sysadmins to report events that might not raise alarm bells with me, because I may not know what is going on at that low a level in the department but the system admin would.

Is it imperative that you have Barnyard running on the sensor to run more than one snort process on one NIC, or can one use database output plugins in snort? If my understanding is correct, then you have just rocked my world. Please let me know.
Thanks,
Raymond

------------ Original Message -------
Date: Wed, 06 Apr 2005 08:38:56 -0400
From: "Andrew R. Baker" <andrewb () snort org>
To: Peter Barton <PBarton () iesi com>
Cc: Snort-users () lists sourceforge net
Subject: Running multiple Barnyards (was Re: [Snort-users] Can Snort monitor multiple VLANs?)

Peter Barton wrote:
My question to everyone is, what if you use Barnyard to write to MySql and have Snort just write to binary files. I still have multiple instances of Snort running, but I can only seem to get one instance of Barnyard running. Is there a trick to this or am I just going about this the wrong way?
You should run multiple Barnyards if you are running multiple Snorts. Are you using the -X option on the command line to specify different PID files for each Barnyard process? I have successfully run around a hundred Barnyards on one system as part of testing.

-A
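The layout the thread converges on (several Snort processes on one NIC, each narrowed with a BPF filter and each feeding its own Barnyard with its own PID file) is easy to get wrong when the processes share log directories, waldo files or PID files. The launcher below is an added example written for this page, not code from the thread or from the Snort project. It assumes a Snort 2.x command line (-c, -i, -l, -D, -R <id> to give each Snort its own pid file, and a trailing BPF expression) and a Barnyard 0.2 command line (-c, -d, -f, -w, -X, -D); the interface name, paths, department subnets and sensor names are constructed for illustration. It further assumes each snort.conf writes unified output (the log_unified/alert_unified plugins) under the base name snort.log so Barnyard has something to read. By default it only prints the commands it would run; set RUN=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): one Snort + one Barnyard
# per "sensor", all on the same NIC. Each sensor gets its own log/spool
# directory, its own waldo file and its own PID file so the processes never
# step on each other.
#
# Assumed CLIs (hypothetical for this example; check your installed versions):
#   Snort 2.x:    snort -c <conf> -i <if> -l <dir> -R <id> -D [bpf filter]
#   Barnyard 0.2: barnyard -c <conf> -d <spool dir> -f <base> -w <waldo> -X <pid> -D

IFACE="${IFACE:-eth0}"                          # assumed interface
BASE="${BASE:-/var/log/snort}"                  # assumed base log directory
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
BY_CONF="${BY_CONF:-/etc/snort/barnyard.conf}"

# Constructed sensor table: NAME followed by an optional BPF filter.
# The "default" sensor has no filter and sees everything, so org-wide
# correlation (is this a sweep or targeted recon?) still works.
SENSORS='
legal     net 10.1.10.0/24
pr        net 10.1.20.0/24
acct      net 10.1.30.0/24
default
'

# snort_cmd NAME FILTER  -> prints the Snort command line for one sensor.
# -R NAME makes the pid file snort_<iface><NAME>.pid, so two Snorts on the
# same interface do not fight over one pid file. The BPF filter, if any,
# goes last on the command line.
snort_cmd() {
  name=$1
  filter=$2
  printf 'snort -c %s -i %s -l %s/%s -R %s -D' \
    "$SNORT_CONF" "$IFACE" "$BASE" "$name" "$name"
  [ -n "$filter" ] && printf ' %s' "$filter"
  printf '\n'
}

# barnyard_cmd NAME -> prints the Barnyard command line for one sensor.
# -d points at that sensor's unified spool dir, -w gives it a private waldo
# (the bookmark into the spool) and -X a private pid file, which is the part
# people miss when the second Barnyard refuses to start.
barnyard_cmd() {
  name=$1
  printf 'barnyard -c %s -d %s/%s -f snort.log -w %s/%s/barnyard.waldo -X /var/run/barnyard-%s.pid -D\n' \
    "$BY_CONF" "$BASE" "$name" "$BASE" "$name" "$name"
}

# launch_all -> prints every command (two per sensor). With RUN=1 it also
# creates the per-sensor directories and executes the commands.
launch_all() {
  echo "$SENSORS" | while read -r name filter; do
    [ -z "$name" ] && continue
    snort_cmd "$name" "$filter"
    barnyard_cmd "$name"
    if [ "${RUN:-0}" = 1 ]; then
      mkdir -p "$BASE/$name"
      eval "$(snort_cmd "$name" "$filter")"
      eval "$(barnyard_cmd "$name")"
    fi
  done
}

launch_all
```

Two things to check before trusting the output: every Snort's unified base name (-f on the Barnyard side) must match what its snort.conf actually writes, and each Barnyard's database output should carry a distinct sensor name so the per-department alerts remain separable in the database rather than merging back into one pile. The catch-all sensor will duplicate the department alerts by design; that is what makes organisation-wide correlation possible, but it also means the database load is not reduced by splitting.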