Snort mailing list archives
Re: Run an external program
From: Bennett Todd <bet () rahul net>
Date: Wed, 5 Mar 2003 13:48:09 -0500
2003-03-05T13:36:35 Erek Adams:
> * It's not syslog. :)
> * It gathers the packet data along w/the alert data.
Those are the differences, yes, and for some applications they argue in favour of Barnyard, for others they argue against it. Really depends on local needs and wishes.
> * It understands spooling, and can handle intermittent connectivity.
> * If it's already in place, the only extra overhead is that of creating a new process (Yeah, that _is_ expensive on whatever OS you are on), and having it do what you want.
Those are the same either way. Unified log format -> barnyard, simple alert file or syslog -> swatch or any other off-the-shelf logfile tailer. Same machinery, same consequences.
> * It's cleaner. Snort snarfs the packets, BY 'pushes' them into whatever output mechanism it wants. It doesn't care about anything else.
It's equally clean, we're talking the same architecture either way, just a different logfile format and a different logfile tailer.

-Bennett
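The "simple alert file -> logfile tailer -> external program" path the thread describes, written out as an added example (this is not code from the thread, from Snort, Barnyard or swatch). It assumes Snort is running with `-A fast`, tails that alert file, parses each line, filters on priority and hands the fields to an external program as separate argv entries. The alert lines embedded below are constructed samples using documentation addresses, and the `/usr/local/bin/notify` path in the demo is a placeholder.

```python
"""Tail a Snort alert_fast file and run an external program per alert.

Added example for the swatch-style path discussed above; not project code.
The sample alert lines are constructed, the notify path is a placeholder.
"""
import re
import subprocess
import time
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# `snort -A fast` writes one alert per line in this shape:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification and Priority are absent for rules without a classtype.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = FAST_ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    g = m.groupdict()
    return {
        "timestamp": g["ts"],
        "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"],
        "classification": g["cls"],
        "priority": int(g["prio"]) if g["prio"] else None,  # None = unclassified
        "proto": g["proto"],
        "src": g["src"], "dst": g["dst"],
    }


def follow(path: str, poll_seconds: float = 0.5) -> Iterator[str]:
    """Yield lines appended to `path`, like `tail -f` (swatch's mode of operation).
    Starts at end of file so only alerts raised after startup trigger actions."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


def dispatch(lines: Iterable[str], handler: Callable[[Dict[str, object]], None],
             max_priority: int = 2) -> int:
    """Parse each line and call `handler` for alerts at or above `max_priority`
    (Snort priority 1 is most severe). Unclassified alerts (no priority) are
    passed through rather than silently dropped. Returns the number handled."""
    handled = 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue  # blank line, partial write or unrelated text
        prio = alert["priority"]
        if prio is not None and prio > max_priority:
            continue
        handler(alert)
        handled += 1
    return handled


def build_argv(program: List[str], alert: Dict[str, object]) -> List[str]:
    """Argument vector for the external program. Each field is its own argv
    entry and no shell is involved: msg/src/dst derive from packet content
    the sender controls, so they must never be interpolated into a command line."""
    return program + [str(alert["sid"]), str(alert["proto"]),
                      str(alert["src"]), str(alert["dst"]), str(alert["msg"])]


def run_external(program: List[str], alert: Dict[str, object], timeout: float = 10) -> int:
    """Spawn the external program once per alert (the per-process cost the thread
    mentions); a bounded timeout keeps a hung handler from stalling the tailer."""
    return subprocess.run(build_argv(program, alert), shell=False,
                          timeout=timeout, check=False).returncode


# Constructed sample lines (RFC 5737 documentation addresses, example SIDs).
SAMPLE_ALERTS = [
    "03/05-13:48:09.123456  [**] [1:1000001:1] EXAMPLE web probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40123 -> 198.51.100.5:80\n",
    "03/05-13:48:10.000001  [**] [1:1000002:1] EXAMPLE noisy scan [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.11:53000 -> 198.51.100.5:161\n",
    "03/05-13:48:11.500000  [**] [1:1000003:1] EXAMPLE ping [**] {ICMP} 192.0.2.12 -> 198.51.100.5\n",
    "not an alert line at all\n",
]


def demo() -> List[Dict[str, object]]:
    """Run the sample lines through dispatch() and collect what would be acted on."""
    seen: List[Dict[str, object]] = []
    dispatch(SAMPLE_ALERTS, seen.append, max_priority=2)
    return seen


if __name__ == "__main__":
    for a in demo():
        print(build_argv(["/usr/local/bin/notify"], a))  # placeholder program path
    # Live use: dispatch(follow("/var/log/snort/alert"),
    #                    lambda a: run_external(["/usr/local/bin/notify"], a))
```

With the sample input, the priority-3 alert and the stray text line are skipped, the priority-2 alert and the unclassified ICMP alert reach the handler. The same `dispatch()` loop driven by `follow()` is the tailer half of the arrangement; Barnyard on unified output replaces only the parsing front end, which is the point Bennett makes above.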