Snort mailing list archives

Re: Barnyard output


From: AGM <anothergoodman () yahoo com>
Date: Wed, 6 Aug 2003 05:23:40 -0700 (PDT)

And one other nice feature of Barnyard - in a WAN
environment with multiple sniffing sites, where a 
central database is across a WAN link from the
sniffers, Barnyard can ensure that a loss of
connection to the database won't become a loss of
data, pushing it into the database when the connection
is restored.  This depends on the local disk space and
"spooling" to the log files that snort writes and
where barnyard gets its input from.  Barnyard can also
keep track of what records/files have been processed
if, say, your sniffer box crashes or is rebooted.

- AGM

--- Ralf Spenneberg <lists () spenneberg org> wrote:
Hi Tony,

On Tue, 2003-08-05 at 23:06, Tony Martin wrote:
I am trying to figure out exactly what I can gain
from installing barnyard. Would anybody be willing
to either send me a piece of a barnyard log or a
screen shot to take a look at? You can sanitize any
info you don't want me to see, I would just like to
see a real example of what it gives you.

The main point in running barnyard is saving time for snort.
Logging is expensive in terms of time. Logging in unified mode is one of
the fastest possible logging options snort offers.
When snort logs to a database itself, this is one of the slowest options
you have got.
Where is the problem? Snort is single-threaded, meaning it can only
process the next packet once the last packet has been processed and
logged.
Logging to a slow plugin might result in dropped packets.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX
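
The spooling and record-tracking behaviour AGM describes, as an added sketch (not Barnyard's code and not part of this thread): a spool reader that advances its bookmark only after the database accepts a record, so an outage or reboot loses nothing. Newline-delimited records, the `bookmark.json` name, the `sink` callback and the sample file names are assumptions for illustration; real unified files are binary.

```python
import json, os, tempfile

def load_bookmark(path):
    try:
        with open(path) as fh:
            mark = json.load(fh)
        return mark["file"], mark["offset"]
    except (OSError, ValueError, KeyError):
        return None, 0      # nothing confirmed yet: start at the oldest spool file

def save_bookmark(path, name, offset):
    tmp = path + ".tmp"     # write, fsync, rename: a crash never leaves a torn bookmark
    with open(tmp, "w") as fh:
        json.dump({"file": name, "offset": offset}, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)

def drain(spool_dir, bookmark, sink):
    """Forward undelivered records in order; return how many the sink accepted."""
    last_file, last_off = load_bookmark(bookmark)
    sent = 0
    for name in sorted(n for n in os.listdir(spool_dir) if n.startswith("snort.log.")):
        if last_file and name < last_file:
            continue        # fully delivered in an earlier run
        with open(os.path.join(spool_dir, name), "rb") as fh:
            fh.seek(last_off if name == last_file else 0)
            while (rec := fh.readline()).endswith(b"\n"):  # ignore a half-written tail
                try:
                    sink(rec.rstrip(b"\n"))
                except ConnectionError:
                    return sent     # database unreachable: data stays spooled on disk
                save_bookmark(bookmark, name, fh.tell())   # advance only after delivery
                sent += 1
    return sent

def demo():
    """Constructed sample: five records in two spool files; the link drops after two."""
    spool, db, state = tempfile.mkdtemp(), [], {"fail_at": 2}
    for name, recs in (("snort.log.1060172000", b"a\nb\nc\n"), ("snort.log.1060172600", b"d\ne\n")):
        with open(os.path.join(spool, name), "wb") as fh:
            fh.write(recs)
    def sink(rec):          # stand-in for the database insert
        if len(db) == state["fail_at"]:
            raise ConnectionError("database unreachable")
        db.append(rec)
    mark = os.path.join(spool, "bookmark.json")
    first = drain(spool, mark, sink)             # outage after two inserts
    state["fail_at"] = None                      # link restored (or process restarted)
    return first, drain(spool, mark, sink), db   # second run resumes at the bookmark
```

Delivery in this sketch is at-least-once: a crash between the insert and the bookmark write resends one record, so the database side has to tolerate a duplicate.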

