Snort mailing list archives

Running multiple Barnyards -"Say What :-0"


From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Fri, 8 Apr 2005 19:40:50 -0400

If I understand what you are saying, this blows my mind.
I had always assumed that one could only run one (1) snort process per NIC.
This presents a problem because some departments need more scrutiny than
others, for example: the Legal Department or the Public Relations Department
or Accounting Department. My guess is that in our installation the database
is so busy handling inserts from the sensors and generating the metadata
from the alerts in acid tables that our performance suffers not to mention
the fact that all the tables are in one database. 
Again, if I understand what you are saying then on the sensors
I could use BPF to create more than one sensor on one machine for example:
I could create snort sensors for the high visibility departments
while using the default snort sensor to catch all traffic for event correlation of
all alerts in the organization, in order to answer the question:
Is a script kiddie scanning all machines for an open port or is some one
carrying out recon on a particular machine.
Is my understanding correct?
The alerts from these [fictitious] departments [I made them up to demonstrate my point]
are small and often get lost in the crush of alerts overall.  Acid in my opinion
is not designed to maintain and search separate acid_event_caches for particular hosts, networks or events
in order for analysts or the system admins to analyze events. One side effect is that I could
deploy Windows ACID boxes in departments for the sysadmins to report events that
might not raise alarm bells with me because I may not know what is going on at that
low a level in the department but would with the system admin.
Is it imperative that you have Barnyard running on the Sensor to run more than one
snort process on one NIC or can one use database output
plugins in snort?

If my understanding is correct, then you have just rocked my world.
Please let me know.
Thanks
Raymond

------------ Original Message -------
Date: Wed, 06 Apr 2005 08:38:56 -0400
From: "Andrew R. Baker" <andrewb () snort org>
To: Peter Barton <PBarton () iesi com>
Cc: Snort-users () lists sourceforge net
Subject: Running multiple Barnyards (was Re: [Snort-users] Can Snort monitor
 multiple VLANs?)

Peter Barton wrote:

> My question to everyone is, what if you use Barnyard to write to MySql
> and have Snort just write to binary files.  I still have multiple
> instances of Snort running, but I can only seem to get one instance of
> Barnyard running.  Is there a trick to this or am I just going about
> this the wrong way?

You should run multiple Barnyards if you are running multiple Snorts.
Are you using the -X option on the command line to specify different PID 
files for each Barnyard process?  I have successfully run around a 
hundred Barnyards on one system as part of testing.

-A


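The setup discussed in this thread, as an added example that is not from either poster or from the Snort project: one Snort process per department on a single NIC, each selecting its traffic with a BPF filter and writing unified logs to its own directory, plus a catch-all Snort, and one Barnyard per Snort with its own -X pid file and -w waldo file. The interface, paths, hostname, department names, netblocks and the "eth0:<name>" interface label handed to Barnyard are all assumptions; snort.conf is assumed to carry an `output log_unified: filename snort.log, limit 128` line and barnyard.conf the `output database:` line.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort project: one Snort
# process per department on a single NIC, each with its own BPF filter and
# log directory, and one Barnyard per Snort with its own -X pid file and -w
# waldo file. Interface, paths, hostname, department names and netblocks
# are assumptions.
IFACE=eth0
SENSOR_HOST=sensor01                 # hostname Barnyard reports to the DB
SNORT_CONF=/etc/snort/snort.conf     # assumed to contain an output log_unified line
BY_CONF=/etc/snort/barnyard.conf     # assumed to contain the output database line
LOGROOT=/var/log/snort
RUNDIR=/var/run
DRY_RUN=1                            # 1 = print the commands, 0 = run them

# Sensor table (constructed): name|BPF filter. Empty filter = catch-all sensor.
SENSORS='
legal|net 10.1.1.0/24
pr|net 10.1.2.0/24
accounting|net 10.1.3.0/24
all|
'

# Snort command for one sensor. A separate -l directory per instance keeps
# the unified files and the snort_<iface>.pid of each process apart.
# The BPF filter is passed as the trailing argument, as Snort expects.
snort_cmd() {
  name=$1; bpf=$2
  cmd="snort -D -i $IFACE -c $SNORT_CONF -l $LOGROOT/$name"
  if [ -n "$bpf" ]; then
    cmd="$cmd '$bpf'"
  fi
  printf '%s\n' "$cmd"
}

# Barnyard command for the same sensor: spool that Snort's unified log
# (base name snort.log) from its directory, bookmark progress in its own
# waldo file, and use a distinct pid file (-X). -h/-i give each instance
# its own sensor identity in the database, so ACID can tell the
# departments apart instead of merging them into one sensor row.
barnyard_cmd() {
  name=$1
  printf '%s\n' "barnyard -D -c $BY_CONF -d $LOGROOT/$name -f snort.log -w $LOGROOT/$name/waldo -X $RUNDIR/barnyard-$name.pid -h $SENSOR_HOST -i $IFACE:$name"
}

# Walk the table and start (or, in dry-run mode, print) one Snort/Barnyard
# pair per entry. Returns the command lines, two per sensor.
launch_all() {
  printf '%s\n' "$SENSORS" | while IFS='|' read -r name bpf; do
    [ -n "$name" ] || continue
    for cmd in "$(snort_cmd "$name" "$bpf")" "$(barnyard_cmd "$name")"; do
      if [ "$DRY_RUN" -eq 1 ]; then
        printf '%s\n' "$cmd"
      else
        # eval is acceptable here only because the table is embedded, trusted input
        mkdir -p "$LOGROOT/$name" && eval "$cmd"
      fi
    done
  done
}

launch_all
```

With DRY_RUN=1 the script only prints the eight command lines it would run; set DRY_RUN=0 on the sensor to start them. The important per-instance pieces are the ones Peter's single Barnyard was missing: a separate spool directory (-d), waldo file (-w) and pid file (-X) for each Barnyard, so none of them step on each other's bookmarks or refuse to start because a pid file already exists.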

