Snort mailing list archives
Re: Quick Barnyard question...
From: Dirk Geschke <dirk () geschke-online de>
Date: Thu, 11 Aug 2005 21:46:17 +0200
Hi Jeff,
Probably stoooopid question, but I can't hold back any longer: I'm starting to look into barnyard (number of sensors is growing, need to centralize reporting, moving toward sguil as a goal...) but I haven't been able to find a good quick overview of what it does. I know it accepts unified alert files and can feed databases for later analysis, but specifically:
* Is there a Barnyard "master" that sits on the database server, collecting alert files from all the sensors and loading into a database?
No, each snort-sensor runs barnyard which does its inserts in the database via the network.
* Is there a Barnyard "agent" that moves unified alerts from the sensor to the "master"?
The barnyard process on the snort machine reads the unified alerts and stores them directly in the database.
* Or does Barnyard just run on each sensor and writes back SQL to a common backend database server?
You got it. If you are looking for something which works like your first two points: Take a look at FLoP http://www.geschke-online.de/FLoP/

Here one agent runs on every sensor and forwards the alert to a central master process which sits on the central database server. This process does all the necessary inserts in the database via a unix socket. So the database does not need to open a TCP socket at all.

But it is strongly recommended to use a separate network for the communication between snort and the database server. This counts for both the barnyard solution and FLoP.

Best regards

Dirk
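To make the agent/master split described in the reply concrete, here is an added illustration (not FLoP's own code or wire format) of the master side: agents on the sensor network send one alert record per line, the master parses and validates each record and writes it into a database that is opened locally, the way the unix-socket database connection is in the FLoP design. The line format, the table layout and sqlite as the database are all assumptions made for this example.

```python
import socket
import sqlite3

# Constructed record format for this illustration, not FLoP's real protocol:
# "<sid>|<gid>|<rev>|<epoch>|<src_ip>|<dst_ip>|<message>", one record per line.
FIELDS = ("sid", "gid", "rev", "ts", "src", "dst", "msg")


def parse_alert_line(line: str) -> dict:
    """Parse one agent record; raise ValueError/OSError on anything malformed."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("wrong field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for key in ("sid", "gid", "rev", "ts"):
        rec[key] = int(rec[key])          # non-numeric ids/timestamps are rejected
    for key in ("src", "dst"):
        socket.inet_aton(rec[key])        # IPv4 only in this illustration
    return rec


def open_db(path: str) -> sqlite3.Connection:
    """Local database handle (stands in for the unix-socket DB connection)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS event (sid INTEGER, gid INTEGER, rev INTEGER,"
               " ts INTEGER, src TEXT, dst TEXT, msg TEXT)")
    return db


def handle_agent(conn: socket.socket, db: sqlite3.Connection) -> tuple:
    """Read records from one agent socket until EOF; return (inserted, rejected)."""
    inserted = rejected = 0
    with conn.makefile("r", encoding="utf-8", errors="replace") as stream:
        for line in stream:
            try:
                rec = parse_alert_line(line)
            except (ValueError, OSError):
                rejected += 1             # malformed input never reaches SQL
                continue
            db.execute("INSERT INTO event VALUES (?,?,?,?,?,?,?)",
                       tuple(rec[f] for f in FIELDS))   # parameterised insert
            inserted += 1
    db.commit()
    return inserted, rejected


def serve_master(bind_ip: str, port: int, db_path: str) -> None:
    """Master loop: bind only to the dedicated sensor-network address, not 0.0.0.0."""
    db = open_db(db_path)
    with socket.create_server((bind_ip, port)) as srv:
        while True:
            agent, _ = srv.accept()
            with agent:
                handle_agent(agent, db)
```

Only the master needs a listening TCP socket, and it should be bound to the separate sensor network the reply recommends; the database itself stays reachable only locally.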
Current thread:
- Quick Barnyard question... Jeff Kell (Aug 11)
- Re: Quick Barnyard question... Paul Schmehl (Aug 11)
- Re: Quick Barnyard question... Dirk Geschke (Aug 11)
- <Possible follow-ups>
- Re: Quick Barnyard question... Mihai Petre (Aug 11)
- Re: Quick Barnyard question... Paul Schmehl (Aug 11)
- Re: Quick Barnyard question... Mihai Petre (Aug 11)
- Re: Quick Barnyard question... Paul Schmehl (Aug 11)
- Re: Quick Barnyard question... Jeff Kell (Aug 11)
- Re: Quick Barnyard question... Paul Schmehl (Aug 11)
- Re: Quick Barnyard question... Joel Esler (Aug 13)
- RE: Quick Barnyard question... Min Qiu (Aug 11)
- RE: Quick Barnyard question... Min Qiu (Aug 15)
- Re: Quick Barnyard question... Joel Esler (Aug 15)
(Thread continues...)