Snort mailing list archives
Re: Barnyard2 and multiple sensors
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 21 Oct 2010 10:52:56 -0400
On 10/20/10 11:40 PM, Russell Fulton wrote:
> Hi Folks
>
> I am at the point where I need to have more than one snort instance running on a given sensor so we can take advantage of multiple CPUs and thus I will be producing multiple unified2 files on a sensor. Logically there is still just one sensor -- can barnyard2 merge input from more than one input file?
>
> I've googled and rtfm'ed and could not find anything that suggested that this is possible. I hope I missed something :)
>
> Russell

I set up each Snort instance to log to 1 MB unified2 files, and then I have a Perl script do an ls in the directory every 30 or so seconds; if it sees two or more files from the same instance, it fires up barnyard2 to process the file. There is some slight lag in the alerts getting to the sensor doing it this way, but it works pretty well for us.

I can toss you a copy of the script, init script and a little more info on the Snort output setup if you like.

--
Eoin
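
The polling approach described in the reply above, as an added Python example (not Eoin's Perl script, which is not on the page). Assumptions: each instance writes files named `<instance>.u2.<epoch>`, the barnyard2 config lives at a placeholder path, barnyard2 is run in its `-o` batch mode, and a file is deleted once barnyard2 exits cleanly.

```python
import os
import re
import subprocess
import time
from collections import defaultdict

# Assumed naming: Snort appends a Unix timestamp to the configured unified2
# filename, e.g. "inst1.u2.1287672776" (instance names here are constructed).
U2_NAME = re.compile(r"^(?P<instance>.+\.u2)\.(?P<ts>\d+)$")

def ready_files(names):
    """Return {instance: [completed files, oldest first]}.

    Two or more files for one instance means Snort has rotated, so every
    file except the newest is closed and safe to hand to barnyard2.
    """
    by_instance = defaultdict(list)
    for name in names:
        m = U2_NAME.match(name)
        if m:
            by_instance[m.group("instance")].append((int(m.group("ts")), name))
    ready = {}
    for instance, files in by_instance.items():
        files.sort()
        if len(files) >= 2:
            ready[instance] = [n for _, n in files[:-1]]
    return ready

def process_once(log_dir, run=subprocess.run, conf="/etc/snort/barnyard2.conf"):
    """One polling pass; conf is a placeholder path (assumption)."""
    handled = []
    for _, files in sorted(ready_files(os.listdir(log_dir)).items()):
        for name in files:
            path = os.path.join(log_dir, name)
            # Argument list, no shell: file names never reach a shell parser.
            result = run(["barnyard2", "-c", conf, "-o", path])
            if result.returncode != 0:
                break  # keep this file and newer ones for the next pass
            os.remove(path)  # assumption: delete once spooled successfully
            handled.append(name)
    return handled

if __name__ == "__main__":
    while True:  # poll every 30 seconds, as in the reply
        process_once("/var/log/snort")
        time.sleep(30)
```

Because the newest file of each instance is always left alone, alerts reach the database only after the next rotation, which is the lag the reply mentions.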