Snort mailing list archives
Re: Barnyard2 and multiple sensors
From: Jim Hranicky <jfh () ufl edu>
Date: Wed, 27 Oct 2010 21:37:58 -0400
>> I am at the point where I need to have more than one snort instance
>> running on a given sensor so we can take advantage of multiple CPUs
>> and thus I will be producing multiple unified2 files on a sensor.
>> Logically there is still just one sensor -- can barnyard2 merge input
>> from more than one input file? I've googled and rtfm'ed and could not
>> find anything that suggested that this is possible. I hope I missed
>> something :)
FWIW, here's the processes on our new test sensor:

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort1 net 10.0.0.0/10
barnyard2 -i eth2.1 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort1

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort2 net 10.64.0.0/10
barnyard2 -i eth2.2 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort2

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort3 net 10.128.0.0/10
barnyard2 -i eth2.3 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort3

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort4 net 10.192.0.0/10
barnyard2 -i eth2.4 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort4

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort5 net XX.XX.0.0/17
barnyard2 -i eth2.5 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort5

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort6 net XX.XX.128.0/17
barnyard2 -i eth2.6 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort6

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort7 net XX.XX.0.0/17
barnyard2 -i eth2.7 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort7

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort8 net XX.XX.128.0/17
barnyard2 -i eth2.8 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort8

This seems to be working very well for us.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
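Added example (not part of the original post, and not Snort or Barnyard2 code): when one sensor is split into several snort instances by per-instance `net` filters as in the message above, a gap between slices is traffic no instance inspects and an overlap is traffic alerted on twice. The check below uses the four 10.x slices from the post; the monitored range 10.0.0.0/8, the function name and the log-directory labels used as instance names are assumptions, and the redacted XX.XX slices are left out.

```python
import ipaddress

# The four unredacted slices from the post, keyed by log directory name.
POST_SLICES = {
    "snort1": "10.0.0.0/10",
    "snort2": "10.64.0.0/10",
    "snort3": "10.128.0.0/10",
    "snort4": "10.192.0.0/10",
}

def check_partition(monitored, slices):
    """Return (overlaps, gaps) for per-instance `net` filters.

    monitored: CIDR strings the sensor as a whole is expected to cover
               (an assumption supplied by the operator).
    slices:    instance name -> CIDR used in that instance's BPF filter.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in slices.items()}
    names = sorted(nets)
    # Two instances with overlapping filters both see the same packets.
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if nets[a].overlaps(nets[b])]
    # Subtract each slice from the monitored space; the remainder is unseen.
    remaining = [ipaddress.ip_network(m) for m in monitored]
    for net in nets.values():
        kept = []
        for block in remaining:
            if not block.overlaps(net):
                kept.append(block)            # slice does not touch this block
            elif block.subnet_of(net):
                continue                      # block fully covered by slice
            else:
                kept.extend(block.address_exclude(net))  # carve slice out
        remaining = kept
    gaps = [str(n) for n in ipaddress.collapse_addresses(remaining)]
    return overlaps, gaps

if __name__ == "__main__":
    overlaps, gaps = check_partition(["10.0.0.0/8"], POST_SLICES)
    print("overlapping instances:", overlaps)
    print("uncovered ranges:", gaps)
```
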
Current thread:
- Re: Barnyard2 and multiple sensors, (continued)
- Re: Barnyard2 and multiple sensors Jason Haar (Oct 21)
- Re: Barnyard2 and multiple sensors JJC (Oct 21)
- Re: Barnyard2 and multiple sensors Russell Fulton (Oct 28)
- Re: Barnyard2 and multiple sensors Jim Hranicky (Oct 28)
- Re: Barnyard2 and multiple sensors Mike Lococo (Oct 31)
- Re: Barnyard2 and multiple sensors Billy Marshall (Nov 02)
- Re: Barnyard2 and multiple sensors Russell Fulton (Oct 21)
- Re: Barnyard2 and multiple sensors Jim Hranicky (Oct 27)