Re: Multiple snorts & Barnyard2

[Joel Esler <jesler () sourcefire com>]

You should look into the afpacket capture method in daq.

On Thu, Jun 21, 2012 at 1:25 PM, Naresh Narang <
nnarang () guardiananalytics com> wrote:

> It's on Solaris 10. Yes currently using -i directive but it starts up two
> instances. I'll need to check if IPMP can be done on NICs with no IPs.
>
> --Naresh
>
> -----Original Message-----
> From: Kungu Panda [mailto:kungupanda () gmail com]
> Sent: Thursday, June 21, 2012 10:22 AM
> To: Naresh Narang
> Cc: snort-users () lists sourceforge net
> Subject: [Snort-users] Multiple snorts & Barnyard2
>
> linux:   yes, look into ifenslave/bonding.
> windows:   i have no idea.
>
> Or maybe multiple "-i " nic directives can be specified on the snort
> commandline, never tried that.
>
> KPanda
>
>
> On Thu, Jun 21, 2012 at 5:06 PM, Naresh Narang <
> nnarang () guardiananalytics com> wrote:
> > Ok case in point. I have to monitor traffic coming in on two NICs. Can I
> monitor with one instance running?
> > --Naresh
> > Sent from my iPhone
> >
> > On Jun 21, 2012, at 9:52 AM, "Kungu Panda" <kungupanda () gmail com> wrote:
> >
> > > I am using a single instance of snort to write-out multiple unified
> > > files and then using multiple barnyard2 instances to send to both
> > > syslog and mysql.  Basically sending alerts to a prime and backup
> > > monitoring stations.  No issues or problems; drop two "output
> > > unified2: xxx" directives in snort.conf.
> > >
> > > Not sure why anyone would need multiple instances of snort to achieve
> > > the same result.  In fact, it would seem to be wildly inefficient to
> > > run multiple instances of snort to inspect the same traffic.  Of
> > > course, you may have systems and cpu's to burn.
> > >
> > > KPanda.
> > >
> > >
> > > -----Original Message-----
> > > From: Peter Bates [mailto:peter.bates () ucl ac uk]
> > > Sent: Thursday, June 21, 2012 15:48
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] Multiple snorts & Barnyard2
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > >
> > > Hello all
> > >
> > > I was just wondering if I was missing any tricks here
> > > - - and interesting if anyone is doing things differently.
> > >
> > > I'm spawning multiple Snort processes - with a different
> > > - -l to write unified2 output into seperate directories.
> > >
> > > As a result I'm running multiple Barnyard2 processes, each reading
> > > the directories in continuous mode - and writing to DB and Syslog.
> > >
> > > Is this the optimal way of doing things, or am I missing a crafty
> > > command-line option somewhere?
> > >
> > > - --
> > > Peter Bates
> > > Senior Computer Security Officer    Phone: +44(0)2076792049
> > > Information Services Division       Internal Ext: 32049 University
> > > College London London WC1E 6BT
> > >
> > > ---------------------------------------------------------------------
> > > ---------
> > > Live Security Virtual Conference
> > > Exclusive live event will cover all the ways today's security and
> > > threat landscape has changed and how IT managers can respond.
> > > Discussions will include endpoint security, mobile security and the
> > > latest in malware threats.
> > > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!