Re: barnyard to db

[Chris Green <cmg () uab edu>]

"Frank Reid" <fcreid () ourcorner org> writes:

> I'm confused on barnyard.  From mailing list discussion and docs, I
> presume it rolls up the Snort binary output and performs the database
> insertions directly (rather than having Snort insert "real-time" into
> the database via the output preprocessor).  

Right.  It means the postprocessing of the alert is separated from the
alert itself.

> Is that's correct, then is it of most value if Snort and the
> database live on the same box?  

No. 

> In a distributed Snort sensor environment, one would have to
> "collect" the Snort output by some other means, then have barnyard
> read it into the database?

Right or write a barnyard plugin that sends the files over the
network. Think of snort + barnyard as "portable threads".

Snort does the logging.  Barnyard sends the alerts that once can then
process in whatever way they please while handling bursty traffic.
-- 
Chris Green <cmg () uab edu>
You now have 14 minutes to reach minimum safe distance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users