Snort mailing list archives

Re: Q: Barnyard on multiple interfaces

From: "Andrew R. Baker" <andrewb () snort org>
Date: Thu, 14 Aug 2003 22:45:12 -0400

Gordon Cunningham wrote:

I'm having problems with running snort on 3-4 interfaces on the same machine
(separate invocations, conf and log files - one for each interface), and
running barnyard to pick up the logs and insert them into a remote ACID
MySQL database (again, separate invocation and conf files - one for each
interface).  The main problem I'm seeing is either the db inserts don't work
at all, or all implementations of barnyard input the same info into all
sensor ID's (the primary snort interface).

You probably need to adjust your Barnyard configuration files to eitherproperly specify the interface name or the sensor id you want eventsinserted as in the database.

Specifying the sensor id directly is easiest, you just change the valuefor the sensor_id argument in the XXX_acid_db output plugin. Eachinterface you run Snort on will need to have its own sensor id.

If you want to be fancier, you can remove the sensor_id optioncompletely from the XXX_acid_db output plugin and instead set theinterface and hostname config variables. Doing this will cause Barnyardto query the database for the appropriate sensor id and create a new oneif necessary. Setting these values would be done with the followinglines in the Barnyard configuration file:


config interface: eth0
config hostname: snorthost

I recommend the 2nd choice, since that matches more closely to whatSnort does. You can also specify the BPF filter used for the sensorinstance if you want with:


config filter: not port 22

Let me know if either of the above methods does not fix the problem youare seeing.


-A



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

acid woes Bryan Irvine (Aug 13)
- <Possible follow-ups>
- Re: acid woes JP Vossen (Aug 14)
- Acid Woes Michael J. McCasland (Aug 14)
  - Q: Barnyard on multiple interfaces Gordon Cunningham (Aug 14)
    - Re: Q: Barnyard on multiple interfaces Andrew R. Baker (Aug 14)
  - Re: Acid Woes Bryan Irvine (Aug 14)