Snort mailing list archives

Re: snort output


From: Bamm Visscher <bamm () satx rr com>
Date: Tue, 5 Aug 2003 10:18:17 -0500

I _think_ you can enable multiple output plugins in barnyard, but I have never tried. That would be the best solution.  
I don't see why ACID couldn't be converted to use the sguildb schema, if one decided they wanted to tackle that (huge) 
job.  BTW, xscriptd (the sguil component responsible for generating 'transcripts' using tcpflow) doesn't read unified 
files, but the binary logs created by log_packets.sh (which is just a shell script for starting snort in packet logger 
mode).  When designing sguil, I tried coming up w/a good way for only having to run one snort proc on the sensor, but 
ran into problems with the way unified out is designed. I wish we could use unified alert for BY/sguil and -b (binary) 
for logging packets, but unified alert doesn't contain packet info. The other option would be to run one instance of 
snort logging all packets (log ip any any -> any any;) and alerts to unified out. Then having barnyard read the spool 
file and write to sguildb and pcap.  That's a lot of reading/writing and wasted IO in my opinion, although I am far 
from an expert on how to efficiently use resources on a sensor. Chris will probably come back and tell me what an idiot 
I am and that running multiple snort procs is wasting more important resources than spooling unified to pcap.

Bammkkkk
 
On Tue, Aug 05, 2003 at 08:13:41AM -0600, Slighter, Tim wrote:
> I can understand what you are saying, and what I am attempting to accomplish
> will most likely push the system beyond the limit.  But the goal is to drop
> all alerts into the MySQL database, retrievable by ACID, and at the same time
> have a unified converted to binary for tcpflow and barnyard.  I have been
> using sguil and I suppose that the php scripts could be reconfigured in ACID
> to extract the sguildb data instead.
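Bamm's point that a unified alert record carries only the event header (no packet bytes), while a unified log record carries the packet, can be seen directly by reading the two spool formats. The Python reader below is an added example, not code from this thread or from the snort, barnyard or sguil projects; the record layouts are my reading of Snort 2.x's spo_unified.h (native little-endian x86 layout, struct timeval as two u32s) and should be treated as an assumption, and the two spool files it parses are constructed in-line rather than captured from a sensor.

```python
"""Reader for Snort 2.x unified alert/log spools (added example; layouts assumed)."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Union

ALERT_MAGIC = 0xDEAD4137   # UnifiedAlertFileHeader.magic (assumed from spo_unified.h)
LOG_MAGIC = 0xDEAD1080     # UnifiedLogFileHeader.magic   (assumed from spo_unified.h)

EVENT_FMT = "<7I2I"                     # sig_generator..event_reference, ref_time(sec,usec)
ALERT_FILE_HDR_FMT = "<3I"              # magic, version, timezone
ALERT_REC_FMT = EVENT_FMT + "2I2I2H2I"  # + ts(sec,usec), sip, dip, sp, dp, protocol, flags
LOG_FILE_HDR_FMT = "<IHHIIII"           # magic, ver_major, ver_minor, tz, sigfigs, snaplen, linktype
LOG_REC_FMT = EVENT_FMT + "I2III"       # + flags, pcap_pkthdr(ts sec,usec, caplen, len); packet follows


@dataclass
class Event:
    sig_generator: int; sig_id: int; sig_rev: int; classification: int
    priority: int; event_id: int; event_reference: int; ref_sec: int; ref_usec: int


@dataclass
class AlertRecord:
    event: Event; ts: float
    src: str; dst: str; sport: int; dport: int; protocol: int; flags: int
    packet: None = None   # alert spools never carry packet bytes; this is the point of the thread


@dataclass
class LogRecord:
    event: Event; flags: int; ts: float; caplen: int; pktlen: int
    packet: bytes          # captured bytes, what tcpflow/transcripts need


def _ip_str(n: int) -> str:
    """Host-order u32 (as snort stores it) -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", n))


def _ip_num(s: str) -> int:
    return struct.unpack("!I", socket.inet_aton(s))[0]


def parse_spool(data: bytes) -> List[Union[AlertRecord, LogRecord]]:
    """Parse one spool file; raises ValueError on a record that is still being written."""
    magic = struct.unpack_from("<I", data, 0)[0]
    records: List[Union[AlertRecord, LogRecord]] = []
    if magic == ALERT_MAGIC:
        off, size = struct.calcsize(ALERT_FILE_HDR_FMT), struct.calcsize(ALERT_REC_FMT)
        while off + size <= len(data):
            f = struct.unpack_from(ALERT_REC_FMT, data, off)
            records.append(AlertRecord(Event(*f[:9]), f[9] + f[10] / 1e6,
                                       _ip_str(f[11]), _ip_str(f[12]), f[13], f[14], f[15], f[16]))
            off += size
    elif magic == LOG_MAGIC:
        off, size = struct.calcsize(LOG_FILE_HDR_FMT), struct.calcsize(LOG_REC_FMT)
        while off + size <= len(data):
            f = struct.unpack_from(LOG_REC_FMT, data, off)
            caplen, pktlen = f[12], f[13]
            off += size
            pkt = data[off:off + caplen]
            if len(pkt) < caplen:   # snort has not finished writing this record yet
                raise ValueError("truncated log record at offset %d" % (off - size))
            records.append(LogRecord(Event(*f[:9]), f[9], f[10] + f[11] / 1e6, caplen, pktlen, pkt))
            off += caplen
    else:
        raise ValueError("unknown spool magic 0x%08x" % magic)
    return records


SAMPLE_PACKET = b"CONSTRUCTED-PACKET-BYTES"   # constructed placeholder, not a real frame


def build_sample_alert_spool() -> bytes:
    """Constructed alert spool: file header plus two event-only records."""
    hdr = struct.pack(ALERT_FILE_HDR_FMT, ALERT_MAGIC, 1, 0)

    def rec(eid, sip, dip, sp, dp, proto):
        ev = (1, 1000001, 1, 0, 2, eid, eid, 1060100000, 0)
        return struct.pack(ALERT_REC_FMT, *ev, 1060100000, 0,
                           _ip_num(sip), _ip_num(dip), sp, dp, proto, 0)

    return hdr + rec(1, "10.0.0.5", "192.168.1.10", 40000, 80, 6) \
               + rec(2, "10.0.0.7", "192.168.1.10", 1234, 53, 17)


def build_sample_log_spool() -> bytes:
    """Constructed log spool: file header plus one record with packet bytes appended."""
    hdr = struct.pack(LOG_FILE_HDR_FMT, LOG_MAGIC, 1, 2, 0, 0, 1514, 1)  # linktype 1 = Ethernet
    ev = (1, 1000001, 1, 0, 2, 1, 1, 1060100000, 0)
    rec = struct.pack(LOG_REC_FMT, *ev, 0, 1060100000, 0, len(SAMPLE_PACKET), len(SAMPLE_PACKET))
    return hdr + rec + SAMPLE_PACKET


if __name__ == "__main__":
    for r in parse_spool(build_sample_alert_spool()) + parse_spool(build_sample_log_spool()):
        print(type(r).__name__, "sid", r.event.sig_id, "packet bytes:",
              None if r.packet is None else len(r.packet))
```

The truncated-record check matters in practice: barnyard tails a spool that snort is still appending to, so a reader must stop at the last complete record (and remember its offset, as barnyard's waldo file does) rather than treat a partial write as corruption.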


