Re: Barnyard's explained

[Dirk Geschke <Dirk_Geschke () genua de>]

Hi Jason,

> Obviously it would be best to have Snort dump to disk (unified format), and
> to rsync that data at (say) ten-minute intervals to a SEPARATE box, which
> has barnyard to dump the data into a SQL DB. That way there's nothing by I/O
> and network traffic involved in generating the data - all the CPU is
> available for "pure" sniffing.

maybe you should take a look at FLoP: http://www.geschke-online.de/FLoP/
This project does something similar, all output is written to a unix socket
where another process reads this data and simply forwards it to a central
server running a further process which feeds the database.

The INSERTs on the central server are done via an unix domain socket and
not via TCP so it should be by far faster. (And at least you don't even
need a hard disk on your sensor...)

Best regards

Dirk



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users