Snort mailing list archives

More questions on Snort/barnyard


From: "sudhakar govindavajhala" <sudhakarg79spam () gmail com>
Date: Wed, 30 Jan 2008 23:37:48 -0500

Hi all,

Thanks for your help. I have a few more questions about barnyard and Snort.


0) Snort box will face the Internet. 400 Megabit connection. How many
alerts can I expect? I want to estimate the disk requirements etc.


1) Is there any obvious mistake with this command line:
[root@localhost snort]# barnyard -c /etc/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d /var/log/snort -f snort.log

2) Why do I get this error? How can I shut this off? Is this warning a
problem?
WARNING: Unable to extract timestamp file extension from 'snort.log'

3) What is a good size to set for files below?

# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

What happens when the file size (128) is reached? Does Snort die or restart?


4) I briefly looked at implementation of barnyard. I may be wrong here. How
does barnyard poll the directory? Is it busy-looping?

5) What is the difference between alert and log? I am thinking alert is the
human readable version. What is the difference between snort.log and
snort.log.timestamp?

5) Should I pass "alert" to barnyard?


6) output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

I see the file snort.log. Why is snort.alert missing?

[root@localhost snort]# ls -l
total 464
-rw------- 1 root snort  14214 Jan 30 14:33 alert
-rw-r--r-- 1 root root  380336 Jan 30 14:33 snort.log
-rw------- 1 root root    1186 Jan 30 13:57 snort.log.1201719126
-rw------- 1 root root    7410 Jan 30 14:01 snort.log.1201719513
-rw------- 1 root root   40834 Jan 30 14:33 snort.log.1201719677
[root@localhost snort]#


--Sudhakar
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
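An added example, not part of the original post or of Snort/barnyard: a small Python script that takes the `ls -l` listing quoted in question 6 and separates the time_t-suffixed spool files from the bare `snort.log` and `alert`, then turns the observed spool growth into a rough disk estimate against the 128 MB `limit` from question 3. The only naming assumption is the one the snort.conf comment in the post states, that the current time_t is appended to the base filename; the growth estimate additionally assumes each spool file was closed when the next one was opened, and the sample listing is copied from the post.

```python
import re
from datetime import datetime, timezone

# Sample input: the `ls -l` output quoted in the post (copied verbatim).
LISTING = """\
total 464
-rw------- 1 root snort  14214 Jan 30 14:33 alert
-rw-r--r-- 1 root root  380336 Jan 30 14:33 snort.log
-rw------- 1 root root    1186 Jan 30 13:57 snort.log.1201719126
-rw------- 1 root root    7410 Jan 30 14:01 snort.log.1201719513
-rw------- 1 root root   40834 Jan 30 14:33 snort.log.1201719677
"""

# Spool file naming assumed from the snort.conf comment in the post:
# "filename - base filename to write to (current time_t is appended)".
SPOOL_RE = re.compile(r"^(?P<base>.+)\.(?P<epoch>\d{9,10})$")


def parse_ls(listing):
    """Return (size, name) pairs from `ls -l` output, skipping the 'total' line."""
    entries = []
    for line in listing.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "total":
            continue
        entries.append((int(parts[4]), parts[8]))
    return entries


def classify_spool(listing, base="snort.log"):
    """Split a listing into time_t-suffixed spool files for `base` and everything else."""
    spool, other = [], []
    for size, name in parse_ls(listing):
        m = SPOOL_RE.match(name)
        if m and m.group("base") == base:
            epoch = int(m.group("epoch"))
            created = datetime.fromtimestamp(epoch, tz=timezone.utc)
            spool.append({"name": name, "size": size, "epoch": epoch,
                          "created_utc": created.strftime("%Y-%m-%dT%H:%M:%SZ")})
        else:
            # Names without a numeric time_t suffix, e.g. the bare "snort.log".
            other.append({"name": name, "size": size})
    spool.sort(key=lambda e: e["epoch"])
    return spool, other


def summarize(listing, base="snort.log", limit_mb=128):
    """Total spool bytes plus a rough growth rate and time-to-limit estimate."""
    spool, other = classify_spool(listing, base)
    total = sum(e["size"] for e in spool)
    summary = {"spool_files": len(spool), "spool_bytes": total,
               "unsuffixed": [e["name"] for e in other]}
    if len(spool) >= 2:
        # Growth = bytes in the closed spool files (all but the newest) divided by
        # the span between the first and last rotation. Assumption: each file was
        # closed when the next one was opened.
        span = spool[-1]["epoch"] - spool[0]["epoch"]
        closed_bytes = sum(e["size"] for e in spool[:-1])
        rate = closed_bytes / span
        summary["bytes_per_sec"] = round(rate, 2)
        summary["hours_to_limit"] = round(limit_mb * 1024 * 1024 / rate / 3600, 1)
    return summary


if __name__ == "__main__":
    spool, _ = classify_spool(LISTING)
    for e in spool:
        print(f"{e['name']:<24} created {e['created_utc']}  {e['size']:>8} bytes")
    print(summarize(LISTING))
```

The numbers this produces from the post's listing are illustrative only: the three spool files are a few kilobytes each, so the observed rate says more about a freshly started sensor than about a 400 Mbit link under load. Run the same summary against a spool directory after a day of normal traffic to size the disk, and keep the unsuffixed list in view, since it is exactly the bare `snort.log` name that barnyard's warning in question 2 complains about.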