Snort mailing list archives

Re: Running snort and barnyard with 3 sniffing interfaces


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 30 Apr 2010 01:06:17 -0400

You should have a separate folder for each barnyard. 

--
Sent from my iPad
AIM: eslerjoel

On Apr 30, 2010, at 12:29 AM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

I think barnyard only chooses the first file it sees that matches its 
criteria, and since you have multiple in that folder it will only pick 
the first one and follow it. This would hold true if all the alerts you 
are getting are only from your snort1 instance?  Do you really have 
three separate copies of the same binary as well?  I would create 
logging subdirectories for each instance of snort and point each 
instance of barnyard2 to those subdirectories and see if that takes care 
of it.

/var/log/snort/1/
/var/log/snort/2/
/var/log/snort/3/

-- Eoin

On 4/30/2010 12:10 AM, ccie 6862 wrote:
I need a sanity check here, as I'm having a little problem with barnyard. I have a CentOS 5 system with the most 
recent version of snort and barnyard. The system has 4 interfaces: one is the management interface while the other 3 
are the sniffing interfaces with no IP and SPANed on a Cisco switch on 3 different VLANs. Snort on each of the 
different sniffing interfaces has a different start up script and consequently generates different snort.alert and 
snort.log files. This all seems to be working correctly.

When I set up barnyard, I've done something similar: there are three different instances of barnyard, one for each 
log pair, and consequently each runs with a different waldo, pid file, and configuration. They all have "-d 
/var/log/snort -f snort.log" configured.

Here's the problem. I get a fair amount of hits on the public snort sniffing interface; however, barnyard doesn't 
add anything to the dump.log file. The other instances of barnyard for the other interfaces appear to dump info into 
the dump.log file.

This may be of interest, but does anyone see anything I've done wrong?

root      9536 18.8  3.6 226044 145480 ?       Ss   22:44   4:49 /usr/local/bin/snort1 -i eth1 -I -c /etc/snort/snort1.conf -D
root      9557  0.0  0.1  49524  4468 pts/1    S    22:44   0:00 /usr/local/bin/barnyard1 -c /etc/snort/barnyard1.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard1.waldo -D -X /var/run/barnyard1.pid
root      9576  0.2  2.2 177744 90368 ?        Ss   22:44   0:03 /usr/local/bin/snort2 -i eth2 -I -c /etc/snort/snort2.conf -D
root      9599  0.0  0.1  49524  4468 pts/1    S    22:45   0:00 /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D -X /var/run/barnyard2.pid
root      9619  0.2  2.2 177740 90360 ?        Ss   22:45   0:03 /usr/local/bin/snort3 -i eth3 -I -c /etc/snort/snort3.conf -D
root      9640  0.0  0.1  49524  4468 pts/1    S    22:46   0:00 /usr/local/bin/barnyard3 -c /etc/snort/barnyard3.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard3.waldo -D -X /var/run/barnyard3.pid


Thank you.






------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
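The advice in the thread (one log directory per sensor, each barnyard pointed at its own) turned into a runnable illustration of the collision and the fix. This is an added example, not code from the thread or from the Snort or Barnyard2 projects. It assumes barnyard2's spooling behaviour as commonly described: unified2 files named <base>.<unix-timestamp> in the -d directory are walked in timestamp order, and the position is kept in the -w waldo file. The scratch directory, the timestamps, and the single snort and barnyard2 binaries (the thread uses per-instance copies) are constructed for the demo; the -g/-s map options from the thread are left out of the generated command lines for brevity.

```shell
#!/bin/sh
# Added example (not from the thread): why three barnyard2 instances sharing
# "-d /var/log/snort -f snort.log" collide, and the per-instance layout that fixes it.
# Assumption: barnyard2 considers files named <base>.<unix-timestamp> in the -d
# directory, walks them in timestamp order, and records its place in the -w waldo.

ROOT="${ROOT:-$(mktemp -d)}"   # scratch stand-in for /var/log/snort (constructed)

# spool_candidates DIR BASE
# List, in timestamp order, the spool files a barnyard2 started with
# "-d DIR -f BASE" would consider. BASE.<digits> is the unified2 naming pattern.
spool_candidates() {
    dir="$1"; base="$2"
    for f in "$dir/$base".[0-9]*; do
        [ -e "$f" ] || continue          # no match: the glob comes back literally
        printf '%s\n' "${f##*/}"
    done | sort -t. -k3,3n
}

# count_candidates DIR BASE: how many spool files that instance would walk.
count_candidates() {
    spool_candidates "$1" "$2" | wc -l | tr -d ' '
}

# The original layout: all three snort instances write snort.log.<ts> into one
# directory, so every barnyard2 with "-f snort.log" sees all three files.
# Timestamps are constructed, not taken from a real sensor.
make_shared_layout() {
    mkdir -p "$ROOT/shared"
    : > "$ROOT/shared/snort.log.1272600240"   # snort1 (eth1)
    : > "$ROOT/shared/snort.log.1272600255"   # snort2 (eth2)
    : > "$ROOT/shared/snort.log.1272600310"   # snort3 (eth3)
}

# The fix: one subdirectory per sensor (/var/log/snort/1, /2, /3 in the thread),
# so each barnyard2 walks exactly its own sensor's spool and its own waldo.
make_split_layout() {
    n=1
    for ts in 1272600240 1272600255 1272600310; do
        mkdir -p "$ROOT/$n"
        : > "$ROOT/$n/snort.log.$ts"
        n=$((n + 1))
    done
}

# instance_commands N IFACE: the corrected command pair for sensor N.
# snort's -l sets its log directory; barnyard2's -d/-f/-w/-X are the flags used
# in the thread. Binary and config paths are assumptions for the demo.
instance_commands() {
    n="$1"; iface="$2"; dir="/var/log/snort/$n"
    printf 'snort -i %s -I -c /etc/snort/snort%s.conf -l %s -D\n' "$iface" "$n" "$dir"
    printf 'barnyard2 -c /etc/snort/barnyard%s.conf -d %s -f snort.log -w %s/barnyard.waldo -X /var/run/barnyard%s.pid -D\n' \
        "$n" "$dir" "$dir" "$n"
}

make_shared_layout
make_split_layout
echo "shared dir: each barnyard2 would walk $(count_candidates "$ROOT/shared" snort.log) spool files"
for n in 1 2 3; do
    echo "sensor $n dir: walks $(count_candidates "$ROOT/$n" snort.log) spool file(s)"
done
instance_commands 1 eth1
```

Run it as-is to see the counts (3 for the shared directory, 1 per sensor directory) and the corrected command pair for sensor 1; repeat instance_commands for eth2 and eth3. The point to take away is that with a shared directory and the same -f base name the three waldo files all describe positions in the same pool of spool files, so nothing ties barnyard1 to snort1's output; separate directories make that binding explicit.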





