Re: Multiple snorts & Barnyard2

[beenph <beenph () gmail com>]

On Thu, Jun 21, 2012 at 11:47 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all
>
> I was just wondering if I was missing any tricks here
> - - and interesting if anyone is doing things differently.
>
> I'm spawning multiple Snort processes - with a different
> - -l to write unified2 output into seperate directories.
>
> As a result I'm running multiple Barnyard2 processes, each reading the
> directories in continuous mode - and writing to DB and Syslog.
>
> Is this the optimal way of doing things, or am I missing a crafty
> command-line option somewhere?

It is currently the best way to handle things.

I personally think its a good way to be able to manage instances
separatly even if barnyard2 is not involved in the process, for
signature, configuration, etc...

Logging unified2 file of multiple snort  process in a single directory
even if you would have different prefix could
lead to  potential error when trying to manually manipilate the files
for example.

-elz



> - --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP40InAAoJELhVoVpEMS6RwSkIAKKZY5r4XkpBOqjJwdZMxIzM
> 8vXLfYae1vJ9JTmo+bstjDHR/ls9BScwoQAqthmFzwwkqWCn4kHgp2eFlWukQsCL
> /EuBMIjUItOlz3JpfCnmQqiALFPfNDS90TxUPufTKoi1SpGr+p3Bkw4At37Z3U6M
> v8wWsU7dImlScSfObBN5DqeAB44S6DiLN1I5nFoJ2i9JJcFmOZPuPBeY9wrW6gqb
> cIsAg6sgwYkhnnY/txaADucncrlhZdWPy3iy5oPSbopJfOpjCuw1TPLYc+j35NQN
> eB15mWemzZ8MtUAh9iN/posQIxgcbOI+bDjpPnvysSHCb7klNsw/1N/17OiIJJs=
> =lcX5
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!