Re: Barnyard and multiple snort processes

[James Lay <jlay () slave-tothe-box net>]

On 2012-11-09 16:17, Greg Williams wrote:
> After I reconfigured the server earlier this week I noticed that I
> should have way more alerts than I was getting within the alert file.
> Here is my configuration in Barnyard -
>
> output alert_fast: /var/log/snort/alert
>
> output database: log, mysql, user=snort password=xxxxxxx dbname=snort
> host=localhost
>
> I'm only getting alerts for 1 snort process. I know this because when
> I stop the 4 snort processes and look at the alerts only the last one
> matches up with the amount of alerts I see in my database and the
> alert log.
>
> Do I need to make multiple barnyard processes as well? This is for 
> the
> last 5 minutes of testing:
>
> snort[10470]: Alerts: 41 ( 0.001%)
>
> snort[10475]: Alerts: 59 ( 0.001%)
>
> snort[10479]: Alerts: 66 ( 0.001%)
>
> snort[10481]: Alerts: 62 ( 0.001%)
>
> Alert output: only 62
>
> 10614 ? 00:00:17 snort
>
> 10620 ? 00:00:10 snort
>
> 10624 ? 00:00:09 snort
>
> 10626 ? 00:00:00 snort
>
> 10483 ? 00:00:00 barnyard2

Indeed....each snort instance must have it's own barnyard instance.

James



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!