Snort mailing list archives
Re: Barnyard and multiple snort processes
From: Doug Burks <doug.burks () gmail com>
Date: Sat, 10 Nov 2012 05:58:27 -0500
Hi Greg,

Yes, you will need a barnyard2 process for each instance of snort. You might want to take a look at our scripts in Security Onion 12.04 Beta. You set your desired number of processes and the scripts then automatically spin up that many snort instances in a pfring-cluster and a barnyard2 process for each of them:
http://code.google.com/p/security-onion/wiki/Beta

Thanks,
Doug

On Fri, Nov 9, 2012 at 6:17 PM, Greg Williams <gwillia5 () uccs edu> wrote:
After I reconfigured the server earlier this week I noticed that I should have way more alerts than I was getting within the alert file. Here is my configuration in Barnyard –

output alert_fast: /var/log/snort/alert
output database: log, mysql, user=snort password=xxxxxxx dbname=snort host=localhost

I’m only getting alerts for 1 snort process. I know this because when I stop the 4 snort processes and look at the alerts only the last one matches up with the amount of alerts I see in my database and the alert log.

Do I need to make multiple barnyard processes as well? This is for the last 5 minutes of testing:

snort[10470]: Alerts: 41 ( 0.001%)
snort[10475]: Alerts: 59 ( 0.001%)
snort[10479]: Alerts: 66 ( 0.001%)
snort[10481]: Alerts: 62 ( 0.001%)

Alert output: only 62

10614 ? 00:00:17 snort
10620 ? 00:00:10 snort
10624 ? 00:00:09 snort
10626 ? 00:00:00 snort
10483 ? 00:00:00 barnyard2

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Doug Burks
http://securityonion.blogspot.com
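A quick check for the condition discussed in this thread, given as an added example that is not part of the original messages and is not taken from the Security Onion scripts: it counts snort and barnyard2 processes in a `ps -e` style listing and compares the alerts snort reported with the number that reached the output. The function names are hypothetical; the sample data is copied from the quoted message.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; sample data is the process
# listing and per-process alert counts copied from the quoted message.

PS_SAMPLE='10614 ? 00:00:17 snort
10620 ? 00:00:10 snort
10624 ? 00:00:09 snort
10626 ? 00:00:00 snort
10483 ? 00:00:00 barnyard2'

STATS_SAMPLE='snort[10470]: Alerts: 41 ( 0.001%)
snort[10475]: Alerts: 59 ( 0.001%)
snort[10479]: Alerts: 66 ( 0.001%)
snort[10481]: Alerts: 62 ( 0.001%)'

# count_procs NAME: count lines on stdin whose last field (the command) is NAME.
count_procs() {
    awk -v name="$1" '$NF == name { n++ } END { print n + 0 }'
}

# total_alerts: sum the number following "Alerts:" on each stdin line, so the
# lines may carry a syslog timestamp/host prefix or none at all.
total_alerts() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "Alerts:") sum += $(i + 1) }
         END { print sum + 0 }'
}

# check_coverage PS_TEXT STATS_TEXT RECORDED
# Prints a one-line summary. Returns non-zero when snort instances outnumber
# barnyard2 readers or when fewer alerts were recorded than snort generated.
check_coverage() {
    local sensors readers generated missing
    sensors=$(printf '%s\n' "$1" | count_procs snort)
    readers=$(printf '%s\n' "$1" | count_procs barnyard2)
    generated=$(printf '%s\n' "$2" | total_alerts)
    missing=$(( generated - $3 ))
    printf 'snort=%d barnyard2=%d generated=%d recorded=%d missing=%d\n' \
        "$sensors" "$readers" "$generated" "$3" "$missing"
    [ "$sensors" -le "$readers" ] && [ "$missing" -le 0 ]
}

# 62 is the "Alert output: only 62" figure from the message.
check_coverage "$PS_SAMPLE" "$STATS_SAMPLE" 62 ||
    echo "WARNING: not every snort instance has a barnyard2 reader"
```

On a live sensor, pass `"$(ps -e)"` as the first argument in place of the sample listing.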