Snort mailing list archives

Re: Snortsam patch for 2.9.3.1


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Mon, 19 Nov 2012 13:14:12 -0600

The idea behind by2 is to offload the processing of data from snort.  Snort 
writes binary files to the hard drive and then by2 processes those for 
whatever output format you want to use.  With networks routinely using 10GB 
pipes now, a sniffer app doesn't need to be doing extra work.  It's 
burdened enough just keeping up with the traffic flows.

by2 can parse unified2 files, so both snort and sagan files can be read by 
by2.

--On November 19, 2012 12:50:51 PM -0500 waldo kitty 
<wkitty42 () windstream net> wrote:

On 11/19/2012 12:34, Joel Esler wrote:
All output methods are available there.  Leaving Snort to do its job as
an IDS.

i love bikinis! they're short and to the point ;) OB-) [/DOM]


but seriously... other than analysis of the alert file and possibly
looking at the packets saved in the snort.log.xxxxxxxxxx files, what
benefits are there for these small systems?

you still need some kind of "front end" right?

can barnyard2 be added without losing or changing what is already
available in the existing alert and snort.log.xxxxxxxxxx files?
hopefully the answer is "yes" so that existing practice can still be
used while BY2 is being incorporated and learned (based on the real
benefits it may offer)...


Sent from my iPhone

On Nov 19, 2012, at 12:28 PM, waldo kitty<wkitty42 () windstream net>
wrote:

On 11/19/2012 02:27, Robert Z wrote:
Yes, everyone should use barnyard2 when possible.

besides shoveling the snort alerts off to a database, what other
benefits does barnyard2 offer? especially for those small sites that do
not want or need a database...






-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
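To make concrete what Paul describes (Snort writes a binary unified2 spool, a separate process reads it and renders whatever output format is wanted), here is a minimal unified2 reader. It is an added example for this archive page, not code from the thread, from Snort or from barnyard2. It decodes only the legacy record types 2 (UNIFIED2_PACKET) and 7 (UNIFIED2_IDS_EVENT) from the Snort unified2 specification; the IPv6 and VLAN variants are reported as unhandled rather than decoded. The sample spool bytes are constructed in the script, and the trailing truncated record mimics a file that Snort is still appending to, which an offline reader has to stop at cleanly instead of crashing.

```python
import struct
import sys
from collections import namedtuple

# Record types from Snort's unified2 spec (sfunified2 headers).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RecordHeader = struct.Struct("!II")      # type, length (network byte order)
IdsEventV1 = struct.Struct("!11I2H4B")   # 52-byte Unified2IDSEvent (IPv4, no VLAN)
PacketHeader = struct.Struct("!7I")      # 28-byte header preceding the packet bytes

Event = namedtuple("Event", "sensor_id event_id event_second event_microsecond "
                   "signature_id generator_id signature_revision classification_id "
                   "priority_id ip_source ip_destination sport_itype dport_icode "
                   "protocol impact_flag impact blocked")
Packet = namedtuple("Packet", "sensor_id event_id event_second packet_second "
                   "packet_microsecond linktype packet_length data")


def iter_records(buf):
    """Yield (type, payload) for each complete record in buf.

    Stops at a truncated tail instead of raising: Snort may still be writing
    the spool file, so a partial record at the end is normal, not corruption.
    """
    off = 0
    while off + RecordHeader.size <= len(buf):
        rtype, rlen = RecordHeader.unpack_from(buf, off)
        off += RecordHeader.size
        if off + rlen > len(buf):
            break
        yield rtype, buf[off:off + rlen]
        off += rlen


def parse_event(payload):
    return Event(*IdsEventV1.unpack_from(payload))


def parse_packet(payload):
    fields = PacketHeader.unpack_from(payload)
    data = payload[PacketHeader.size:PacketHeader.size + fields[6]]
    return Packet(*fields, data)


def ip_str(n):
    return "%d.%d.%d.%d" % ((n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255)


def summarize(buf):
    """Render one text line per record, i.e. a toy 'alert output' plugin."""
    lines = []
    for rtype, payload in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT:
            e = parse_event(payload)
            lines.append("[%d:%d:%d] %s:%d -> %s:%d proto=%d prio=%d" % (
                e.generator_id, e.signature_id, e.signature_revision,
                ip_str(e.ip_source), e.sport_itype,
                ip_str(e.ip_destination), e.dport_icode,
                e.protocol, e.priority_id))
        elif rtype == UNIFIED2_PACKET:
            p = parse_packet(payload)
            lines.append("packet event_id=%d linktype=%d len=%d"
                         % (p.event_id, p.linktype, len(p.data)))
        else:
            lines.append("unhandled record type %d (%d bytes)" % (rtype, len(payload)))
    return lines


def build_sample():
    """Constructed spool: one IDS event, its packet record, then a cut-off record."""
    ev = IdsEventV1.pack(1, 42, 1353349000, 0,          # sensor, event id, time
                         1000001, 1, 1, 3, 2,           # sid, gid, rev, class, prio
                         0xC0A80105, 0x0A000001,        # 192.168.1.5 -> 10.0.0.1
                         51515, 80, 6, 0, 0, 0)         # ports, TCP, flags
    pkt_data = b"\x00" * 14 + b"\x45" + b"\x00" * 19    # constructed placeholder bytes
    pk = PacketHeader.pack(1, 42, 1353349000, 1353349000, 12345, 1, len(pkt_data)) + pkt_data
    truncated = RecordHeader.pack(UNIFIED2_IDS_EVENT, IdsEventV1.size) + b"\x00\x00"
    return (RecordHeader.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev +
            RecordHeader.pack(UNIFIED2_PACKET, len(pk)) + pk +
            truncated)


if __name__ == "__main__":
    # With a path argument, read a real spool file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in summarize(data):
        print(line)
```

Run it without arguments to see the two decoded records from the constructed sample; pass a spool path (for example the merged.log.* file Snort's unified2 output writes) to walk a real file. The point of the structure is the one Paul makes: the sniffer only appends fixed-layout records, and all the formatting, lookups and database work happen in this separate process.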


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

