Re: Barnyard2 alternatives?

[Doug Burks <doug.burks () gmail com>]

Hi Richard,

Yes, we've also experienced performance issues when running multiple
barnyard2 instances connecting to the same database with the database
output plugin.  However, the barnyard2 output plugins for Sguil and
syslog seem to work well for us.  Have you considered replacing Snorby
with Sguil/Squert or some standard log collector like ELSA?

On Tue, Aug 4, 2015 at 8:25 AM, Richard Monk <rmonk () redhat com> wrote:
> Hi folks!
>
> TL;DR: Barnyard2 takes forever to start and I have a hundred instances that need
> to start on a system.  Pigsty doesn't work, are there alternates?
>
> I took a look through the mailing list archive and have been doing some Google
> searches, and so far I've come up empty with a solution to my problem.  I
> apologize if this has been asked before.
>
> Currently, we have a sensornet that uses snort + barnyard2 + snorby for
> monitoring, but we started having issues if a large number of alerts came
> through on the geodistant sensors (sometimes we could get 1 alert/second or less
> at maximum speed, going clear around the world).  We would also get some strange
> sync issues with barnyard2, when barnyard2 needed to restart sometimes the
> sensor table would be locked when another barnyard is checking, and it would fail.
>
> I fixed this by moving the barnyard2 instances local to the database and using
> inotify + rsync to push the unified files to a central server, then running
> multiple barnyard2 locally.  This works really well both for alerting and alert
> archiving, but we have a new issue and I wanted your take on it.
>
> - Barnyard2 takes awhile to start due to caching.  Restarting all the instances
> (16) right now takes 20+ minutes, even with only one barnyard updating the
> sig_reference table and the others not.
>
> - We are switching to multiprocess snort to handle our 1+ Gbps links, and so now
> I'm looking at 50-60 barnyards running, expanding to 150+ in a year or so.
>
> I took a look at pigsty, but it hasn't been touched in a few years and I got a
> lot of crashes when reading our historical unified files (making me think it's
> going to fail then, too)
>
> I'm wondering if someone else has had this issue, and if they have a solution?
> My thoughts on a new service would:
>
> - Allow for processing multiple directories/sensors in a single process (maybe
> one thread per sensor internally)
>
> - Check and refresh the sid-msg.map when it changes so you don't have to restart
> it on rule changes
>
> If you know of something that works but doesn't write to the snort DB schema,
> I'm OK with that as we have some internal tools that we are using that are
> slowly replacing Snorby.  Is there a patchset to barnyard2 maybe that does
> multiple sensors at once, or improves startup time?
>
> --
> Richard Monk (rmonk () redhat com) - Security Analyst
> Red Hat, Raleigh NC
> GPG Key ID: 0x942CDB25
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!