Re: [Snort-users] Barnyard2 and multiple sensors

From: Russell Fulton (r.fultonauckland.ac.nz)
Date: Thu Oct 28 2010 - 22:39:55 CDT


On 21/10/2010, at 5:18 PM, Joel Esler wrote:

> Run two instances of Barnyard as well.
>

OK, reworked all my scripts to handle multiple instances of barnyard but I have just realised that I can't find any way of telling barnyard2 which sid to use. Nor does it allow a filter option as barnyard (acid output plugin) did.

So if you are splitting traffic on a single interface between two snort instances, how do we configure barnyard2 so that it does not trip over itself with respect to sids?

I have poked through the source and played with putting the filters on the command line but am really none the wiser -- anything I put on the command line seems to be ignored completely.

From the source I think barnyard is supposed to take a filter on the command line and use it to select sid but it still writes the pid file as barnyard2_<int>.pid so this will fail ???

Russell (the confused! -- so what is new:)

> Joel
>
> On Oct 20, 2010, at 11:40 PM, Russell Fulton wrote:
>
>> Hi Folks
>>
>> I am at the point where I need to have more than one snort instance running on a given sensor so we can take advantage of multiple CPUs and thus I will be producing multiple unified2 files on a sensor. Logically there is still just one sensor -- can barnyard2 merge input from more than one input file? I've googled and rtfm'ed and could not find anything that suggested that this is possible. I hope I missed something :)
>
> --
> Joel Esler
> 302-223-5974
>
