[Snort-devel] Re: [Snort-users] Distributed Snort

Frank Knobbe fknobbe at ...337...
Fri Nov 15 14:01:08 EST 2002

On Thu, 2002-11-14 at 13:54, Matthew Callaway wrote:
> I just thought I'd throw in my two cents on this issue.  Here's an idea
> that skips all the new development work you're talking about.
> In your "distributed snort" environment, have each sensor log packets to
> unified format log files.  Have these log files encrypted by the
> log-rotation process (via gpg) and mailed to your central server.
> Receive the log files, decrypt them, then run barnyard on your spooled
> log files to feed the database.
> Each component of this process already exists in some form (snort,
> unified logs, gpg, mail, barnyard, mysql, etc).  The only extra work is
> knitting it all together.  Having data mailed takes care of sporadic
> network conditions (mail servers spool data).  Barnyard already does the
> work of feeding the DB, and serializing the process keeps a lid on
> scalability.


To me that concept sounds a bit cumbersome, with too many things to go
wrong (script stopped, etc). I prefer to have the sensors report the
data into a central location in real-time (with the exception of a network
outage, in which case the sensors queue it up in Barnyard).

Barnyard seems a bit under-developed to me. Compare the output plugins of
Snort to those of Barnyard. I'll never understand why Barnyard wasn't
reusing the code of the output plugins of Snort. Certainly the internal
structs and calls could have been written in a compatible form so that
no one has to reinvent/recode the wheel...err... output plugins. Maybe
even stick the src of Barnyard (minus the dp_xxx files) into a sub
folder in the Snort tree with its own makefile that builds Barnyard
right out of the Snort source.

Anyhow, since there is apparently no interest in such an input plugin
from others, I'll just hack that into my version.
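The sensor-side half of the gpg-and-mail pipeline sketched in the quoted message, written out as an added example (not code from the thread or from the Snort/Barnyard projects). It assumes Snort's unified plugins write `snort.log.<ts>` and `snort.alert.<ts>` into one directory and that the newest file of each kind is the one Snort still has open, so it is left alone; the recipient key, mail address and shipped directory are placeholders.

```sh
#!/bin/sh
# Ship rotated Snort unified logs to a collector: sign and encrypt each
# file with gpg, hand it to sendmail, then park the plaintext copy.
# Assumption (not from the thread): files are named snort.log.<ts> and
# snort.alert.<ts>; the lexically newest of each kind is still being
# written by Snort and must not be shipped or moved.
set -eu

# ship_unified_logs LOGDIR RECIPIENT MAILTO SHIPPEDDIR
# Prints the basename of every file shipped, one per line.
ship_unified_logs() {
    logdir=$1 recipient=$2 mailto=$3 shipped=$4
    mkdir -p "$shipped"
    for kind in snort.log snort.alert; do
        # Newest file of this kind is Snort's open file: skip it.
        newest=$(ls -1 "$logdir"/"$kind".* 2>/dev/null | sort | tail -n 1)
        for f in "$logdir"/"$kind".*; do
            [ -f "$f" ] || continue
            [ "$f" = "$newest" ] && continue
            name=$(basename "$f")
            # Sign so the collector can reject forged or tampered uploads;
            # encrypt so no mail spool on the path holds plaintext packets.
            gpg --batch --yes --armor --sign --encrypt -r "$recipient" < "$f" |
              { printf 'To: %s\nSubject: unified %s %s\n\n' \
                    "$mailto" "$(hostname)" "$name"; cat; } |
              sendmail -t
            # Keep the plaintext locally until the collector confirms
            # receipt; a cron job can expire $shipped later.
            mv "$f" "$shipped/$name"
            echo "$name"
        done
    done
}
```

Run it from the same cron entry that rotates Snort's logs (e.g. right after the HUP), so each pass only ever sees closed files plus the one open one.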


