[Snort-devel] More questions on Snort/barnyard

sudhakar govindavajhala sudhakarg79spam at ...2499...
Wed Jan 30 23:46:17 EST 2008


One last question for the night.

Can anyone give me a /etc/rc.d/init.d/barnyard script that I could use for
barnyard?

Sudhakar



On 1/30/08, sudhakar govindavajhala <sudhakarg79spam at ...2499...> wrote:
>
>
>
> Hi all,
>
>
>
> Thanks for your help. I have a few more questions about barnyard and
> Snort.
>
>
> 0) The Snort box will face the Internet on a 400 Megabit connection. How many
> alerts can I expect? I want to estimate the disk requirements etc.
>
>
> 1) Is there any obvious mistake with this command line:
> [root at ...196... snort]# barnyard -c /etc/barnyard.conf  -s /etc/snort/sid-
> msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d
> /var/log/snort -f snort.log
>
>
>
> 2) Why do I get this error?  How can I shut this off?  Is this warning a
> problem?
> WARNING: Unable to extract timestamp file extension from 'snort.log'
>
>
>
> 3) What is a good size to set for files below?
>
> # Two arguments are supported.
> #    filename - base filename to write to (current time_t is appended)
> #    limit    - maximum size of spool file in MB (default: 128)
> #
>  output alert_unified: filename snort.alert, limit 128
>  output log_unified: filename snort.log, limit 128
>
> What happens when the file size (128) is reached? Does Snort die or
> restart?
>
>
> 4) I briefly looked at implementation of barnyard. I may be wrong here.
> How does barnyard poll the directory? Is it busy-looping?
>
> 5) What is the difference between alert and log?  I am thinking alert is
> the human readable version.  What is the difference between snort.log and
> snort.log.timestamp?
>
> 5) Should I pass "alert" to barnyard?
>
>
> 6) output alert_unified: filename snort.alert, limit 128
>  output log_unified: filename snort.log, limit 128
>
> I see the file snort.log.   Why is snort.alert missing?
>
> [root at ...196... snort]# ls -l
> total 464
> -rw------- 1 root snort  14214 Jan 30 14:33 alert
> -rw-r--r-- 1 root root  380336 Jan 30 14:33 snort.log
> -rw------- 1 root root    1186 Jan 30 13:57 snort.log.1201719126
> -rw------- 1 root root    7410 Jan 30 14:01 snort.log.1201719513
> -rw------- 1 root root   40834 Jan 30 14:33 snort.log.1201719677
> [root at ...196... snort]#
>
>
> --Sudhakar
>