[Snort-users] Data Collection Help

Andrew R. Baker andrewb at ...950...
Wed Nov 21 13:49:03 EST 2001

Lance Spitzner wrote:
> The Honeynet Project is beginning to collect data from various
> distributed Honeynets.  One of our primary weapons for data capture
> is Snort.  Question, what are some of the best practices for
> data collection for distributed Snort sensors?  We are currently
> doing the following, any additional ideas GREATLY appreciated.
>  - MySQL backend for Snort alerts, ACID interface
>  - Daily copy of Snort binary log files
> If you have any more recommendations on what Snort data should
> be collected, in what format, or how it can be organized, that
> would be greatly appreciated.  For example, are there any options
> besides ACID?


you may want to consider using the unified logging output option instead
of the standard logging method.  In addition to storing the raw packets,
it will also give you access to all of the alerting and session tagging
information generated from the detection engine.  The unified output
plugin allows you to specify a maximum size of the file created and
appends the time that the file was created to the filename.  The
log_pcap plugin is very stable and will allow you produce files
identical to the Snort binary log files that you are using now.  Also,
if you need a custom output plugin from barnyard, we should be able to
accomodate you.  One piece of software that is being considered is a
barnyard net spooler, this would be a client/server pair that would
allow barnyard files to be spooled over the network to a central
server.  The details of how this would be implemented are still being
worked on.


More information about the Snort-users mailing list