[Snort-users] barnyard to db

Chris Green cmg at ...671...
Thu Oct 4 09:17:02 EDT 2001


"Frank Reid" <fcreid at ...691...> writes:

> I'm confused on barnyard.  From mailing list discussion and docs, I
> presume it rolls up the Snort binary output and performs the database
> insertions directly (rather than having Snort insert "real-time" into
> the database via the output preprocessor).  

Right.  It means the postprocessing of the alert is separated from the
alert itself.

> If that's correct, then is it of most value if Snort and the
> database live on the same box?  

No. 

> In a distributed Snort sensor environment, one would have to
> "collect" the Snort output by some other means, then have barnyard
> read it into the database?

Right, or write a barnyard plugin that sends the files over the
network. Think of snort + barnyard as "portable threads".

Snort does the logging.  Barnyard sends the alerts that one can then
process in whatever way they please while handling bursty traffic.
-- 
Chris Green <cmg at ...671...>
You now have 14 minutes to reach minimum safe distance.
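Added illustration of the decoupling described in this thread (not code from the original post, from Snort or from Barnyard): the sensor side appends alerts to a spool file with no database in the loop, and a separate collector drains the spool into a database, persisting a bookmark after each commit so that a database outage mid-drain resumes from the last committed record. The length-prefixed JSON record format, the file names and the `alerts` table are constructed for the example and are not Snort's unified format.

```python
import contextlib, json, os, sqlite3, struct, tempfile
# Constructed spool format (not Snort's real unified format): 4-byte BE length + JSON body.
def spool_append(path, record):
    body = json.dumps(record).encode()
    with open(path, "ab") as f:
        f.write(struct.pack(">I", len(body)) + body)

def spool_records(path, offset):
    # Yield (offset_after_record, record) for each complete record from offset on.
    with open(path, "rb") as f:
        f.seek(offset)
        while True:
            hdr = f.read(4)
            if len(hdr) < 4:
                return  # no full header yet: the sensor may still be writing
            (n,) = struct.unpack(">I", hdr)
            body = f.read(n)
            if len(body) < n:
                return  # partial record: wait for the writer to finish it
            offset += 4 + n
            yield offset, json.loads(body)

def read_bookmark(path):
    return int(open(path).read()) if os.path.exists(path) else 0

def drain_spool(spool, bookmark, db, fail_after=None):
    inserted = 0
    for next_off, rec in spool_records(spool, read_bookmark(bookmark)):
        if fail_after is not None and inserted >= fail_after:
            raise ConnectionError("simulated database outage")
        db.execute("INSERT INTO alerts(sid, msg, src, dst) VALUES (?,?,?,?)",
                   (rec["sid"], rec["msg"], rec["src"], rec["dst"]))
        db.commit()
        with open(bookmark, "w") as f:  # durable position: at-least-once delivery
            f.write(str(next_off))
        inserted += 1
    return inserted

def demo():
    d = tempfile.mkdtemp()
    spool, bookmark = os.path.join(d, "snort.spool"), os.path.join(d, "bookmark")
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alerts(sid INTEGER, msg TEXT, src TEXT, dst TEXT)")
    for i in range(5):  # sensor side: a burst of constructed alerts, no DB involved
        spool_append(spool, {"sid": 1000 + i, "msg": f"constructed alert {i}",
                             "src": f"10.0.0.{i}", "dst": "10.0.1.1"})
    with contextlib.suppress(ConnectionError):  # collector side: DB drops out after 2 rows
        drain_spool(spool, bookmark, db, fail_after=2)
    resumed = drain_spool(spool, bookmark, db)  # second pass resumes from the bookmark
    return resumed, db.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]
```

`demo()` returns `(3, 5)`: the second pass inserts only the three records the first pass never committed, and all five spooled alerts end up in the table.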