[Snort-users] Session data, alerts, and barnyard

Ed Quackenbush equackenbush at ...289...
Tue Jun 11 08:42:04 EDT 2002


Marty-

I found the answer after some subsequent searching in your initial
announcement for barnyard.  What I am looking for is the full packet log for
alerts, which from your description is not included in the unified alerts
output from snort.

My goal is to extract the maximum amount of information from snort outputs
without crippling the performance.  The xml output from snort seems to have
all the data I could want for both alerts and logs, but from colleagues who
attended Thursday's users group (which I'm very sorry I missed), there was a
performance concern for high traffic devices.  The binary unified output
seems to be the format to use for performance, for which I can use barnyard
for the decode as well.  So, are there any options for getting the full
packet log for alerts in the binary format that I may have missed, and if
not, is there potential to include it (or reasons not to)?

Also, I understand that there was mention of a time based rollover for log
output files Thursday evening.  I would like to suggest a signal approach as
well.  

Thanks,
Edward Quackenbush
equackenbush at ...289...
