[Snort-users] Barnyard's explained

Jason Haar Jason.Haar at ...294...
Wed Jul 21 02:36:08 EDT 2004

On Tue, Jul 20, 2004 at 07:33:22PM -0700, Tom Fulton wrote:
> Can someone explain what the benefit is of using Barnyard?
> I understand that the unified output plug in allows Snort to write alerts
> and logs into a single binary file which frees up processing from the
> detection engine (as apposed to writing to a flat file, etc) so that Snort
> runs faster overall.  However, Snort does that by itself.   I'm not clear on
> what value Barnyard adds to this.

What do you mean by "Snort does that by itself" then? 

Barnyard needs to be compared with getting Snort to output directly into a
SQL backend. The latter means Snort is constrained (blocked) when the alerts
are generating more data than the backend SQL database can handle. With
barnyard, snort "just dumps" the data straight to disk (much faster than
pushing into a SQL DB), and barnyard post-processes it into SQL out-of-band.

Obviously it would be best to have Snort dump to disk (unified format), and
to rsync that data at (say) ten-minute intervals to a SEPARATE box, which
has barnyard to dump the data into a SQL DB. That way there's nothing by I/O
and network traffic involved in generating the data - all the CPU is
available for "pure" sniffing.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list