[Snort-users] Barnyard's explained

Alejandro Flores alejandro.flores at ...11361...
Wed Jul 21 04:56:03 EDT 2004


	Hi,

	Logging to a binary file is pretty fast, and reduces the overhead in
snort. 
	Logging to a database directly from snort may cause some troubles.
Snort waits the output of the database plugin to continue the process.
If your database is heavy loaded, it may slow down snort. If your
database shuts down, snort will fall. 
	When using barnyard, if the database fails, barnyard will fail, but
snort will still logging.
	You can use barnyard for continuous processing where each alert
generated by snort in the unified log is processed immediately by
barnyard.
	You can use barnyard for post processing the logs where the unified log
will be processed by barnyard when you want.
	Wouldn't be nice to have a central database where you can store the
data of all your sensors? You just have to download the unified log of
each sensor and process each one with barnyard, using different
barnyard.conf for each sensor. And use ACID to analise and co-relate the
data.

Regards, 
Alejandro Flores

> Can someone explain what the benefit is of using Barnyard?
> 
> I understand that the unified output plug in allows Snort to write
> alerts and logs into a single binary file which frees up processing
> from the detection engine (as apposed to writing to a flat file, etc)
> so that Snort runs faster overall.  However, Snort does that by
> itself.   I'm not clear on what value Barnyard adds to this.
> 
> thanks
> 




More information about the Snort-users mailing list