[Snort-users] Running multiple Barnyards -"Say What :-0"
Jacob, Raymond A Jr
raymond.jacob at ...7622...
Fri Apr 8 16:41:20 EDT 2005
If I understand what you are saying, this blows my mind.
I had always assumed that one could only run one(1) snort process per NIC.
This presents a problem because some departments need more scrutiny than
others,for example: the Legal Department or the Public Relations Department
or Accounting Department. My guess is that in our installation that the database
is so busy handling inserts from the sensors and generating the metadata
from the alerts in acid tables that our performance suffers not to mention
the fact that all the tables are in one database.
Again, if I understand what you are saying then on the sensors
I could use BPF to create more than one sensor on one machine for example:
I could create snort sensors for the high visibility departments
while using the default snort sensor to catch all traffic for event correlation of
all alerts in the organization, in order to answer the question:
Is a script kiddie scanning all machines for an open port or is some one
carrying out recon on a particular machine.
Is my understanding correct?
The alerts from these [ficticious] departments [I made them up to demonstrate my point]
is small and often gets lost in the crush of alerts overall. Acid in my opinion
is not designed to maintain and search separate acid_event_caches for particular hosts, networks or events
in order for analysts or the system admins to analyze events. One side effect is that I could
deploy WINDOWs ACID boxes in departments for the sysadmins to report events that
might not raise alarm bells with me because I may not know what is going at that
low a level in the department but would with the system admin.
Is it imperative that you have Barnyard running on the Sensor to run more than one
snort process on one NIC or can one use database output
plugins in snort?
If my understanding is correct, then you have just rocked my world.
Please let me know.
------------ Original Message -------
Date: Wed, 06 Apr 2005 08:38:56 -0400
From: "Andrew R. Baker" <andrewb at ...950...>
To: Peter Barton <PBarton at ...13242...>
Cc: Snort-users at lists.sourceforge.net
Subject: Running multiple Barnyards (was Re: [Snort-users] Can Snort monitor
Peter Barton wrote:
> My question to everyone is, what if you use Barnyard to write to MySql
> and have Snort just write to binary files. I still have multiple
> instances of Snort running, but I can only seem to get one instance of
> Barnyard running. Is there a trick to this or am I just going about
> this the wrong way?
You should run multiple Barnyards if you are running multiple Snorts.
Are you using the -X option on the command line to specify different PID
files for each Barnyard process? I have succesfully run around a
hundred Barnyards on one system as part of testing.
More information about the Snort-users