[Snort-users] Quick Barnyard question...

Dirk Geschke dirk at ...10648...
Thu Aug 11 12:46:14 EDT 2005


Hi Jeff,

> Probably stoooopid question, but I can't hold back any longer:
> 
> I'm starting to look into barnyard (number of sensors is growing, need to centralize reporting, moving toward sguil as a goal...) but I haven't been able to find a good quick overview of what it does.  I know it accepts unified alert files and can feed databases for later analysis, but specifically:
> 
> * Is there a Barnyard "master" that sits on the database server, collecting alert files from all the sensors and loading into a database?

No, each snort-sensor runs barnyard which does its inserts in the
database via the network.

> * Is there a Barnyard "agent" that moves unified alerts from the sensor to the "master"?

The barnyard process on the snort machine reads the unified alerts
and stores them directly in the database.

> * Or does Barnyard just run on each sensor and writes back SQL to a common backend database server?

You got it.

If you are looking for something which works like your first two 
points: Take a look at FLoP

  http://www.geschke-online.de/FLoP/

Here one agent runs on every sensor and forwards the alerts to a central
master process which sits on the central database server. This process
does all the necessary inserts in the database via a unix socket. So
the database does not need to open a TCP socket at all. But it is
strongly recommended to use a separate network for the communication
between snort and the database server. This applies to both the
barnyard solution and FLoP.

Best regards

Dirk
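The agent/master arrangement the reply describes, as an added toy example in Python. This is not FLoP's or Barnyard's code: the newline-delimited JSON wire format, the field names, the table layout and the sample alerts are all assumptions made for illustration. sqlite3 stands in for a DBMS that the master reaches over a local unix socket, and loopback stands in for the separate sensor network.

```python
"""Toy model of the forwarding architecture the reply describes: one
agent per sensor ships alerts to a single master on the database host,
and only the master touches the database.  Added illustration, not
FLoP's or Barnyard's code: the newline-delimited JSON wire format, the
field names and the alerts below are constructed for this example."""
import json
import socket
import sqlite3
import threading

# Constructed sample alerts, standing in for records read from a unified file.
SAMPLE_ALERTS = [
    {"sensor": "sensor-01", "sid": 1000001, "msg": "constructed alert A",
     "src": "10.0.0.5", "dst": "10.0.0.9", "ts": "2005-08-11T12:46:14"},
    {"sensor": "sensor-02", "sid": 1000002, "msg": "constructed alert B",
     "src": "10.0.1.7", "dst": "10.0.0.9", "ts": "2005-08-11T12:46:15"},
]
SCHEMA = ("CREATE TABLE IF NOT EXISTS event ("
          "sensor TEXT, sid INTEGER, msg TEXT, src TEXT, dst TEXT, ts TEXT)")


def parse_alert(line):
    """Validate one wire line from an agent; None if it is not a usable alert.
    The master must not trust what arrives from the sensor network blindly."""
    try:
        a = json.loads(line)
        return (str(a["sensor"]), int(a["sid"]), str(a["msg"]),
                str(a["src"]), str(a["dst"]), str(a["ts"]))
    except (ValueError, KeyError, TypeError):
        return None


def master(srv, db_path, expected, out):
    """Master on the DB host: srv is already bound (in a deployment, to the
    dedicated sensor/management network only).  It is the only process
    that opens the database; sqlite3 here stands in for a DBMS reached
    through its local unix socket with no TCP listener."""
    db = sqlite3.connect(db_path)
    db.execute(SCHEMA)
    stored = 0
    while stored < expected:
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8") as f:
            for line in f:
                row = parse_alert(line)
                if row is None:
                    continue          # malformed line: drop it, keep serving
                db.execute("INSERT INTO event VALUES (?,?,?,?,?,?)", row)
                stored += 1
        db.commit()
    out.extend(db.execute("SELECT * FROM event ORDER BY sensor, sid"))
    db.close()
    srv.close()


def agent(master_addr, lines):
    """Sensor-side agent: forwards already serialised lines to the master
    and never speaks to the database itself."""
    with socket.create_connection(master_addr) as s:
        for line in lines:
            s.sendall((line + "\n").encode("utf-8"))
        s.shutdown(socket.SHUT_WR)


def run_demo(alerts=SAMPLE_ALERTS):
    """Run master and agents in-process; returns the rows the master stored."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # loopback stands in for the separate network
    srv.listen(8)
    rows = []
    t = threading.Thread(target=master, args=(srv, ":memory:", len(alerts), rows))
    t.start()
    addr = srv.getsockname()
    agent(addr, ["this is not an alert"])      # garbage is dropped by the master
    for sensor in sorted({a["sensor"] for a in alerts}):
        agent(addr, [json.dumps(a) for a in alerts if a["sensor"] == sensor])
    t.join(timeout=10)
    return rows


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

With a real DBMS the master would connect through the server's socket file and the server would have its TCP listener switched off (`skip-networking` in MySQL's my.cnf, `listen_addresses = ''` in postgresql.conf), so the database host exposes nothing but the master's port, and that only on the sensor network.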
