[Snort-users] what's the difference between alert_fast and alert_unified?

zhaohui yin yinzhaohui at ...11827...
Fri Oct 21 20:16:33 EDT 2005


How can I change to using barnyard? Any suggestions?

I changed my snort.conf to:
 output alert_unified: snort.alert
 output log_unified: snort_log

and set barnyard.conf with:
 output alert_acid_db: mysql, database snort, server localhost, user snort, password XXX
 output log_acid_db: mysql, database snort, server localhost, user snort, password XXX

And for the next step I don't know: how can I direct the snort output file
into barnyard?


On 10/22/05, Patrick Harper <patrick at ...4250...> wrote:
> Yes, with barnyard
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of zhaohui yin
> Sent: Friday, October 21, 2005 8:32 PM
> To: Matt Kettler
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] what's the difference between alert_fast and
> alert_unified?
>
> thanks.
>
> I am using snort output to mysql; can unified output be transferred to
> mysql input?
>
> On 10/21/05, Matt Kettler <mkettler at ...4108...> wrote:
> > zhaohui yin wrote:
> > > Hi all:
> > >     I am confused about the snort options alert_fast/alert_unified,
> > > and want to know in which mode snort will run fastest.
> >
> > unified is faster than alert_fast. "alert_fast" is a text-mode log for
> > alerts, and while it's fast for text mode, and much faster than alert_full,
> > it's still a text log.
> >
> > However, alert_unified is a binary format and you need to use barnyard to
> > post-process the alerts into readable text. The unified binary format lets
> > snort dump the alerts to disk with an absolute minimum amount of overhead,
> > as it doesn't need to look up the alert descriptions, etc when logging.
> >
> > >    I run snort with the -b -A fast options, any suggestion?
> >
> > By using -b you're already getting some speed benefit, as your packet log
> > is binary. Unified would extend this and make both your packet and your
> > alert logs binary.
> >
> >
> >
>
>
> --
> yinzhaohui
>
>


--
yinzhaohui
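The post-processing step described in Matt Kettler's quoted reply (Snort writes fixed-size binary records without looking up rule messages, and barnyard turns them into text later), as an added example that is not part of this thread and not code from the Snort or barnyard projects: a small Python parser for alert_unified spool data. It assumes the record layout of Snort 2.x spo_unified.h (a UnifiedAlertFileHeader followed by UnifiedAlert structs), written with fwrite() in host byte order with host struct padding, and a glibc struct timeval of two C longs. The magic and version constants are assumed values, and the sample records and sid-msg.map lines are constructed for the example.

```python
# Added example: alert_unified spool parser.  Not from this thread or from the
# Snort/barnyard sources.  Record layout assumed from Snort 2.x spo_unified.h,
# host byte order/padding, struct timeval = two C longs (Linux/glibc).
import socket
import struct

ALERT_MAGIC = 0xDEAD4137      # ALERT_MAGIC in spo_unified.h (assumed value)
UNIFIED_VERSION = (1, 2)      # format major/minor written by Snort 2.x (assumed)

# UnifiedAlertFileHeader: magic, version_major, version_minor, timezone
FILE_HEADER = struct.Struct("@4I")
# UnifiedAlert = Event{7 x u32, timeval ref_time} + timeval ts + sip + dip
#              + sp + dp (u16) + protocol + flags.  '@' = host order/padding,
#              i.e. what fwrite(&rec, sizeof rec) emits; the trailing '0l'
#              reproduces the struct's tail padding on 64-bit hosts.
ALERT_REC = struct.Struct("@7I2l2l2I2H2I0l")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_sid_msg_map(text):
    """Build {sid: message} from sid-msg.map style lines: 'sid || msg || ref'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = [f.strip() for f in line.split("||")]
            table[int(fields[0])] = fields[1]
    return table

def ip_to_u32(dotted):
    """IPv4 text -> the u32 Snort stores: network-order bytes read natively."""
    return struct.unpack("@I", socket.inet_aton(dotted))[0]

def u32_to_ip(value):
    return socket.inet_ntoa(struct.pack("@I", value))

def encode_header(timezone=0):
    return FILE_HEADER.pack(ALERT_MAGIC, *UNIFIED_VERSION, timezone)

def encode_alert(gen, sid, rev, sec, usec, sip, dip, sp, dp, proto,
                 classification=0, priority=0, event_id=0):
    """Serialise one record the way the alert_unified plugin would: only
    numbers, no rule message text, which is why it is cheap at capture time."""
    return ALERT_REC.pack(gen, sid, rev, classification, priority, event_id, 0,
                          sec, usec,                  # Event.ref_time
                          sec, usec,                  # ts
                          ip_to_u32(sip), ip_to_u32(dip), sp, dp, proto, 0)

def render(rec, sidmap):
    """One unpacked record -> alert_fast style text.  The sid lookup here is
    the work Snort defers to the post-processor."""
    (gen, sid, rev, _cls, prio, _eid, _eref, _rsec, _rusec,
     sec, usec, sip, dip, sp, dp, proto, _flags) = rec
    msg = sidmap.get(sid, "Snort Alert [%d:%d:%d]" % (gen, sid, rev))
    return "%d.%06d [**] [%d:%d:%d] %s [**] [Priority: %d] {%s} %s:%d -> %s:%d" % (
        sec, usec, gen, sid, rev, msg, prio, PROTO_NAMES.get(proto, str(proto)),
        u32_to_ip(sip), sp, u32_to_ip(dip), dp)

def parse_spool(data, sidmap, offset=0):
    """Return (lines, new_offset).  The header is checked when starting at 0.
    A trailing partial record (Snort mid-write) is left unread and its start
    offset returned so the caller can resume later, which is the bookmark
    behaviour barnyard provides with its waldo file."""
    if offset == 0:
        magic, major, minor, _tz = FILE_HEADER.unpack_from(data, 0)
        if magic != ALERT_MAGIC:
            raise ValueError("not an alert_unified file: magic 0x%08X" % magic)
        if (major, minor) != UNIFIED_VERSION:
            raise ValueError("unsupported unified version %d.%d" % (major, minor))
        offset = FILE_HEADER.size
    lines = []
    while offset + ALERT_REC.size <= len(data):
        lines.append(render(ALERT_REC.unpack_from(data, offset), sidmap))
        offset += ALERT_REC.size
    return lines, offset

# ---- constructed sample input (not from the thread) ----
SID_MSG_MAP = """\
# sid || message || reference   (constructed entries)
1000001 || CONSTRUCTED alert one || url,example.invalid
1000002 || CONSTRUCTED alert two
"""

def build_sample_spool():
    """Header, two complete records, then the first 10 bytes of a third."""
    return (encode_header()
            + encode_alert(1, 1000001, 1, 1129940193, 0, "10.0.0.5", "10.0.0.9",
                           40000, 80, 6, priority=2)
            + encode_alert(1, 1000002, 2, 1129940194, 500000, "10.0.0.9",
                           "10.0.0.5", 53, 1025, 17, priority=3)
            + encode_alert(1, 1000001, 1, 1129940195, 0, "10.0.0.5", "10.0.0.9",
                           40001, 80, 6)[:10])

def demo():
    return parse_spool(build_sample_spool(), parse_sid_msg_map(SID_MSG_MAP))

if __name__ == "__main__":
    lines, offset = demo()
    print("\n".join(lines))
    print("next read resumes at byte offset", offset)
```

In a real deployment the bytes come from the file Snort writes in its log directory (it appends a Unix timestamp to the configured base name), and barnyard 0.2.x is pointed at that directory and base name with its -d and -f options while a waldo file records the offset it has consumed, the role played by the offset returned above. The caveat the format imposes is visible in the struct definition: it is host-native, so barnyard (or any parser like this one) has to run with the same word size and endianness as the sensor, or the timeval width and the integer fields will not line up.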
