[Snort-users] multiple instances of snort and barnyard
pauls at ...6838...
Wed Aug 23 14:02:14 EDT 2006
--On Wednesday, August 23, 2006 09:41:05 -0500 Spencer Anderson
<sanderson at ...11591...> wrote:
> Is there a way to run barnyard in batch mode so that each time it's run
> against a file it only processes events that it hasn't processed before?
Barnyard does this by default, but you can specify a waldo file if you
> Or, is there a way to have multiple continuous instances of barnyard
> running so each instance can maintain its corresponding snort unified
> log file?
Sure. I run three on one box. Just create symlinks to the binary -
barnyard1, barnyard2 and barnyard3. Then create duplicate startup scripts
with the right switches for each instance, etc. The pidfiles should be
named after each instance so one doesn't negate another.
> Or, is there a better way to have each event captured by snort
> associated with the network interface it was detected on?
Start three instances of snort, each with its own interface specified.
Make sure you use the -R switch to append a character to the pid file for
each instance and specify the location of each logfile, etc., etc.
It's all very doable (I've been doing it for some time now). You just have
to think through how to separate the processes and their results so they
don't "step on" each other.
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 4085 bytes
Desc: not available
More information about the Snort-users