[Snort-users] multiple instances of snort and barnyard

Paul Schmehl pauls at ...6838...
Wed Aug 23 14:02:14 EDT 2006


--On Wednesday, August 23, 2006 09:41:05 -0500 Spencer Anderson 
<sanderson at ...11591...> wrote:
>
> Is there a way to run barnyard in batch mode so that each time it's run
> against a file it only processes events that it hasn't processed before?
>
Barnyard does this by default, but you can specify a waldo file if you 
like.
>
> Or, is there a way to have multiple continuous instances of barnyard
> running so each instance can maintain its corresponding snort unified
> log file?
>
Sure.  I run three on one box.  Just create symlinks to the binary - 
barnyard1, barnyard2 and barnyard3.  Then create duplicate startup scripts 
with the right switches for each instance, etc.  The pidfiles should be 
named after each instance so one doesn't negate another.
>
> Or, is there a better way to have each event captured by snort
> associated with the network interface it was detected on?
>
Start three instances of snort, each with its own interface specified. 
Make sure you use the -R switch to append a character to the pid file for 
each instance and specify the location of each logfile, etc., etc.

It's all very doable (I've been doing it for some time now).  You just have 
to think through how to separate the processes and their results so they 
don't "step on" each other.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
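
The separation described in the reply above, as an added example that is not part of the original message: a dry-run shell planner that prints one snort and one barnyard command line per interface and refuses if two instances would share a spool directory, waldo file or pidfile. The interface names, all paths, the `snort.log` unified base name and the barnyard 0.2 style `-d`/`-f`/`-w`/`-X` switches are assumptions.

```shell
#!/bin/sh
# Dry-run planner: prints commands only, starts nothing.
# Assumed values (not from the post): paths below, interface names, "snort.log" base name.
LOGROOT=/var/log/snort            # one subdirectory per interface
RUNDIR=/var/run                   # pidfile directory
SNORT_CONF=/etc/snort/snort.conf
BY_CONF=/etc/snort/barnyard.conf

# Paths that must be unique per instance: spool dir, waldo file, barnyard pidfile.
instance_paths() {  # $1 = interface, $2 = instance number
    printf '%s\n' "$LOGROOT/$1" "$LOGROOT/$1/barnyard.waldo" "$RUNDIR/barnyard$2.pid"
}

snort_cmd() {  # -R puts the id into snort's pid file name, -l keeps logs apart
    printf 'snort -D -i %s -R %s -c %s -l %s\n' "$1" "$2" "$SNORT_CONF" "$LOGROOT/$1"
}

barnyard_cmd() {  # barnyardN is a symlink to the barnyard binary, as in the post
    printf 'barnyard%s -D -c %s -d %s -f snort.log -w %s -X %s\n' \
        "$2" "$BY_CONF" "$LOGROOT/$1" "$LOGROOT/$1/barnyard.waldo" "$RUNDIR/barnyard$2.pid"
}

# Print every path claimed by more than one instance (no output = no overlap).
collisions() {
    n=0
    for iface in "$@"; do
        n=$((n + 1))
        instance_paths "$iface" "$n"
    done | sort | uniq -d
}

plan() {
    dup=$(collisions "$@")
    if [ -n "$dup" ]; then
        printf 'refusing, shared path: %s\n' $dup >&2
        return 1
    fi
    n=0
    for iface in "$@"; do
        n=$((n + 1))
        snort_cmd "$iface" "$n"
        barnyard_cmd "$iface" "$n"
    done
}

plan eth1 eth2 eth3   # constructed interface names
```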