[Snort-users] More questions on Snort/barnyard

sudhakar govindavajhala sudhakarg79spam at ...11827...
Wed Jan 30 23:37:48 EST 2008


Hi all,



Thanks for your help. I have a few more questions about barnyard and Snort.


0) The Snort box will face the Internet on a 400 Megabit connection. How many
alerts can I expect? I want to estimate the disk requirements etc.


1) Is there any obvious mistake with this command line:
[root at ...274... snort]# barnyard -c /etc/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d /var/log/snort -f snort.log



2) Why do I get this error?  How can I shut this off?  Is this warning a
problem?
WARNING: Unable to extract timestamp file extension from 'snort.log'



3) What is a good size to set for files below?

# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

What happens when the file size (128) is reached? Does Snort die or restart?


4) I briefly looked at the implementation of barnyard. I may be wrong here. How
does barnyard poll the directory? Is it busy-looping?

5) What is the difference between alert and log?  I am thinking alert is the
human readable version.  What is the difference between snort.log and
snort.log.timestamp?

5) Should I pass "alert" to barnyard?


6) output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

I see the file snort.log.   Why is snort.alert missing?

[root at ...274... snort]# ls -l
total 464
-rw------- 1 root snort  14214 Jan 30 14:33 alert
-rw-r--r-- 1 root root  380336 Jan 30 14:33 snort.log
-rw------- 1 root root    1186 Jan 30 13:57 snort.log.1201719126
-rw------- 1 root root    7410 Jan 30 14:01 snort.log.1201719513
-rw------- 1 root root   40834 Jan 30 14:33 snort.log.1201719677
[root at ...274... snort]#


--Sudhakar

