[Snort-users] More questions on Snort/barnyard

Paul Schmehl pauls at ...6838...
Thu Jan 31 12:09:29 EST 2008


--On Wednesday, January 30, 2008 23:37:48 -0500 sudhakar govindavajhala 
<sudhakarg79spam at ...11827...> wrote:
>
> 0) Snort box will face the Internet. 400 Megabit  connection. How many alerts
> can I expect?  I want to estimate the disk requirements etc.
>

That depends entirely on what rules you will use, whether or not you use 
thresholding, what you do for log maintenance and a host of other issues that 
only you can answer.

>
> 1) Is there any obvious mistake with this command line:
> [root at ...274... snort]# barnyard -c /etc/barnyard.conf  -s
> /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p
> /etc/snort/classification.config -d /var/log/snort -f snort.log
>

You're missing -D which daemonizes barnyard.

>
>
> 2) Why do I get this error?  How can I shut this off?  Is this warning a
> problem?
> WARNING: Unable to extract timestamp file extension from 'snort.log'
>

Shut what off?

>
>
> 3) What is a good size to set for files below?
>
># Two arguments are supported.
>#    filename - base filename to write to (current time_t is appended)
>#    limit    - maximum size of spool file in MB (default: 128)
>#
>  output alert_unified: filename snort.alert, limit 128
>  output log_unified: filename snort.log, limit 128
>
> What happens when the file size (128) is reached? Does Snort die or restart?
>

The defaults are fine.  When they're reached, snort simply starts a new logfile.

>
> 4) I briefly looked at implementation of barnyard. I may be wrong here. How
> does barnyard poll the directory? Is it busy-looping?
>

It watches for new entries in the log.

> 5) What is the difference between alert and log?  I am thinking alert is the
> human readable version.  What is the difference between snort.log and
> snort.log.timestamp?
>

You really need to learn how to do your own research.  Most of your questions 
have already been asked hundreds of times and answered.

<http://www.snort.org/docs/faq/3Q06/node73.html>

-- 
Paul Schmehl (pauls at ...6838...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
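The config comment quoted in question 3 says the unified output writes to the base filename with the current time_t appended, and the reply to question 3 says Snort simply starts a new logfile when the size limit is reached. The warning in question 2 comes from handing barnyard a name it cannot extract such a suffix from. The following Python is an added example, not code from this thread or from the barnyard project: it models that naming convention over a constructed directory listing, finds the newest spool file for a base name, flags names with no timestamp extension, and detects that a rotation has occurred. The dot separator, the decimal digit count of the suffix and the sample file names are assumptions made for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing of a spool directory. The "base.<time_t>" form
# follows the config comment in the thread; the '.' separator and the
# decimal digit range are assumptions of this example.
SAMPLE_LISTING = [
    "snort.log.1201737600",
    "snort.log.1201741200",
    "snort.alert.1201737600",
    "snort.log",            # bare base name: nothing to extract a timestamp from
    "snort.log.1201744800",
    "README",
]

# Base name followed by a dot and a plausible decimal time_t (assumed format).
_SUFFIX_RE = re.compile(r"^(?P<base>.+)\.(?P<ts>\d{9,11})$")


@dataclass(frozen=True)
class SpoolFile:
    name: str     # full file name as listed
    base: str     # configured base filename, e.g. "snort.log"
    time_t: int   # the appended time_t, used to order files


def parse_spool_name(name: str) -> Optional[SpoolFile]:
    """Split 'base.<time_t>' into its parts; None when there is no suffix."""
    m = _SUFFIX_RE.match(name)
    if not m:
        return None
    return SpoolFile(name, m.group("base"), int(m.group("ts")))


def spool_files(listing: List[str], base: str) -> List[SpoolFile]:
    """All spool files for `base`, oldest first (ordered by appended time_t)."""
    found = [sf for sf in map(parse_spool_name, listing)
             if sf is not None and sf.base == base]
    return sorted(found, key=lambda sf: sf.time_t)


def newest_spool(listing: List[str], base: str) -> Optional[SpoolFile]:
    """The file Snort is currently writing: the highest time_t for `base`."""
    files = spool_files(listing, base)
    return files[-1] if files else None


def names_without_timestamp(listing: List[str], base: str) -> List[str]:
    """Entries that equal the base name exactly and so carry no time_t
    extension; feeding such a name to a reader is the situation behind the
    'Unable to extract timestamp file extension' warning in the thread."""
    return [n for n in listing if n == base]


def rotated_since(seen: Optional[SpoolFile], now: Optional[SpoolFile]) -> bool:
    """True when a newer spool file exists than the one last processed,
    i.e. Snort hit the size limit and started a new logfile."""
    if now is None:
        return False
    return seen is None or now.time_t > seen.time_t


def scan_directory(path: str, base: str) -> List[SpoolFile]:
    """Same as spool_files but over a real directory on disk."""
    return spool_files(os.listdir(path), base)


if __name__ == "__main__":
    for sf in spool_files(SAMPLE_LISTING, "snort.log"):
        print(f"{sf.name}: time_t={sf.time_t}")
    print("newest:", newest_spool(SAMPLE_LISTING, "snort.log").name)
    print("no timestamp:", names_without_timestamp(SAMPLE_LISTING, "snort.log"))
```

A consumer built this way polls the listing, compares the newest time_t with the one it last finished, and only then opens the new file; that is the observable behaviour the thread describes when a spool file reaches its size limit, without the consumer ever needing the bare base name itself.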
