[Snort-users] More questions on Snort/barnyard

Paul Schmehl pauls at ...6838...
Thu Jan 31 12:09:29 EST 2008

--On Wednesday, January 30, 2008 23:37:48 -0500 sudhakar govindavajhala 
<sudhakarg79spam at ...11827...> wrote:
> 0) Snort box will face the Internet. 400 Megabit  connection. How many alerts
> can I expect?  I want to estimate the disk requirements etc.

That depends entirely on what rules you will use, whether or not you use 
threshholding, what you do for log maintenance and a host of other issues that 
only you can answer.

> 1) Is there any obvious mistake with this command line:
> [root at ...274... snort]# barnyard -c /etc/barnyard.conf  -s
> /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p
> /etc/snort/classification.config -d /var/log/snort -f snort.log

You're missing -D which daemonizes barnyard.

> 2) Why do I get this error?  How can I shut this off?  Is this warning a
> problem?
> WARNING: Unable to extract timestamp file extension from 'snort.log'

Shut what off?

> 3) What is a good size to set for files below?
># Two arguments are supported.
>#    filename - base filename to write to (current time_t is appended)
>#    limit    - maximum size of spool file in MB (default: 128)
>  output alert_unified: filename snort.alert, limit 128
>  output log_unified: filename snort.log, limit 128
> What happens when the file size (128) is reached? Does Snort die or restart?

The defaults are fine.  When they're reached, snort simply starts a new logfile.

> 4) I briefly looked at implementation of barnyard. I may be wrong here. How
> does barnyard poll the directory? Is it busy-looping?

It watches for new entries in the log.

> 5) What is the difference between alert and log?  I am thinking alert is the
> human readable version.  What is the difference between snort.log and
> snort.log.timestamp?

You really need to learn how to do your own research.  Most of your questions 
have already been asked hundreds of times and answered.


Paul Schmehl (pauls at ...6838...)
Senior Information Security Analyst
The University of Texas at Dallas

More information about the Snort-users mailing list