[Snort-users] More questions on Snort/barnyard
pauls at ...6838...
Thu Jan 31 12:09:29 EST 2008
--On Wednesday, January 30, 2008 23:37:48 -0500 sudhakar govindavajhala
<sudhakarg79spam at ...11827...> wrote:
> 0) Snort box will face the Internet. 400 Megabit connection. How many alerts
> can I expect? I want to estimate the disk requirements etc.
That depends entirely on what rules you will use, whether or not you use
threshholding, what you do for log maintenance and a host of other issues that
only you can answer.
> 1) Is there any obvious mistake with this command line:
> [root at ...274... snort]# barnyard -c /etc/barnyard.conf -s
> /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p
> /etc/snort/classification.config -d /var/log/snort -f snort.log
You're missing -D which daemonizes barnyard.
> 2) Why do I get this error? How can I shut this off? Is this warning a
> WARNING: Unable to extract timestamp file extension from 'snort.log'
Shut what off?
> 3) What is a good size to set for files below?
># Two arguments are supported.
># filename - base filename to write to (current time_t is appended)
># limit - maximum size of spool file in MB (default: 128)
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
> What happens when the file size (128) is reached? Does Snort die or restart?
The defaults are fine. When they're reached, snort simply starts a new logfile.
> 4) I briefly looked at implementation of barnyard. I may be wrong here. How
> does barnyard poll the directory? Is it busy-looping?
It watches for new entries in the log.
> 5) What is the difference between alert and log? I am thinking alert is the
> human readable version. What is the difference between snort.log and
You really need to learn how to do your own research. Most of your questions
have already been asked hundreds of times and answered.
Paul Schmehl (pauls at ...6838...)
Senior Information Security Analyst
The University of Texas at Dallas
More information about the Snort-users