[Snort-users] Running snort and barnyard with 3 sniffing interfaces

Joel Esler jesler at ...1935...
Fri Apr 30 01:06:17 EDT 2010


You should have a separate folder for each barnyard. 

--
Sent from my iPad
AIM: eslerjoel

On Apr 30, 2010, at 12:29 AM, Eoin Miller <eoin.miller at ...14586...> wrote:

> I think barnyard only chooses the first file it sees that matches its 
> criteria, and since you have multiple in that folder it will only pick 
> the first one and follow it. This would hold true if all the alerts you 
> are getting are only from your snort1 instance?  Do you really have 
> three separate copies of the same binary as well?  I would create 
> logging subdirectories for each instance of snort and point each 
> instance of barnyard2 to those subdirectories and see if that takes care 
> of it.
> 
> /var/log/snort/1/
> /var/log/snort/2/
> /var/log/snort/3/
> 
> -- Eoin
> 
> On 4/30/2010 12:10 AM, ccie 6862 wrote:
>> I need a sanity check here, as I'm having a little problem with barnyard. I have a CentOS 5 system with the most recent version of snort and barnyard. The system has 4 interfaces: one is the management interface while the other 3 are the sniffing interfaces with no IP and SPANed on a Cisco switch on 3 different VLANs. Snort on each of the different sniffing interfaces has a different start up script and consequently generates different snort.alert and snort.log files. This all seems to be working correctly.
>> 
>> When I set up barnyard, I've done something similar: there are three different instances of barnyard for each log pair, and consequently each runs with a different waldo, pid file, and configuration configured. They all have "-d /var/log/snort -f snort.log" configured.
>> 
>> Here's the problem. I get a fair amount of hits on the public snort sniffing interface; however, barnyard doesn't add anything to the dump.log file. The other instances of barnyard for the other interfaces appear to dump info into the dump.log file.
>> 
>> This may be of interest, but does anyone see anything I've done wrong?
>> 
>> root      9536 18.8  3.6 226044 145480 ?       Ss   22:44   4:49 /usr/local/bin/snort1 -i eth1 -I -c /etc/snort/snort1.conf -D
>> root      9557  0.0  0.1  49524  4468 pts/1    S    22:44   0:00 /usr/local/bin/barnyard1 -c /etc/snort/barnyard1.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard1.waldo -D -X /var/run/barnyard1.pid
>> root      9576  0.2  2.2 177744 90368 ?        Ss   22:44   0:03 /usr/local/bin/snort2 -i eth2 -I -c /etc/snort/snort2.conf -D
>> root      9599  0.0  0.1  49524  4468 pts/1    S    22:45   0:00 /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D -X /var/run/barnyard2.pid
>> root      9619  0.2  2.2 177740 90360 ?        Ss   22:45   0:03 /usr/local/bin/snort3 -i eth3 -I -c /etc/snort/snort3.conf -D
>> root      9640  0.0  0.1  49524  4468 pts/1    S    22:46   0:00 /usr/local/bin/barnyard3 -c /etc/snort/barnyard3.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard3.waldo -D -X /var/run/barnyard3.pid
>> 
>> 
>> Thank you.
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
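As an added illustration that is not from any of the posters, this POSIX sh script reproduces the shared-spool ambiguity the replies describe in a constructed temporary directory, and prints the per-instance `snort -l` / `barnyard2 -d` command lines that follow from their advice. The `1272600001`-style timestamps are constructed, and the assumption that barnyard2 follows the first file matching `<-f name>.<timestamp>` in its `-d` directory is taken from the thread, not verified against barnyard2 source.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes barnyard2 follows the first file
# matching "<-f base>.<timestamp>" in its -d directory, and that snort's -l flag
# sets the directory its unified2 output is written to.

# Count the spool files barnyard2 would consider in directory $1 for base name $2.
# With three snort instances sharing one directory this is 3, so a given
# barnyard2 may follow another instance's file; per-instance directories give 1.
spool_candidates() {
    dir="$1"; base="$2"
    n=0
    for f in "$dir/$base".*; do
        [ -e "$f" ] && n=$((n + 1))   # unmatched glob stays literal, so count 0
    done
    echo "$n"
}

# Print corrected command lines for instance $1 on interface $2, each with its
# own log directory under $3 (mirrors the /var/log/snort/1,2,3 layout suggested).
instance_cmds() {
    i="$1"; iface="$2"; root="$3"
    echo "snort -i $iface -c /etc/snort/snort$i.conf -l $root/$i -D"
    echo "barnyard2 -c /etc/snort/barnyard$i.conf -d $root/$i -f snort.log -w $root/$i/barnyard.waldo -D"
}

# Build both layouts from constructed spool files and report the candidate counts.
demo() {
    root=$(mktemp -d)
    # Constructed: three instances writing snort.log.<ts> into one shared directory.
    for ts in 1272600001 1272600002 1272600003; do : > "$root/snort.log.$ts"; done
    shared=$(spool_candidates "$root" snort.log)
    # Constructed: the same files, one per instance subdirectory.
    i=1
    for ts in 1272600001 1272600002 1272600003; do
        mkdir -p "$root/$i"; : > "$root/$i/snort.log.$ts"; i=$((i + 1))
    done
    split=$(spool_candidates "$root/2" snort.log)
    rm -rf "$root"
    echo "shared=$shared per-instance=$split"
}

demo
instance_cmds 1 eth1 /var/log/snort
```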