[Snort-users] Barnyard2 and multiple sensors

Eoin Miller eoin.miller at ...14586...
Thu Oct 21 10:52:56 EDT 2010


On 10/20/10 11:40 PM, Russell Fulton wrote:
> Hi Folks
>
> I am at the point where I need to have more than one snort instance running on a given sensor so we can take advantage of multiple CPUs and thus I will be producing multiple unified2 files on a sensor.  Logically there is still just one sensor -- can barnyard2 merge input from more than one input file?  I've googled and rtfm'ed and could not find anything that suggested that this is possible.  I hope I missed something :)
>
> Russell
>
I set up each Snort instance to log to 1 MB unified2 files, and then I have a Perl script do an ls in the directory every 30 or so seconds; if it sees two or more files from the same instance, it fires up barnyard2 to process the file. There is some slight lag in the alerts getting to the sensor doing it this way, but it works pretty well for us.

I can toss you a copy of the script, init script and a little more info 
on the Snort output setup if you like.

-- Eoin
