[Snort-users] Barnyard2 and multiple sensors

Jim Hranicky jfh at ...5250...
Wed Oct 27 21:37:58 EDT 2010


>> I am at the point where I need to have more than one snort instance
>> running on a given sensor so we can take advantage of multiple CPUs
>> and thus I will be producing multiple unified2 files on a sensor. Logically
>> there is still just one sensor -- can barnyard2 merge input from more than
>> one input file? I've googled and rtfm'ed and could not find anything that
>> suggested that this is possible. I hope I missed something :)

FWIW, here's the processes on our new test sensor:

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort1 net 10.0.0.0/10
barnyard2 -i eth2.1 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort1

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort2 net 10.64.0.0/10
barnyard2 -i eth2.2 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort2

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort3 net 10.128.0.0/10
barnyard2 -i eth2.3 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort3

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort4 net 10.192.0.0/10
barnyard2 -i eth2.4 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort4

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort5 net XX.XX.0.0/17
barnyard2 -i eth2.5 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort5

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort6 net XX.XX.128.0/17
barnyard2 -i eth2.6 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort6

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort7 net XX.XX.0.0/17
barnyard2 -i eth2.7 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort7

/opt/local/bin/snort -i eth2 -c /etc/snort/ufirt-snort.conf -l /var/log/snort8 net XX.XX.128.0/17
barnyard2 -i eth2.8 -n -c /opt/local/etc/barnyard2/by2-1.conf -f snort.u2 -d /var/log/snort8

This seems to be working very well for us.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
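
A check for the split shown in the message above, as an added example that is not part of the original post: it verifies that the per-instance `net` filters cover a monitored range with no gap (traffic no instance inspects) and no overlap (the same traffic alerting in two instances). The `10.0.0.0/8` target and the function name `check_partition` are assumptions, and the redacted XX.XX ranges are left out.

```python
import ipaddress

# Constructed sample: the four 10.x slices from the process list above,
# keyed by each instance's log directory. The XX.XX ranges are redacted
# in the post and are not included here.
SLICES = {
    "/var/log/snort1": "10.0.0.0/10",
    "/var/log/snort2": "10.64.0.0/10",
    "/var/log/snort3": "10.128.0.0/10",
    "/var/log/snort4": "10.192.0.0/10",
}


def check_partition(monitored, slices):
    """Return (gaps, overlaps) for a set of per-instance `net` filters.

    gaps:     networks inside `monitored` that no instance's filter covers
    overlaps: (dir_a, dir_b) pairs whose filters share addresses
    """
    target = ipaddress.ip_network(monitored)
    nets = {d: ipaddress.ip_network(n) for d, n in slices.items()}

    # Subtract every slice from whatever part of the target is still uncovered.
    uncovered = [target]
    for net in nets.values():
        remaining = []
        for u in uncovered:
            if not u.overlaps(net):
                remaining.append(u)                      # untouched by this slice
            elif net.subnet_of(u):
                remaining.extend(u.address_exclude(net)) # carve the slice out
            # otherwise u lies entirely inside net: fully covered, drop it
        uncovered = remaining

    # CIDR blocks are either nested or disjoint, so a pairwise test is enough.
    dirs = sorted(nets)
    overlaps = [(a, b) for i, a in enumerate(dirs) for b in dirs[i + 1:]
                if nets[a].overlaps(nets[b])]
    return sorted(uncovered), overlaps


if __name__ == "__main__":
    gaps, overlaps = check_partition("10.0.0.0/8", SLICES)
    print("gaps:", [str(g) for g in gaps])
    print("overlaps:", overlaps)
```

Because a BPF `net` primitive matches on either source or destination address, a packet between two slices is still seen by both instances even when the slices themselves do not overlap.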







