[Snort-users] Barnyard2 and multiple sensors

Jim Hranicky jfh at ...5250...
Thu Oct 28 23:59:33 EDT 2010


On Fri, 29 Oct 2010 16:39:55 +1300
Russell Fulton <r.fulton at ...3809...> wrote:

> I have poked through the source and played with putting the filters on the command line but am
> really none the wiser -- anything I put on the commandline seems to be ignored completely.
> 
> From the source I think barnyard is supposed to take a filter on the commandline and use it to
> select sid but it still writes the pid file as barnyard2_<int>.pid so this will fail ???
> 
> Russell (the confused! -- so what is new:)

Use the -i option: 

  USAGE: barnyard2 [-options] <filter options>
  Gernal (sic) Options:
         [..]
        -i <if>    Define the interface <if>. For logging purposes only

I'm using 

  -i eth2.<num> 

as shown in my previous message. This gives the following sensor table: 

    mysql> select * from sensor where last_cid > 0 and not hostname like '%NULL' order by interface;
    +-----+-----------------+-----------+--------+--------+----------+----------+
    | sid | hostname        | interface | filter | detail | encoding | last_cid |
    +-----+-----------------+-----------+--------+--------+----------+----------+
    |   3 | sensor:eth2.1   | eth2.1    | NULL   |      1 |        0 |  2787507 |
    |   5 | sensor:eth2.2   | eth2.2    | NULL   |      1 |        0 |     7302 |
    |   4 | sensor:eth2.3   | eth2.3    | NULL   |      1 |        0 |  1882146 |
    |  11 | sensor:eth2.4   | eth2.4    | NULL   |      1 |        0 |  1254538 |
    |   9 | sensor:eth2.5   | eth2.5    | NULL   |      1 |        0 |   959531 |
    |   7 | sensor:eth2.6   | eth2.6    | NULL   |      1 |        0 |   853294 |
    |   8 | sensor:eth2.7   | eth2.7    | NULL   |      1 |        0 |   626225 |
    |  10 | sensor:eth2.8   | eth2.8    | NULL   |      1 |        0 |   138331 |
    +-----+-----------------+-----------+--------+--------+----------+----------+
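As an added example (not from this thread or from the barnyard2 project), a small Python check that parses `mysql` sensor-table output like the one above and verifies that each capture interface maps to exactly one active sid, which is what the per-instance `-i eth2.<num>` scheme is meant to guarantee. The sample table, its hostnames and the deliberately duplicated `eth2.3` row are constructed.

```python
from collections import defaultdict

# Constructed sample of `select * from sensor` output. eth2.3 appears under two
# hostnames (as happens after a hostname change between restarts), so its events
# are split across two sids; eth2.2 has never logged anything.
SAMPLE = """\
mysql> select * from sensor order by interface;
+-----+----------------+-----------+--------+--------+----------+----------+
| sid | hostname       | interface | filter | detail | encoding | last_cid |
+-----+----------------+-----------+--------+--------+----------+----------+
|   3 | sensor:eth2.1  | eth2.1    | NULL   |      1 |        0 |  2787507 |
|   5 | sensor:eth2.2  | eth2.2    | NULL   |      1 |        0 |        0 |
|   4 | sensor:eth2.3  | eth2.3    | NULL   |      1 |        0 |  1882146 |
|  12 | sensorb:eth2.3 | eth2.3    | NULL   |      1 |        0 |       17 |
+-----+----------------+-----------+--------+--------+----------+----------+
"""

INT_COLUMNS = ("sid", "detail", "encoding", "last_cid")


def parse_sensor_table(text):
    """Return one dict per data row of a mysql ASCII table; NULL -> None."""
    lines = [ln for ln in text.splitlines() if ln.startswith("|")]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.strip("|").split("|")]
        row = {}
        for key, val in zip(header, cells):
            if val == "NULL":
                row[key] = None
            elif key in INT_COLUMNS:
                row[key] = int(val)
            else:
                row[key] = val
        rows.append(row)
    return rows


def sids_per_interface(rows, min_cid=1):
    """Map interface -> sorted sids that have logged at least min_cid events."""
    by_if = defaultdict(list)
    for r in rows:
        if r["last_cid"] >= min_cid:
            by_if[r["interface"]].append(r["sid"])
    return {k: sorted(v) for k, v in by_if.items()}


def duplicated_interfaces(rows):
    """Interfaces whose events are split across more than one active sid."""
    return sorted(k for k, v in sids_per_interface(rows).items() if len(v) > 1)
```

Feed it the real query output (redirect `mysql -e ... > sensors.txt`) and an empty result from `duplicated_interfaces` means every instance's `-i` value landed on its own sid.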

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
