[Snort-users] Download latest source for barnyard2 (securixlive.com is down)

beenph beenph at ...11827...
Thu Feb 3 13:35:05 EST 2011


On Thu, Feb 3, 2011 at 1:05 PM, Martin Holste <mcholste at ...11827...> wrote:
>> More advanced?
>> Stay tuned in 2011 for BY2.
>>
>
> Advanced, as in, I can trivially code custom tasks like to do a lookup
> to my CMDB as alerts roll in, or <do whatever you want> with alert as
> it rolls in.  Or how about sending an RST?
> Net::RawIP->new({ip => { saddr => '1.1.1.1', daddr => '2.2.2.2' }, tcp
> => { source => 1000, dest => 80, rst => 1 }})->send();
> (Flexresp in Snort has been a nightmare for me.)
>
>> Perl is nice, but having perl running for a while can also create
>> surprises, mainly related to memory usage.
>> But if you have enough ram not to care i guess its all kosher.
>>
>
> ^^
> s/perl/any poorly tested program/i
>
> Anyway, the more the merrier--I look forward to your new code.
>

From what I understand you would like to have barnyard be reactive;
this could easily be done
with an output plugin. On the other end, though, you have to consider the
response time versus the process.

Snort -> unified2 file -> barnyard -> output.

Obviously if you have a specific type of ruleset running in a
dedicated snort instance and a dedicated barnyard
for this task this can be more responsive.

But the focus mainly is to remove most of the bugs / issues from the
existing core and allow people to write
dedicated output plugins they find useful.

For sure perl can be flexible, but I will stand by my opinion that it's
not easy to write efficient perl when it's
ultimately looping forever; you have to take a lot of care while doing
that, and since most perl is written as hacks and then
changed, it's usually not built that way.
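To make the "Snort -> unified2 file -> barnyard -> output plugin" pipeline concrete, here is an added example (not barnyard2's own code, nor anything from this thread) of the reactive pattern under discussion: a minimal unified2 record reader that dispatches each IDS event to registered output plugins, with one plugin that enriches the alert from a CMDB lookup. The unified2 record header (type, length) and the 52-byte legacy IPv4 event layout follow Snort's published format; the sample byte stream, the CMDB table, and the plugin/dispatcher names are constructed for the example. It also handles the truncated-record case a tailing reader hits when Snort has not finished writing, and reports the per-batch processing time the reply warns about.

```python
import struct
import time

# unified2 record type values from Snort's unified2 format definitions.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event record (Unified2IDSEvent)

RECORD_HDR = struct.Struct("!II")      # record type, record length (network order)
IDS_EVENT = struct.Struct("!11I2H4B")  # 52-byte legacy event body
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def ipv4_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ipv4(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def build_record(rtype, body):
    """Frame a body with the unified2 record header."""
    return RECORD_HDR.pack(rtype, len(body)) + body


def build_event(sig_id, src, dst, sport, dport, proto=6, priority=2):
    """Constructed unified2 IDS event record used as sample input (not a real capture)."""
    body = IDS_EVENT.pack(
        1, 42, 1296758705, 0,            # sensor, event id, seconds, microseconds
        sig_id, 1, 1, 3, priority,       # sid, gid, rev, classification, priority
        ipv4_to_int(src), ipv4_to_int(dst),
        sport, dport, proto, 0, 0, 0)    # ports, protocol, impact flags, blocked
    return build_record(UNIFIED2_IDS_EVENT, body)


def parse_unified2(data):
    """Yield (record_type, payload) for each complete record in a unified2 byte stream."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            break  # truncated record: Snort is still writing; a tailing reader retries later
        yield rtype, data[off:off + rlen]
        off += rlen


def decode_event(payload):
    """Decode a legacy IPv4 event body into a dict with dotted-quad addresses."""
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
    ev["src"] = int_to_ipv4(ev["ip_source"])
    ev["dst"] = int_to_ipv4(ev["ip_destination"])
    return ev


class Dispatcher:
    """Hypothetical stand-in for barnyard's output-plugin loop."""

    def __init__(self):
        self.plugins = []

    def register(self, plugin):
        self.plugins.append(plugin)

    def run(self, data):
        """Feed every IDS event record to each plugin; return the number handled."""
        handled = 0
        for rtype, payload in parse_unified2(data):
            if rtype != UNIFIED2_IDS_EVENT:
                continue  # packet and other record types are skipped in this example
            ev = decode_event(payload)
            for plugin in self.plugins:
                plugin(ev)
            handled += 1
        return handled


# Constructed CMDB table standing in for a real asset database lookup.
CMDB = {
    "10.0.0.5": {"asset": "dev-workstation-05", "owner": "engineering"},
    "192.0.2.10": {"asset": "dmz-web-01", "owner": "platform"},
}


def make_cmdb_plugin(cmdb, sink):
    """Output plugin: annotate the alert with CMDB data and hand it to a sink list."""
    def plugin(ev):
        ev["src_asset"] = cmdb.get(ev["src"], {}).get("asset", "unknown")
        ev["dst_asset"] = cmdb.get(ev["dst"], {}).get("asset", "unknown")
        sink.append(ev)
    return plugin


def run_demo():
    # One event record followed by a dummy packet record (body contents are constructed).
    stream = build_event(1000001, "10.0.0.5", "192.0.2.10", 4444, 80)
    stream += build_record(UNIFIED2_PACKET, b"\x00" * 64)
    sink = []
    dispatcher = Dispatcher()
    dispatcher.register(make_cmdb_plugin(CMDB, sink))
    start = time.perf_counter()
    handled = dispatcher.run(stream)
    return {"handled": handled, "events": sink, "elapsed_s": time.perf_counter() - start}


if __name__ == "__main__":
    result = run_demo()
    for ev in result["events"]:
        print(f"sid {ev['signature_id']} {ev['src']} ({ev['src_asset']}) -> "
              f"{ev['dst']}:{ev['dport_icode']} ({ev['dst_asset']})")
    print(f"{result['handled']} event(s) in {result['elapsed_s'] * 1e6:.0f} us")
```

The elapsed time is the point of the reply above: every plugin runs inline on the unified2 reader's thread, so a slow lookup delays every later alert, and a plugin that blocks or leaks memory in a process that loops forever will eventually show up as the reader falling behind the spool.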




More information about the Snort-users mailing list