[Snort-users] (no subject)

Kungu Panda kungupanda at ...11827...
Thu Jun 21 12:49:52 EDT 2012


I am using a single instance of snort to write-out multiple unified
files and then using multiple barnyard2 instances to send to both
syslog and mysql.  Basically sending alerts to a prime and backup
monitoring stations.  No issues or problems; drop two "output
unified2: xxx" directives in snort.conf.

Not sure why anyone would need multiple instances of snort to achieve
the same result.  In fact, it would seem to be wildly inefficient to
run multiple instances of snort to inspect the same traffic.  Of
course, you may have systems and cpu's to burn.

KPanda.


-----Original Message-----
From: Peter Bates [mailto:peter.bates at ...15381...]
Sent: Thursday, June 21, 2012 15:48
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Multiple snorts & Barnyard2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

I was just wondering if I was missing any tricks here
- - and interesting if anyone is doing things differently.

I'm spawning multiple Snort processes - with a different
- -l to write unified2 output into seperate directories.

As a result I'm running multiple Barnyard2 processes, each reading the
directories in continuous mode - and writing to DB and Syslog.

Is this the optimal way of doing things, or am I missing a crafty
command-line option somewhere?

- --
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT




More information about the Snort-users mailing list