[Snort-users] Fwd: [barnyard2-users] Can get barnyard2 to read from Snort log but won't write to alert file

waldo kitty wkitty42 at ...14940...
Mon Jul 22 17:54:48 EDT 2013


On 7/22/2013 17:28, mulhern wrote:
>
>     plus, i do not run barnyard ;) O:)
>
> Oh, how do you use Snort then? I was getting the impression that the accepted
> way was to plunk Snort output to unified for speed and then have barnyard decode
> what it's got.

what do you mean? snort runs on its own... nothing else is needed... all the 
other tools are for correlating the alerts with the traffic and other activities 
on the network so that blocks can be initiated or dropped, infestations can be 
detected and possibly blocked while letting the infested machine's owner know 
about the infestation and other similar tasks...

in my case, i use an auto-response tool that reacts to snort's alerts... that 
tool initiates and manages automatic blocking of IPs causing alerts to be raised 
by snort... my users are taught that if they cannot get to some site or there is 
a problem downloading files, they are to ask the security team to check and see 
if the site was blocked... at that point, it is up to the security team and 
management to decide if the block is proper or should be dismissed... depending 
on the situation, the user may even receive a reprimand for trying to go to a 
site that is not allowed by network policy...

aside from all of that, we use the raw pcaps and the information from the snort 
alert... we don't really need anything else at this time... no fancy graphs, no 
fancy charts and no reports... management doesn't have time for all that 
muckity-muck and we're not going to give it to them anyway O:)

-BOfH-

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
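The auto-response workflow described in the message above (snort raises an alert, a tool decides whether to block the offending IP, and anything it will not block automatically goes to the security team for review) can be sketched as a small decision routine over Snort's alert_fast output. The code below is an added example written for this page, not the poster's tool and not part of Snort or barnyard2. The sample alert lines, the local networks, the never-block list and the priority thresholds are all constructed assumptions; only the alert_fast line layout (timestamp, `[**] [gid:sid:rev] msg [**]`, classification, priority, protocol, src -> dst) is Snort's real format.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Snort's alert_fast format (not taken from the thread).
SAMPLE_ALERTS = """\
07/22-17:28:01.101010  [**] [1:1000001:1] TEST SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.0.2.10:22
07/22-17:28:02.202020  [**] [1:1000001:1] TEST SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44322 -> 192.0.2.10:23
07/22-17:28:03.303030  [**] [1:1000002:1] TEST POLICY site not allowed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.25:51000 -> 198.51.100.80:443
07/22-17:28:04.404040  [**] [1:1000003:1] TEST WEB low priority noise [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.9:40000 -> 192.0.2.10:80
07/22-17:28:05.505050  [**] [1:1000001:1] TEST SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.50:1234 -> 192.0.2.10:22
07/22-17:28:06.606060  [**] [1:1000004:1] TEST DNS odd query [**] [Classification: Misc activity] [Priority: 1] {UDP} 10.0.0.30:53000 -> 198.51.100.2:53
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification, priority, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Assumed site layout: our own networks are never auto-blocked, and a short
# never-block list protects infrastructure the users depend on (e.g. resolvers).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
NEVER_BLOCK = [ip_network("198.51.100.0/29")]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not alert_fast."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)


def is_protected(ip):
    return is_local(ip) or any(ip_address(ip) in net for net in NEVER_BLOCK)


def offending_ip(alert):
    """The remote end of the flow (source of an inbound scan, destination of a
    forbidden outbound connection), or None when both ends are local."""
    for ip in (alert["src"], alert["dst"]):
        if not is_local(ip):
            return ip
    return None


def decide_blocks(lines, prio2_threshold=2):
    """Split a batch of alerts into automatic blocks and a human review queue.

    Policy (assumed): priority 1 blocks on a single alert, priority 2 needs
    prio2_threshold alerts from the same IP, priority 3 is never auto-blocked.
    Anything involving a protected address or a purely internal flow is
    queued for the security team instead of being acted on.
    """
    per_ip = defaultdict(list)
    review = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        ip = offending_ip(alert)
        if ip is None:
            review.append(("internal-only flow", alert["src"], alert["dst"], alert["msg"]))
        elif is_protected(ip):
            review.append(("protected address", alert["src"], alert["dst"], alert["msg"]))
        elif alert["prio"] >= 3:
            review.append(("low priority", alert["src"], alert["dst"], alert["msg"]))
        else:
            per_ip[ip].append(alert)

    blocks = {}
    for ip, alerts in per_ip.items():
        highest = min(a["prio"] for a in alerts)  # 1 is the most severe
        if highest == 1 or len(alerts) >= prio2_threshold:
            blocks[ip] = {
                "count": len(alerts),
                "sids": sorted({a["sid"] for a in alerts}),
                "reason": alerts[0]["msg"],
            }
    return blocks, review


if __name__ == "__main__":
    blocks, review = decide_blocks(SAMPLE_ALERTS.splitlines())
    for ip, info in blocks.items():
        print(f"BLOCK  {ip:16} x{info['count']} sids={info['sids']} ({info['reason']})")
    for why, src, dst, msg in review:
        print(f"REVIEW {why:20} {src} -> {dst} ({msg})")
```

With the constructed input, the two-probe external scanner and the forbidden outbound destination are blocked, while the low-priority alert, the internal-to-internal alert and the alert touching a never-block address are left for the security team, which mirrors the "block first, let humans decide whether to dismiss" split in the message.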