[Snort-users] Barnyard2 alternatives?

Richard Monk rmonk at ...4096...
Tue Aug 4 08:25:42 EDT 2015


Hi folks!

TL;DR: Barnyard2 takes forever to start and I have a hundred instances that need
to start on a system.  Pigsty doesn't work, are there alternates?

I took a look through the mailing list archive and have been doing some Google
searches, and so far I've come up empty with a solution to my problem.  I
apologize if this has been asked before.

Currently, we have a sensornet that uses snort + barnyard2 + snorby for
monitoring, but we started having issues if a large number of alerts came
through on the geodistant sensors (sometimes we could get 1 alert/second or less
at maximum speed, going clear around the world).  We would also get some strange
sync issues with barnyard2: when barnyard2 needed to restart, sometimes the
sensor table would be locked while another barnyard was checking, and it would fail.

I fixed this by moving the barnyard2 instances local to the database and using
inotify + rsync to push the unified files to a central server, then running
multiple barnyard2 locally.  This works really well both for alerting and alert
archiving, but we have a new issue and I wanted your take on it.

- Barnyard2 takes a while to start due to caching.  Restarting all the instances
(16) right now takes 20+ minutes, even with only one barnyard updating the
sig_reference table and the others not.

- We are switching to multiprocess snort to handle our 1+ Gbps links, and so now
I'm looking at 50-60 barnyards running, expanding to 150+ in a year or so.

I took a look at pigsty, but it hasn't been touched in a few years and I got a
lot of crashes when reading our historical unified files (making me think it's
going to fail then, too).

I'm wondering if someone else has had this issue, and if they have a solution?
My thoughts on a new service are that it would:

- Allow for processing multiple directories/sensors in a single process (maybe
one thread per sensor internally)

- Check and refresh the sid-msg.map when it changes so you don't have to restart
it on rule changes

If you know of something that works but doesn't write to the snort DB schema,
I'm OK with that as we have some internal tools that we are using that are
slowly replacing Snorby.  Is there a patchset to barnyard2 maybe that does
multiple sensors at once, or improves startup time?

-- 
Richard Monk (rmonk at ...4096...) - Security Analyst
Red Hat, Raleigh NC
GPG Key ID: 0x942CDB25
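An added example, not barnyard2's code and not part of the original post: a small Python loader that parses sid-msg.map and re-reads it only when the file on disk changes, which is the "refresh without a restart" behaviour the post asks for. The v1 and v2 field layouts, the mtime/inode/size change check and the `demo` helper with its constructed sample file are assumptions made for this example.

```python
import os
import tempfile

class SidMsgMap:
    """Loads a sid-msg.map and re-reads it when the file changes on disk.
    Assumed layouts: v1 is 'sid || msg || ref...', v2 starts with a '#v2'
    line and uses 'gid || sid || rev || class || priority || msg || ref...'."""

    def __init__(self, path):
        self.path = path
        self._stamp = None      # (mtime_ns, inode, size) of the last load
        self._entries = {}
        self.reloads = 0
        self.refresh()

    def refresh(self):
        """Reload only if the file changed; returns True when it reloaded.
        The inode is part of the stamp because rsync replaces files by rename."""
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_ino, st.st_size)
        if stamp == self._stamp:
            return False
        self._entries = self._parse(self.path)
        self._stamp = stamp
        self.reloads += 1
        return True

    @staticmethod
    def _parse(path):
        entries = {}
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        v2 = bool(lines) and lines[0].strip() == "#v2"
        for line in lines:
            if not line.strip() or line.startswith("#"):
                continue
            f = [x.strip() for x in line.split("||")]
            try:  # skip malformed lines instead of failing the whole load
                if v2 and len(f) >= 6:
                    entries[(int(f[0]), int(f[1]))] = (f[5], f[6:])
                elif not v2 and len(f) >= 2:
                    entries[(1, int(f[0]))] = (f[1], f[2:])
            except ValueError:
                continue
        return entries

    def lookup(self, gid, sid):
        """Return (msg, refs); unknown signatures get a placeholder message."""
        self.refresh()
        return self._entries.get((gid, sid), ("Snort Alert [%d:%d]" % (gid, sid), []))

def demo():
    """Constructed sample: load a v1 map, then swap in a v2 map and re-look-up."""
    path = os.path.join(tempfile.mkdtemp(), "sid-msg.map")
    with open(path, "w") as fh:
        fh.write("2000001 || ET SAMPLE rule one || url,example.invalid/one\n")
    m = SidMsgMap(path)
    first = m.lookup(1, 2000001)[0]
    with open(path, "w") as fh:
        fh.write("#v2\n1 || 2000001 || 3 || trojan-activity || 1 || "
                 "ET SAMPLE rule one v2 || url,example.invalid/one\n")
    os.utime(path, ns=(1, 1))   # force a different mtime regardless of clock granularity
    return first, m.lookup(1, 2000001)[0], m.lookup(1, 999999)[0], m.reloads
```

In a long-running process the `refresh()` call on each lookup keeps the map current after a rule update without restarting the consumer.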
