Snort mailing list archives

Re: Barnyard2 and multiple sensors
From: Jim Hranicky <jfh () ufl edu>
Date: Thu, 28 Oct 2010 23:59:33 -0400

On Fri, 29 Oct 2010 16:39:55 +1300
Russell Fulton <r.fulton () auckland ac nz> wrote:

I have poked through the source and played with putting the filters on the command line but am
really none the wiser -- anything I put on the command line seems to be ignored completely.

From the source I think barnyard is supposed to take a filter on the command line and use it to
select the sid, but it still writes the pid file as barnyard2_<int>.pid so this will fail ???

Russell (the confused! -- so what is new:)

Use the -i option: 

  USAGE: barnyard2 [-options] <filter options>
  Gernal (sic) Options:
         [..]
        -i <if>    Define the interface <if>. For logging purposes only

I'm using 

  -i eth2.<num> 

as shown in my previous message. This gives the following sensor table: 

    mysql> select * from sensor where last_cid > 0 and not hostname like '%NULL' order by interface;
    +-----+-----------------+-----------+--------+--------+----------+----------+
    | sid | hostname        | interface | filter | detail | encoding | last_cid |
    +-----+-----------------+-----------+--------+--------+----------+----------+
    |   3 | sensor:eth2.1   | eth2.1    | NULL   |      1 |        0 |  2787507 |
    |   5 | sensor:eth2.2   | eth2.2    | NULL   |      1 |        0 |     7302 |
    |   4 | sensor:eth2.3   | eth2.3    | NULL   |      1 |        0 |  1882146 |
    |  11 | sensor:eth2.4   | eth2.4    | NULL   |      1 |        0 |  1254538 |
    |   9 | sensor:eth2.5   | eth2.5    | NULL   |      1 |        0 |   959531 |
    |   7 | sensor:eth2.6   | eth2.6    | NULL   |      1 |        0 |   853294 |
    |   8 | sensor:eth2.7   | eth2.7    | NULL   |      1 |        0 |   626225 |
    |  10 | sensor:eth2.8   | eth2.8    | NULL   |      1 |        0 |   138331 |
    +-----+-----------------+-----------+--------+--------+----------+----------+

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
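A small sanity check for the sensor table above, added here as an example and not part of the original post: it parses the mysql output and flags barnyard2 instances that were started without `-i` (hostname ending in `NULL`), interfaces that ended up with more than one sid, and sids that have never logged an event. The sample table is constructed to resemble the one in the message, with two extra rows added to show those failure cases.

```python
# Constructed sample modelled on the sensor table in the message (hostnames
# anonymised as "sensor"). Rows for sid 1 and sid 6 are added assumptions:
# an instance run without -i, and a second row sharing interface eth2.2.
SAMPLE = """\
+-----+-----------------+-----------+--------+--------+----------+----------+
| sid | hostname        | interface | filter | detail | encoding | last_cid |
+-----+-----------------+-----------+--------+--------+----------+----------+
|   1 | sensor:NULL     | NULL      | NULL   |      1 |        0 |        0 |
|   3 | sensor:eth2.1   | eth2.1    | NULL   |      1 |        0 |  2787507 |
|   5 | sensor:eth2.2   | eth2.2    | NULL   |      1 |        0 |     7302 |
|   6 | sensor:eth2.2   | eth2.2    | NULL   |      1 |        1 |       12 |
+-----+-----------------+-----------+--------+--------+----------+----------+
"""


def parse_mysql_table(text):
    """Turn mysql's ASCII table output into a list of dicts keyed by column name."""
    lines = [l for l in text.splitlines() if l.startswith("|")]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        rows.append(dict(zip(header, cells)))
    return rows


def check_sensors(rows):
    """Report sensor rows that suggest barnyard2 instances are not kept apart."""
    by_iface = {}
    for r in rows:
        by_iface.setdefault(r["interface"], []).append(int(r["sid"]))
    return {
        # Started without -i: interface is NULL, so every such instance on
        # the host collapses onto one "host:NULL" sensor row.
        "no_interface": sorted(by_iface.get("NULL", [])),
        # Two sids for one interface: events for that sensor are split across
        # rows, typically because two instances (or two output configs) log as it.
        "duplicate_interface": {i: sorted(s) for i, s in by_iface.items()
                                if i != "NULL" and len(s) > 1},
        # last_cid of 0: the row exists but nothing has ever been logged to it.
        "idle": sorted(int(r["sid"]) for r in rows if int(r["last_cid"]) == 0),
    }


if __name__ == "__main__":
    for key, val in check_sensors(parse_mysql_table(SAMPLE)).items():
        print(f"{key}: {val}")
```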


