Snort mailing list archives
RE: Barnyard vs. Mudpit
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Thu, 22 Apr 2004 08:09:53 -0400
Hi,

Two things off the top of my head.

One, I have the duplicate entry error in ACID using Mudpit. I didn't know there was the same issue with Barnyard, but if so it looks like either way you are going to have to deal with it. It won't affect the DB in any way that I can tell. It only affects the ACID cache table. (Someone correct me if I am wrong there.)

Secondly, I use Mudpit and find it works great for me. I spool out through Mudpit to the ACID database on a different server as well as to Syslog locally on the sensor. I do this through SnortCenter and set up 2 different output options and have them both set up on the sensor at the same time. Works very well for me. You could do the same in the snort.conf if you didn't want to use SnortCenter. Just set up Mudpit to do the DB spool and then set up snort itself to do the Syslog. Something like this in snort.conf:

    #Mudpit Lines
    output alert_unified: filename /var/log/snort-eth1/alert.log, limit 128
    output log_unified: filename /var/log/snort-eth1/log.log, limit 128

    #Syslog Lines
    output alert_syslog: LOG_LOCAL0 LOG_ALERT

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: jonasb () alum rpi edu [mailto:jonasb () alum rpi edu]
Sent: April 21, 2004 10:38 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Barnyard vs. Mudpit

Hi All -

I've been reading through the list archives to learn more about my output options, but haven't found a definitive answer yet. I've set up Barnyard to output to a remote mysql server from my Snort sensor. Everything works fine, although I am a bit concerned about the duplicate entry issue w/ alert rules. So, I figured, why not try mudpit. I've read however that some people weren't really able to capture sessions using stream processing and tag rules. I'd like to be able to have that functionality - has anyone been able to get this to work with Mudpit?

If not, can you think of any other options? Also - on my db server, I'm running syslog with swatch on the back-end and would like close to RT email alerting functionality for alerts. I know that Barnyard can output to syslog, but what about Mudpit - if so, which output plugin would I use?

Thanks!
B
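The alert_syslog lines that the configuration above sends to the local syslog are what a swatch-style watcher would match for near-real-time mail. As an added illustration (not code from either poster, Snort or Mudpit), this Python parses the "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst" body Snort writes, skips unrelated syslog lines, and selects alerts for mailing by priority while collapsing repeats of the same rule, source and destination so a burst does not generate one mail per packet. The sample lines and IP addresses are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines in the format Snort's alert_syslog plugin emits
# (syslogd header, then "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst").
SAMPLE_LINES = [
    "Apr 22 08:09:53 sensor snort[2271]: [1:2003:8] SNMP public access udp [Classification: "
    "Attempted Information Leak] [Priority: 2]: {UDP} 192.0.2.10:1033 -> 192.0.2.20:161",
    "Apr 22 08:09:55 sensor snort[2271]: [1:469:3] ICMP PING NMAP [Classification: "
    "Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 192.0.2.20",
    "Apr 22 08:10:01 sensor snort[2271]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.7:3456 -> 192.0.2.20:80",
    "Apr 22 08:10:02 sensor snort[2271]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.7:3457 -> 192.0.2.20:80",
    "Apr 22 08:10:30 sensor sshd[900]: Accepted publickey for admin from 192.0.2.5 port 50022",
]

# Classification is optional (rules without a classtype omit it); ports are absent for ICMP.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line; return the alert fields, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "sid": int(m["sid"]), "msg": m["msg"], "classification": m["cls"],
        "priority": int(m["pri"]), "proto": m["proto"], "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def alerts_for_email(lines: List[str], max_priority: int = 1) -> List[Dict[str, object]]:
    """Keep alerts at or above the severity threshold (priority 1 is most severe) and collapse
    repeats of the same (sid, src, dst) so a burst from one rule does not mail once per packet."""
    seen, selected = set(), []
    for line in lines:
        alert = parse_line(line)
        if alert is None or alert["priority"] > max_priority:
            continue
        key = (alert["sid"], alert["src"], alert["dst"])
        if key not in seen:
            seen.add(key)
            selected.append(alert)
    return selected
```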
Current thread:
- Barnyard vs. Mudpit jonasb (Apr 21)
- <Possible follow-ups>
- RE: Barnyard vs. Mudpit Truax, Shawn (MBS) (Apr 22)
