Snort mailing list archives
Running snort and barnyard with 3 sniffing interfaces
From: ccie 6862 <ccie6862 () yahoo com>
Date: Thu, 29 Apr 2010 21:10:09 -0700 (PDT)
I need a sanity check here, as I'm having a little problem with barnyard. I have a CentOS 5 system with the most recent
version of snort and barnyard. The system has 4 interfaces: one is the management interface while the other 3 are the
sniffing interfaces with no IP and SPANed on a Cisco switch on 3 different VLANs. Snort on each of the different
sniffing interfaces has a different start up script and consequently generates different snort.alert and snort.log
files. This all seems to be working correctly.
When I set up barnyard, I've done something similar: there are three different instances of barnyard, one for each log pair,
and consequently each runs with a different waldo, pid file, and configuration. They all have "-d
/var/log/snort -f snort.log" configured.
Here's the problem. I get a fair amount of hits on the public snort sniffing interface; however, barnyard doesn't add
anything to the dump.log file. The other instances of barnyard for the other interfaces appear to dump info into the
dump.log file.
This may be of interest, but does anyone see anything I've done wrong?
root 9536 18.8 3.6 226044 145480 ? Ss 22:44 4:49 /usr/local/bin/snort1 -i eth1 -I -c /etc/snort/snort1.conf -D
root 9557 0.0 0.1 49524 4468 pts/1 S 22:44 0:00 /usr/local/bin/barnyard1 -c /etc/snort/barnyard1.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard1.waldo -D -X /var/run/barnyard1.pid
root 9576 0.2 2.2 177744 90368 ? Ss 22:44 0:03 /usr/local/bin/snort2 -i eth2 -I -c /etc/snort/snort2.conf -D
root 9599 0.0 0.1 49524 4468 pts/1 S 22:45 0:00 /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D -X /var/run/barnyard2.pid
root 9619 0.2 2.2 177740 90360 ? Ss 22:45 0:03 /usr/local/bin/snort3 -i eth3 -I -c /etc/snort/snort3.conf -D
root 9640 0.0 0.1 49524 4468 pts/1 S 22:46 0:00 /usr/local/bin/barnyard3 -c /etc/snort/barnyard3.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard3.waldo -D -X /var/run/barnyard3.pid
Thank you.
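Editor's added example (not part of the original post or of the snort/barnyard projects): a small sanity check for the setup described above. Every barnyard instance is started with the same "-d /var/log/snort -f snort.log", so all three point at the same spool directory and base filename; the script below parses the -d and -f options out of a list of barnyard command lines and reports any spool shared by more than one instance. The command lines are constructed to mirror the ps output in the post, and the "fixed" set, with one directory per sniffing interface, is an assumed layout offered only to show what a non-colliding configuration looks like; the matching snort instance would then have to write its unified log to the same directory (for example via its -l log directory or the output filename in the per-interface snortN.conf).

```sh
#!/bin/sh
# Added example: find barnyard instances that read the same spool
# (same -d directory and same -f base filename).

# Print the argument that follows a given option flag in a command line.
# Usage: opt_value FLAG word1 word2 ...   (returns 1 if FLAG is absent)
opt_value() {
    flag=$1; shift
    while [ $# -gt 0 ]; do
        if [ "$1" = "$flag" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Read one barnyard command line per line on stdin and emit the spool
# key "DIR/FILE" each instance will read. A missing option is printed
# as "?" rather than guessing at barnyard's built-in default.
spool_keys() {
    set -f   # no globbing while we word-split the command line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        d=$(opt_value -d "$@") || d='?'
        f=$(opt_value -f "$@") || f='?'
        printf '%s/%s\n' "$d" "$f"
    done
    set +f
}

# Exit 1 and list the colliding spools if two or more instances share one.
check_spools() {
    dups=$(spool_keys | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'spool shared by more than one barnyard instance:\n%s\n' "$dups"
        return 1
    fi
    echo "ok: every barnyard instance reads a distinct spool"
    return 0
}

# Constructed from the ps listing in the post (options trimmed to those that matter).
POSTED_CMDLINES="/usr/local/bin/barnyard1 -c /etc/snort/barnyard1.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard1.waldo -D -X /var/run/barnyard1.pid
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D -X /var/run/barnyard2.pid
/usr/local/bin/barnyard3 -c /etc/snort/barnyard3.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard3.waldo -D -X /var/run/barnyard3.pid"

# Assumed alternative: one spool directory per sniffing interface.
FIXED_CMDLINES="/usr/local/bin/barnyard1 -c /etc/snort/barnyard1.conf -d /var/log/snort/eth1 -f snort.log -w /var/log/snort/eth1/barnyard.waldo -D -X /var/run/barnyard1.pid
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/eth2 -f snort.log -w /var/log/snort/eth2/barnyard.waldo -D -X /var/run/barnyard2.pid
/usr/local/bin/barnyard3 -c /etc/snort/barnyard3.conf -d /var/log/snort/eth3 -f snort.log -w /var/log/snort/eth3/barnyard.waldo -D -X /var/run/barnyard3.pid"

echo "== as posted =="
printf '%s\n' "$POSTED_CMDLINES" | check_spools || true   # non-zero exit is the finding
echo "== one spool per interface =="
printf '%s\n' "$FIXED_CMDLINES" | check_spools
```

On a live host the same check can be run against the process table instead of the constructed list, e.g. `ps -eo args= | grep '[b]arnyard' | check_spools`. Distinct waldo files, as the post already has, only track each reader's position; they do not separate the input, so the -d/-f pair is what must differ per instance.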
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users