Snort mailing list archives

Re: Barnyard2 and multiple sensors

From: Russell Fulton <r.fulton () auckland ac nz>
Date: Fri, 29 Oct 2010 16:39:55 +1300


On 21/10/2010, at 5:18 PM, Joel Esler wrote:

Run two instances of Barnyard as well.



OK, reworked all my scripts to handle multiple instances of barnyard but I have just realised that I can't find anyway 
of telling barnyard2 which sid to use.  Nor does it allow a filter option as barnyard (acid output plugin) did.

So if you are splitting traffic on a single interface between two snort instances how do we configure barnyard2 so that 
it does not trip over itself with respect to sids.

I have poked though the source and played with putting the filters on the command line but am really none the wiser -- 
anything I put on the commandline seems to be ignored completly.

From the source I think barnyard is supposed to take a filter on the commandline and us it to select sid but it still 
writes the pid file as barnyard2_<int>.pid so this will fail ???


Russell (the confused! -- so what is new:)

Joel

On Oct 20, 2010, at 11:40 PM, Russell Fulton wrote:

Hi Folks

I am at the point where I need to have more than one snort instance running on a given sensor so we can take 
advantage of multiple CPUs and thus I will be producing multiple unified2 files on a sensor.  Logically there is 
still just one sensor -- can barnyard2 merge input from more than one input file?  I've googled and rtfm'ed and 
could not find anything that suggested that this is possible.  I hope I missed something :)


--
Joel Esler
302-223-5974



------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Barnyard2 and multiple sensors Russell Fulton (Oct 20)
- Re: Barnyard2 and multiple sensors Joel Esler (Oct 20)
  - Re: Barnyard2 and multiple sensors Russell Fulton (Oct 20)
    - Re: Barnyard2 and multiple sensors Jason Haar (Oct 21)
    - Re: Barnyard2 and multiple sensors JJC (Oct 21)
  - Re: Barnyard2 and multiple sensors Russell Fulton (Oct 28)
    - Re: Barnyard2 and multiple sensors Jim Hranicky (Oct 28)
    - Re: Barnyard2 and multiple sensors Mike Lococo (Oct 31)
    - Re: Barnyard2 and multiple sensors Billy Marshall (Nov 02)
- Re: Barnyard2 and multiple sensors Eoin Miller (Oct 21)
- Re: Barnyard2 and multiple sensors Mike Lococo (Oct 21)
  - Re: Barnyard2 and multiple sensors Russell Fulton (Oct 21)
- Re: Barnyard2 and multiple sensors Jun Wan (Oct 27)
  - Re: Barnyard2 and multiple sensors Jim Hranicky (Oct 27)