This is a discussion on Re: [Snort-users] Barnyard's explained within the Snort forums, part of the System Security and Security Related category.

Hi,
Logging to a binary file is pretty fast, and reduces the overhead in snort. Logging to a database directly from snort may cause some troubles. Snort waits for the output of the database plugin to continue the process. If your database is heavily loaded, it may slow down snort. If your database shuts down, snort will fall. When using barnyard, if the database fails, barnyard will fail, but snort will still be logging.

You can use barnyard for continuous processing, where each alert generated by snort in the unified log is processed immediately by barnyard. You can use barnyard for post-processing the logs, where the unified log will be processed by barnyard when you want.

Wouldn't it be nice to have a central database where you can store the data of all your sensors? You just have to download the unified log of each sensor and process each one with barnyard, using a different barnyard.conf for each sensor. And use ACID to analyze and correlate the data.

Regards,
Alejandro Flores

> Can someone explain what the benefit is of using Barnyard?
>
> I understand that the unified output plug in allows Snort to write
> alerts and logs into a single binary file which frees up processing
> from the detection engine (as opposed to writing to a flat file, etc)
> so that Snort runs faster overall. However, Snort does that by
> itself. I'm not clear on what value Barnyard adds to this.
>
> thanks

Snort-users mailing list
Snort-users@lists.sourceforge.net
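
The decoupling described in the reply above, as an added example that is not part of the original post and is not Barnyard's code: a sensor appends alerts to a local spool while a separate reader loads them into a database and records its position in a bookmark file. The record layout, file names, table schema and function names are assumptions made for illustration (this is not Snort's unified format), and SQLite stands in for the central database.

```python
import sqlite3, struct, tempfile
from pathlib import Path

# Constructed record layout (NOT Snort's unified format): 4-byte length, then payload.
def sensor_write(spool: Path, alert: bytes) -> None:
    """Sensor side: append to the local spool; the database is never touched."""
    with spool.open("ab") as f:
        f.write(struct.pack("<I", len(alert)) + alert)

def spool_to_db(spool: Path, bookmark: Path, db, sensor_id: int) -> int:
    """Reader side: insert records past the bookmark, advancing it only after commit."""
    done = 0
    with spool.open("rb") as f:
        f.seek(int(bookmark.read_text()) if bookmark.exists() else 0)
        while True:
            hdr = f.read(4)
            if len(hdr) < 4:
                break                       # end of spool
            (n,) = struct.unpack("<I", hdr)
            body = f.read(n)
            if len(body) < n:
                break                       # record still being written
            db.execute("INSERT INTO alerts(sensor, msg) VALUES (?, ?)",
                       (sensor_id, body.decode()))
            db.commit()                     # raises if the database is unavailable
            bookmark.write_text(str(f.tell()))
            done += 1
    return done

def demo():
    d = Path(tempfile.mkdtemp())
    spool, mark = d / "sensor1.spool", d / "sensor1.mark"
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alerts(sensor INTEGER, msg TEXT)")
    down = sqlite3.connect(":memory:")
    down.close()                            # stands in for a database outage
    sensor_write(spool, b"constructed alert 1")
    first = spool_to_db(spool, mark, db, 1)
    sensor_write(spool, b"constructed alert 2")   # sensor keeps logging during outage
    sensor_write(spool, b"constructed alert 3")
    try:
        spool_to_db(spool, mark, down, 1)
        reader_failed = False
    except sqlite3.Error:
        reader_failed = True                # reader fails, spool and bookmark intact
    second = spool_to_db(spool, mark, db, 1)      # reader restarted, database back
    rows = db.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]
    return first, reader_failed, second, rows
```

Calling `demo()` returns `(1, True, 2, 3)`: the reader fails during the outage, the sensor's writes are unaffected, and the restarted reader picks up from the bookmark without losing or duplicating alerts.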