-
Snort/Barnyard
I'm attempting to familiarize myself with snort in all aspects. I have set up snort with little to no problems and have it running. I've played with different facets of it and it seems like a great piece of software.
I was reading the docs and came across the barnyard concept. This seems like a very good idea but I seem to be lacking in the understanding just slightly. I believe the concept is to allow multiple sniffers to be used throughout the network and be deposited in a joint location, and to off-load or load-balance some of the burden.
This is where I run into my question/problem. When using a barnyard, what is snort supposed to do and what is the barnyard supposed to do? I set up the barnyard to read from /var/logs/snort/ and it does that very well. I then configured snort to output to that location. This seems like what I would expect.
What I don't understand is, should snort still be analyzing the packets against its rules or should the barnyard do that? What I would expect is for snort to intercept all incoming packets like it does and dump those directly into the /var/log/snort directory. This would be the quickest manner, allowing the packet processing to come either later or by another process/machine. Then I figured the barnyard would read these packets and run them against the rules.
Currently I get all the alerts in the database that I'm supposed to get, but I feel as if snort is checking the packets against the rules.
Is there a switch I should use when running snort? I did a search for barnyard setups and came across little information. The install and usage files that come with barnyard tell how to set up barnyard but not how to reconfigure snort to work with it.
Any help would be appreciated.
-
Barnyard is an output system for Snort. Snort creates a special binary output format called "unified". Barnyard reads this file, and then resends the data to a database backend. Unlike the database output plugin, Barnyard is aware of a failure to send the alert to the database, and it stops sending alerts. It is also aware when the database can accept connections again and will start sending the alerts again.
Read more here:
http://www.snort.org/docs/FAQ.txt
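As an added illustration of the split described in the answer above (not part of the original thread): Snort keeps doing all of the detection work and only changes how it writes its results, while Barnyard's only job is to tail the unified spool and deliver it to the database. The Snort 2.x output directives and command-line switches below are the documented ones; the barnyard.conf directives and the barnyard command line are written from memory of the Barnyard 0.2 README and should be checked against the sample barnyard.conf shipped with your version. The sensor name, paths, database name and credentials are placeholders.

```conf
# --- /etc/snort/snort.conf (Snort 2.x): detection stays here ---
# Remove any "output database: ..." line so Snort never blocks on the DB.
# Write alerts and packet logs in the unified binary format instead;
# "limit 128" rolls the spool file at 128 MB.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# Snort is started exactly as before; -l is the spool directory Barnyard reads.
#   snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -D

# --- /etc/snort/barnyard.conf (Barnyard 0.2, from memory; verify) ---
config daemon
config hostname:  sensor1          # placeholder sensor name
config interface: eth0

# dp_alert / dp_log are the processors for the alert and log spool types.
processor dp_alert
processor dp_log

# Same database plugin names Snort itself would have used, now fed by Barnyard.
output alert_acid_db: mysql, sensor_id 1, database snort, server dbhost, user snort, password CHANGEME
output log_acid_db:   mysql, sensor_id 1, database snort, server dbhost, user snort, password CHANGEME, detail full

# Barnyard follows the spool in continuous mode; the waldo file records how far
# it has read, so alerts are neither lost nor duplicated if the DB goes away
# or Barnyard itself is restarted.
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert \
#            -w /var/log/snort/barnyard.waldo -D
```

The practical consequence for the original question: there is no Snort switch that hands rule evaluation to Barnyard. If the database output plugin is still enabled in snort.conf alongside the unified plugins, Snort will keep writing to the database directly and you get both paths at once, which is usually why "snort still seems to be checking the rules" is noticed only after adding Barnyard.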