Thread: Snort/Barnyard

  1. #1
    Senior Member
    Join Date
    Jul 2004


    I'm attempting to familiarize myself with snort in all aspects. I have setup snort with little to no problems and have it running. I've played with different facets of it and it seems like a great piece of software.

    I was reading the docs and came across the barnyard concept. This seems like a very good idea but I seem to be lacking in the understanding just slightly. I believe the concept is to allow multiple sniffers to be used throughout the network and be deposited in a joint location, and to off-load or load-balance some of the burden.

    This is where I run into my question/problem. When using a barnyard, what is snort supposed to do and what is the barnyard supposed to do. I setup the barnyard to read from /var/logs/snort/ and it does that very well. I then configured snort to output to that location. This seems like what I would expect.

    What I don't understand is, should snort still be analyzing the packets against its rules or should the barnyard do that? What I would expect is for snort to intercept all incoming packets like it does and dump those directly into the /var/log/snort directory. This would be the quickest manner, allowing the packet processing to come either later or by another process/machine. Then I figured the barnyard would read these packets and run them against the rules.

    Currently I get all the alerts in the database that I'm supposed to get, but I feel as if snort is checking the packets against the rules.

    Is there a switch I should use when running snort? I did a search for barnyard setups and came across little information. The install and usage files that come with barnyard tell how to setup barnyard but not how to reconfigure snort to work with it.

    Any help would be appreciated.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    Barnyard is an output system for Snort. Snort creates a special binary output
    format called "unified". Barnyard reads this file, and then resends the data
    to a database backend. Unlike the database output plugin, Barnyard is aware of
    a failure to send the alert to the database, and it stops sending alerts. It is
    also aware when the database can accept connections again and will start
    sending the alerts again.

    Read more here:
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
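The division of labour in the answer above, as an added illustration that is not part of the thread and not Barnyard's or Snort's code: the sensor side still does all rule matching and only appends records to a spool file, while the spooler side forwards those records to the database, keeps a bookmark of how far it got (Barnyard calls this the "waldo" file), stops when the backend refuses an alert, and resumes from the bookmark once the backend is back. In Snort 2.x the `output unified:` directive in snort.conf is what selects that binary spool format. The record layout, sink and bookmark below are constructed stand-ins, not the real unified format.

```python
"""Constructed simulation of sensor -> spool file -> spooler -> database.

Not Barnyard's code. The record framing (a 2-byte marker and a 4-byte
length in front of a JSON payload) is invented for the example; the real
unified format is a C struct layout defined by Snort.
"""
import json
import os
import struct
import tempfile

MARKER = 0x5350          # constructed record marker, not the real unified magic
HDR = struct.Struct("!HI")  # marker, payload length


class DatabaseDown(Exception):
    """Raised by the sink when the backend cannot accept the alert."""


def write_spool(path, alerts):
    """Sensor side: detection has already happened; just append records so
    the sensor never blocks on a slow or dead database."""
    with open(path, "ab") as f:
        for alert in alerts:
            payload = json.dumps(alert).encode()
            f.write(HDR.pack(MARKER, len(payload)) + payload)


def read_records(path, offset):
    """Yield (next_offset, alert) starting at a bookmark. A truncated
    trailing record (sensor still writing it) is left for the next pass."""
    with open(path, "rb") as f:
        f.seek(offset)
        while True:
            hdr = f.read(HDR.size)
            if len(hdr) < HDR.size:
                return
            marker, length = HDR.unpack(hdr)
            if marker != MARKER:
                raise ValueError("spool corrupt at offset %d" % offset)
            payload = f.read(length)
            if len(payload) < length:
                return
            offset += HDR.size + length
            yield offset, json.loads(payload)


class Spooler:
    """Spooler side: forwards records to a sink and persists the bookmark
    only after the sink has accepted each record."""

    def __init__(self, spool, waldo, sink):
        self.spool, self.waldo, self.sink = spool, waldo, sink
        self.offset = 0
        if os.path.exists(waldo):
            with open(waldo) as f:
                self.offset = int(f.read() or 0)

    def run_once(self):
        """Forward until the spool is exhausted or the sink fails.
        Returns the number of records delivered in this pass."""
        delivered = 0
        for next_off, alert in read_records(self.spool, self.offset):
            try:
                self.sink(alert)
            except DatabaseDown:
                break           # stop; bookmark stays at the last accepted record
            self.offset = next_off
            with open(self.waldo, "w") as f:
                f.write(str(self.offset))
            delivered += 1
        return delivered


class FlakySink:
    """Stand-in database that rejects everything while `up` is False."""

    def __init__(self):
        self.up = True
        self.stored = []

    def __call__(self, alert):
        if not self.up:
            raise DatabaseDown()
        self.stored.append(alert["sid"])


def demo():
    """Sensor writes one alert, the database dies, two more alerts arrive,
    the database recovers and a restarted spooler delivers the backlog.
    Returns (first_pass, pass_while_down, pass_after_recovery, stored_sids)."""
    d = tempfile.mkdtemp()
    spool, waldo = os.path.join(d, "snort.log"), os.path.join(d, "waldo")
    sink = FlakySink()
    write_spool(spool, [{"sid": 1000001, "msg": "constructed alert A"}])
    spooler = Spooler(spool, waldo, sink)
    first = spooler.run_once()
    sink.up = False
    write_spool(spool, [{"sid": 1000002, "msg": "B"}, {"sid": 1000003, "msg": "C"}])
    down = spooler.run_once()
    sink.up = True
    after = Spooler(spool, waldo, sink).run_once()   # restart picks up the waldo
    return first, down, after, sink.stored


if __name__ == "__main__":
    print(demo())
```

The point to take from it is the answer to the original question: the sensor process is still the one running the rules, and the spooler adds nothing to detection. What it adds is decoupling: because the bookmark is only advanced after the database accepts a record, an outage loses nothing, and a record that was in flight when the backend failed is simply sent again on recovery (at-least-once delivery, so the database side should tolerate a duplicate).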
