[Snort-users] Barnyard and Multiple DB Connections
Jason Alexander 2004-09-22, 10:25 pm
Is it possible to have barnyard output to multiple databases at once? I
would like to have a database that everyone can look at and remove
alerts once they have been processed but would like to keep an archive
database of everything that was logged for reference.
Thanks
Jason
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
John Creegan 2004-09-22, 10:25 pm
You can do this with just one ACID db, assuming that everyone is looking
for alerts that do not cross purposes. If not, you could certainly create
then populate clones of the ACID db and configuration page, point the ACID
configuration page clones to new db's, then point your browser at the
clone pages. Still, this seems like a bit more work than it seems you
need. And, you'd still have to get the archive done before you replicate
to the clone db's.
Have you considered ACID alert groups?
> Is it possible to have barnyard output to multiple databases at once? I
> would like to have a database that everyone can look at and remove
> alerts once they have been processed but would like to keep an archive
> database of everything that was logged for reference.
> Thanks
> Jason
Steve Suppe 2004-09-24, 5:46 pm
My advice is to have two instances of Barnyard running, each logging to
a separate database. This involves having 2 waldo files (one for each),
so it takes a little tuning but it certainly isn't difficult to do.
Just point them at different files. You can even have it all work in
the Snort init script if you have them point to two different PID files,
and kill them off by referring to each process by its PID.
On top of that, when I did this, I had a cron script that cleared the
"alerts" database every month, while the "archive" database was never
cleared, so it maintained all the packets it had ever seen.
Hope that was clear,
Steve
Jason Alexander wrote:
> Is it possible to have barnyard output to multiple databases at once? I
> would like to have a database that everyone can look at and remove
> alerts once they have been processed but would like to keep an archive
> database of everything that was logged for reference.
>
> Thanks
> Jason
>
>
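Added example, not from the thread and not part of Barnyard or Snort: a small POSIX sh init-style script that does what Steve describes, two Barnyard instances (an "alerts" one and an "archive" one), each with its own config file, its own waldo file and its own PID file, started and stopped independently. The waldo file is each instance's bookmark into the unified spool, so the two must never be shared or one instance will resume from the other's position and skip records; the PID file is what lets the stop action kill the right process. The barnyard flags used (-c config, -d spool dir, -f spool base, -w waldo) and every path, file name and the BARNYARD_CMD override are assumptions for illustration; check `barnyard -h` on your version. Each config file is assumed to carry its own output database line pointing at the alerts or the archive database.

```shell
#!/bin/sh
# Manage two Barnyard instances ("alerts" and "archive") from one script.
# Each instance gets a separate config, waldo file and PID file so it can
# be started, checked and stopped on its own, as in an init script.
#
# Assumed, not from the thread: the barnyard flags -c/-d/-f/-w, the
# locations below, and the BARNYARD_CMD override (used by the tests).

BARNYARD_CMD="${BARNYARD_CMD:-barnyard}"   # assumed binary name
SPOOL_DIR="${SPOOL_DIR:-/var/log/snort}"   # assumed: where snort writes unified files
SPOOL_BASE="${SPOOL_BASE:-snort.log}"      # assumed unified spool base name
RUN_DIR="${RUN_DIR:-/var/run/barnyard}"    # assumed: waldo + pid files live here
CONF_DIR="${CONF_DIR:-/etc/snort}"         # assumed: barnyard-<name>.conf per instance

# Per-instance file names. The config is the only thing that differs in
# content (its output database line); the waldo and PID files must simply
# be distinct per instance.
config_for()  { echo "$CONF_DIR/barnyard-$1.conf"; }
waldo_for()   { echo "$RUN_DIR/$1.waldo"; }
pidfile_for() { echo "$RUN_DIR/$1.pid"; }

# True when the PID recorded for the instance still belongs to a live process.
is_running() {
    pf=$(pidfile_for "$1")
    [ -r "$pf" ] && kill -0 "$(cat "$pf")" 2>/dev/null
}

# Start one instance in the background without barnyard's own daemon mode,
# so that $! is the real barnyard PID and we can record it ourselves.
start_instance() {
    name=$1
    mkdir -p "$RUN_DIR"
    if is_running "$name"; then
        echo "$name already running (pid $(cat "$(pidfile_for "$name")"))" >&2
        return 1
    fi
    "$BARNYARD_CMD" -c "$(config_for "$name")" -d "$SPOOL_DIR" \
        -f "$SPOOL_BASE" -w "$(waldo_for "$name")" &
    echo $! > "$(pidfile_for "$name")"
}

# Stop one instance by the PID in its own PID file, then drop the file.
# The waldo file is kept on purpose: it is what lets the instance resume
# where it left off in the spool.
stop_instance() {
    name=$1
    pf=$(pidfile_for "$name")
    [ -r "$pf" ] || return 0
    pid=$(cat "$pf")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true   # reap it if it is our child
    rm -f "$pf"
}

case "${1:-}" in
    start)  start_instance alerts; start_instance archive ;;
    stop)   stop_instance alerts;  stop_instance archive ;;
    status) for n in alerts archive; do
                if is_running "$n"; then echo "$n: running"; else echo "$n: stopped"; fi
            done ;;
    "")     ;;   # no action given: only define the functions (sourced or tested)
    *)      echo "usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

Run it as `./barnyard-pair.sh start|stop|status`. Because the two instances read the same spool independently, the archive instance keeps everything while whatever cron job prunes the alerts database has no effect on the archive, which is the split Steve describes.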