I am trying to avoid logging to a database like the plague (until I can get
more ram and HD space).
So currently I am using barnyard to just create a fast alert file and pcap
dump.
Question: Does the bookmark prevent barnyard from creating a new pcap file,
such as
barnyard.log.2004-10-20@12-13-40
I have an old network tap with split analyzing ports, so I am watching the
ingress on one interface and the egress on the other. When barnyard starts,
it creates the pcap file. I then run pcapmerge on the pcap files from both
interfaces periodically to create the complete picture of the snort alerts.
However, on system reboots, I want to make sure I have scripted the startup
scripts to correctly backup the data files before launching barnyard and
snort.
If you have a good solution for full logging and correlation without a
database, please let me know. I posted last month on snort-users about
snortsnarf and I may try to use this with barnyard and include packet data.
Shirkdog
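One way to script the pre-start backup described in the post, as an added example that is not part of the original message or of barnyard itself: the log directory, the backup root and the `fast.alert` file name are assumptions for illustration (only the `barnyard.log.<timestamp>` naming comes from the post). The function moves whatever barnyard wrote during the previous run into a fresh timestamped directory, so that when barnyard and snort are started afterwards and create new output files, nothing from before the reboot is overwritten or lost.

```shell
#!/bin/sh
# Pre-start backup of barnyard output (example code, not barnyard's own).
# Assumed layout: one log directory per tap interface, each holding
# barnyard.log.* pcap dumps plus a fast alert file named fast.alert.

# backup_barnyard_output LOGDIR BACKUPROOT
# Moves every barnyard output file in LOGDIR into BACKUPROOT/<timestamp>/
# and prints that destination directory. Nothing is deleted; files that
# do not exist (an empty glob) are skipped. Run this for each interface's
# log directory before launching barnyard and snort from the init script.
backup_barnyard_output() {
    logdir=$1
    backuproot=$2
    stamp=$(date +%Y-%m-%d_%H-%M-%S)
    dest="$backuproot/$stamp"
    mkdir -p "$dest"
    for f in "$logdir"/barnyard.log.* "$logdir"/fast.alert; do
        [ -e "$f" ] || continue        # glob matched nothing: skip the literal pattern
        mv "$f" "$dest"/
    done
    echo "$dest"
}

# Stand-alone demonstration with constructed files in a temporary directory
# (these are not real captures, just placeholders standing in for barnyard output).
demo_dir=$(mktemp -d)
touch "$demo_dir/barnyard.log.2004-10-20@12-13-40"
touch "$demo_dir/fast.alert"
demo_dest=$(backup_barnyard_output "$demo_dir" "$demo_dir/backup")
echo "backed up into: $demo_dest"
ls "$demo_dest"
```

In a real init script the two calls (one per interface log directory) go right before the lines that start barnyard and snort; because the files are moved rather than copied, the later periodic pcapmerge run sees only the current run's dumps in the live directory and the archived ones under the backup root.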