Snort 2.1 Intrusion Detection, Second Edition
This brand-new edition of the best-selling Snort book covers all the latest features of the version 2.1 upgrade to the Snort product.
TABLE OF CONTENTS Snort 2.1 Intrusion Detection, Second Edition
Using the Continual-Processing Mode
Now that we are experienced in running Barnyard in batch-processing mode, let s see how to run it in continual-processing mode. In continual-processing mode, instead of exiting when it is finished reading a unified file, Barnyard waits either for new events to be written to the current file or for Snort to create a new unified file. Thus, Barnyard continues to process unified events as they occur. Unlike the batch-processing mode where we could tell Barnyard to process a mix of unified alert and log files with a single command, in continual-processing mode, Barnyard will only read one type or the other. In this section, we discuss the basics of running Barnyard in continual-processing mode. After mastering the basics, we will move on to the more advanced topics of enabling bookmark support, archiving processed files, and running multiple Barnyard processes simultaneously.
The Basics of Continual-Processing Mode
To run Barnyard in continual-processing mode we will use the format:
barnyard [OPTIONS]85 -f
Where [OPTIONS]85 are any of the general configuration options, and
Copyright Syngress Publishing, Inc. 2004 under license agreement with Books24x7
