Snort 2.1 Intrusion Detection, Second Edition

Now that we have taught you everything you need to know about running and configuring Barnyard, let's apply that knowledge by deploying Barnyard in a sample scenario. We will start with a relatively simple configuration and then add more capabilities to it in order to address additional needs. We will presume that you already have Snort running and that you have configured both the unified log and unified alert output plug-ins.
Most Barnyard deployments consist of one or more Barnyard processes configured to process all data using the continual-processing mode. Some deployments also include extra configuration files that are occasionally used to perform additional processing. Our sample deployment will be no different. We are going to start by configuring Barnyard to perform remote syslog alerting. Then we are going to add database support. Next, we will add some configuration files that will allow us to occasionally extract specific data from the unified files. Finally, we will add the configurations necessary to view alerts on the console in real time.
The first capability our system needs is to be able to send alerts to a remote syslog server. While this could be accomplished by enabling syslog alerting directly in Snort, we want to make use of some of the additional features found in the alert_syslog2 output plug-in in Barnyard. For this output, we will be using a syslog server with the hostname chips. However, this particular syslog server has been configured to listen for syslog messages...
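Added here as an illustration, not the book's own configuration: the two snort.conf output lines the scenario presumes, followed by a minimal barnyard.conf that decodes the unified alert spool and hands each alert to the alert_syslog2 output plug-in for delivery to chips. The sensor name, interface, facility, priority and port are assumptions (the port in particular must be whatever chips actually listens on), and the option syntax follows the sample barnyard.conf shipped with Barnyard 0.2.

```conf
# --- snort.conf: the unified output plug-ins this scenario presumes ---
# Each writes a binary spool file under Snort's log directory and
# rolls over to a new file when it reaches 128 MB.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf: first stage of the scenario, remote syslog alerting ---
# Run in the background and stamp events with local rather than UTC time.
config daemon
config localtime

# Assumed sensor name and monitored interface; both are reported with each alert.
config hostname: sensor1
config interface: eth0

# Decode the unified alert spool (dp_log would be added to read snort.log).
processor dp_alert

# Forward every decoded alert to the syslog server "chips".
# facility, priority and port are assumptions; port must match chips' listener.
output alert_syslog2: facility=LOG_AUTH, priority=LOG_INFO, hostname=chips, port=514

# Continual-processing mode is selected on the command line with a waldo
# (bookmark) file, so Barnyard resumes where it left off after a restart:
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert \
#            -w /var/log/snort/barnyard.waldo
```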