jbc22 edited this page Mar 15, 2012 · 2 revisions

Adding a sensor is as simple as standing up a new Snort instance that logs to the database. An alert takes this path: Snort -> snort.log -> barnyard2 -> database

In snort.conf there should be a line telling Snort to log to a local file in unified2 format (the format barnyard2 reads), for example: output unified2: filename snort.log, limit 128

Then barnyard2 needs to know which unified2 file to read and the directory it lives in: /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log

Barnyard2 also needs the details of your database, which are specified in barnyard2.conf: output database: log, mysql, dbname=snorby user=snort password=test
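The three steps above are easy to get subtly wrong (an old-style log_unified line that barnyard2 cannot read, a log directory that does not match the -d argument, a barnyard2.conf holding the database password that every local user can read). The following script is an added example, not part of this wiki page or of the Snorby or barnyard2 projects: it builds a constructed snort.conf and barnyard2.conf in a temporary directory, extracts the unified2 filename and database name from them, and reports whether the Snort -> unified2 -> barnyard2 -> database chain is consistent. The file contents, paths and function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not Snorby's or barnyard2's own tooling): sanity-check the
# Snort -> unified2 file -> barnyard2 -> MySQL chain described on this page.

# Print the filename from an "output unified2: filename <name>, ..." line,
# or nothing if snort.conf has no such line (e.g. it still uses log_unified).
unified2_filename() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the dbname from barnyard2.conf's "output database: ..." line, or nothing.
barnyard2_dbname() {
    sed -n 's/^[[:space:]]*output[[:space:]]*database:.*dbname=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Check the chain for one sensor. Args: snort.conf, barnyard2.conf, log directory.
# Returns 0 when consistent, 1 otherwise, and prints what it found.
check_sensor_chain() {
    snort_conf=$1; by2_conf=$2; logdir=$3
    status=0
    fname=$(unified2_filename "$snort_conf")
    if [ -z "$fname" ]; then
        echo "FAIL: $snort_conf has no 'output unified2: filename ...' line (barnyard2 reads unified2, not log_unified)"
        status=1
    fi
    db=$(barnyard2_dbname "$by2_conf")
    if [ -z "$db" ]; then
        echo "FAIL: $by2_conf has no 'output database: log, mysql, dbname=...' line"
        status=1
    fi
    if [ ! -d "$logdir" ]; then
        echo "FAIL: log directory $logdir (the -d argument) does not exist"
        status=1
    fi
    # barnyard2.conf carries the database password: warn if other users can read it.
    if [ -n "$(find "$by2_conf" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $by2_conf is world-readable but contains the database password"
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: run barnyard2 -c $by2_conf -d $logdir -f $fname (alerts go to database '$db')"
    fi
    return "$status"
}

# Build constructed sample configs in a temp dir and print its path (demo input only).
make_demo_configs() {
    d=$(mktemp -d)
    # Correct form: unified2, which barnyard2 can read.
    echo 'output unified2: filename snort.log, limit 128' > "$d/snort.conf"
    # Common mistake: the old unified (v1) format, which barnyard2 does not read.
    echo 'output log_unified: filename snort.log, limit 128' > "$d/bad_snort.conf"
    # Database line as on this page; keep the file private because of the password.
    echo 'output database: log, mysql, dbname=snorby user=snort password=test' > "$d/barnyard2.conf"
    chmod 600 "$d/barnyard2.conf"
    echo "$d"
}

# Stand-alone demo: check the good configuration.
demo_dir=$(make_demo_configs)
check_sensor_chain "$demo_dir/snort.conf" "$demo_dir/barnyard2.conf" "$demo_dir"
```

Point the three arguments of check_sensor_chain at the real /etc/snort/snort.conf, /etc/barnyard2.conf and /var/log/snort to check a freshly added sensor; the "OK" line shows the barnyard2 invocation that matches what the configs actually say.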
