idea!2004-10-12

2004-10-12
http://www.tcpdump.org/related.html-----<这里有一些相关的工具和论文
                                                               
http://www.tcpdump.org/papers/bpf-usenix93.pdf

How about CIDR and many other concepts

If you want Snort to go fast (like keep up with a 1000 Mbps connect), you need to use unified
logging and a unified log reader such as barnyard. This allows snort to log alerts in a binary
form as fast as possible and have another program performing the slow actions, such as writing
into a database.

http://sguil.sourceforge.net/images/0.4/ssnqry.png

   Barnyard 0.1.0 configuration file
从分析sguil 和 Barnyard 看它们如何对报警信息进行处理。

Barnyard  若干个输出插件，有和snort 一样的输出功能。
              esp. 有个插件能将信息输出到sguil 中去，（分别输出到 sguil server 的相应的7xxx端口
                                                                      和MYSQL中数据库中去）

                  

 current interesting:   snort /Barnyard 怎么将 alert 和普通 的信息分开输出。