I upgraded to Snort 220.127.116.11_1 on pfsense yesterday. My barnyard syslog output to a Splunk server has not dropped off. I went into the Snort GUI and can’t seem to find where to check these settings, I assume the change log entries have something to do with it:
Should I roll back to the older version to get logs back? Should I give Suricata a swing?
I switched to surricata when I moved to my XG-7100 1U last year.
I found Surricata to be a lot more stable and less buggy. Plus it’s friendlier on memory and CPU too.
Surricata still has those settings for Barnyard and it’s possible that you might be able to keep your original schema/database from your old Snort environment too, but i’ve not had any experience using barnyard so cannot confirm that.
I would say give Surricata a try and it’s possible you might be pleaseantly surprised.
My only gripe with Surricata is that after changing some settings you seem to haveto restart Surricata on the interface for the changes to work. Other than that i’ve found it a lot better than Snort, which is odd considering they are pretty much the same thing.
Installed Suricata, so far so good. It’s log output is similar enough I’m feeding it into the Snort for Splunk app and the fields seem to be getting extracted just fine.