Snort mailing list archives
RE: Multiple Snort Instances
From: "McPheeters, Scott" <smcpheeters () fnms-indy com>
Date: Thu, 27 Feb 2003 16:01:54 -0500
I monitor 10 zones on 2 physical boxes that have 6 nics in them. I run an instance of snort for each nic. Scott -----Original Message----- From: Mike Koponick [mailto:mike () redhawk info] Sent: Thursday, February 27, 2003 3:41 PM To: snort-users () lists sourceforge net Subject: RE: [Snort-users] Multiple Snort Instances Maybe I'm being brain-dead today (please be nice) but why would someone want to run multiple instances of snort? Mike (Too much beer last night) -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Demetri Mouratis Sent: Thursday, February 27, 2003 11:53 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Multiple Snort Instances I have been investigating a rather strange problem with running multiple instances of snort on the same interface. The system is a Red Hat 7.3 box running snort 1.9 compiled with postgres support. Libpcap is libpcap-2002.09.09. The interface is eth1, brought up without an IP and connected to a monitoring port on a switch. When I run only one instance of snort, it sees all the traffic for the whole switch. However, when I run two instances of snort like so: # snort -dev -i eth1 # snort -dev -i eth1 The snort instances no longer see any TCP traffic, only UDP and ARP traffic. When I kill the second instance, all traffic is seen again by instance 1. When I fire up a third instance, all traffic is seen by all instances. Does this make any sense to anyone? --------------------------------------------------------------------- Demetri Mouratis dmourati () linfactory com ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Multiple Snort Instances Demetri Mouratis (Feb 27)
- Re: Multiple Snort Instances Erek Adams (Feb 27)
- RE: Multiple Snort Instances Mike Koponick (Feb 27)
- RE: Multiple Snort Instances Erek Adams (Feb 27)
- <Possible follow-ups>
- RE: Multiple Snort Instances Eric Joe (Feb 27)
- RE: Multiple Snort Instances McPheeters, Scott (Feb 27)
- RE: Multiple Snort Instances Williams Jon (Feb 28)
- RE: Multiple Snort Instances Demetri Mouratis (Feb 28)