Snort mailing list archives
Single Snort instance with multiple configurations (output)
From: Jukka Juslin <jtjuslin () hutcs cs hut fi>
Date: Tue, 30 Sep 2003 15:47:32 +0300 (EEST)
Dear all,

Slightly related to the message below from Frank Knobbe, I would like to know whether it is possible to start one instance of Snort with multiple configurations (and therefore probably multiple output places)?

I/we are interested in having separate output for inbound and outbound alerts (to be able to first consider the inbound alerts and automatically update the outbound). We wouldn't like to have 2 or more Snort instances running, because in that case they will naturally fight for common resources (reading from the network interface etc).

So, can somebody possibly help and tell if multiple configurations are possible?

Thanks,
Jukka

From: Frank Knobbe (FKnobbeKnobbeITS.com)
Date: Mon Jun 18 2001 - 22:24:21 CDT

Uhm, how about running two instances of snort with different configurations? One instance can monitor only the web traffic and alert on exploits, the other can ignore web traffic and you can use your catch-all rule in there.

It would be nice to have a rules checking priority system... wasn't there talk about that for 1.8? If not, here's the suggestion :)

Until then, running multiple instances will solve the problem.

Regards,
Frank
-----Original Message-----
From: barre [mailto:barrechello.be]
Sent: Tuesday, June 18, 2002 2:18 AM
To: snort-userslists.sourceforge.net

In the following example, I want to protect my dmz and will make an "alert" rule for all traffic from and to my dmz.

    alert any any any -> any any (msg:"tcp dmz traffic";)

But in this case, alerts will be generated when people access my webserver. So I make this nice pass rule to grant access to my webserver.

    pass tcp !MY_NET any -> webserver 80

Because this pass rule is applied below the alert rule, I have to use the -o option, to make sure that this previous rule makes an exception to the other rules. But in this scenario, I don't check the content of the pass rule for malicious traffic using the other alert rules. But if I delete the pass rule, it triggers the "catch all other traffic" rule.

Therefore: is there another way to implement a "catch all traffic" rule? Using this rule, you can write rules for all allowed traffic, and alert for all non-defined traffic. All other signatures (http malicious traffic for example) will still be applied to all traffic, even if they are in the pass or catch all rules.
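Both questions in this message, separate output files for inbound and outbound alerts from a single Snort process, and a "catch all other traffic" rule that does not depend on a pass rule and -o, can be handled inside one snort.conf in Snort 2.x using custom rule types (the "ruletype" block, which attaches its own output plugins to the rules declared with it) and negated destination ports/addresses in the catch-all rule header. The fragment below is an added example written for this archive page, not configuration from any of the posters; the network variables, host addresses, log paths and sid numbers are assumptions.

```snort
# Added example (not from the thread): one snort.conf, one Snort process.
# Network variables, paths and sids below are assumed values.
var HOME_NET      192.168.0.0/16
var EXTERNAL_NET  !$HOME_NET
var DMZ_NET       192.168.10.0/24
var WEBSERVER     192.168.10.80
var DMZ_OTHERS    [192.168.10.10,192.168.10.11]   # DMZ hosts that are not the web server
var RULE_PATH     /etc/snort/rules

# Default output for ordinary "alert" rules (e.g. the stock signature sets).
output alert_syslog: LOG_AUTH LOG_ALERT

# Custom rule types: each carries its own output plugins, so a rule declared
# as inbound_alert is written only to inbound.alert, never to the syslog
# output above. This is how one instance gets several output destinations.
ruletype inbound_alert
{
    type alert
    output alert_fast: /var/log/snort/inbound.alert
}

ruletype outbound_alert
{
    type alert
    output alert_fast: /var/log/snort/outbound.alert
}

# Direction lives in the rule header, so inbound and outbound conditions are
# simply different rules with different rule types.
inbound_alert tcp $EXTERNAL_NET any -> $HOME_NET 80 \
    (msg:"INBOUND web request containing /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)

outbound_alert tcp $DMZ_NET any -> $EXTERNAL_NET 6667 \
    (msg:"OUTBOUND DMZ host opening IRC connection"; flags:S; sid:1000002; rev:1;)

# Catch-all without a pass rule. "alert everything to the DMZ" plus
# "pass tcp any -> webserver 80" under -o makes the pass rule win, and the
# permitted port-80 traffic is then never inspected by any other signature.
# Instead, exclude the permitted traffic in the catch-all's own header:
# everything else in the ruleset still inspects port-80 traffic to the web server.
inbound_alert tcp $EXTERNAL_NET any -> $DMZ_NET !80 \
    (msg:"CATCH-ALL unexpected inbound DMZ connection (non-80)"; flags:S; sid:1000003; rev:1;)

inbound_alert tcp $EXTERNAL_NET any -> $DMZ_OTHERS 80 \
    (msg:"CATCH-ALL inbound port 80 to a DMZ host that is not the web server"; flags:S; sid:1000004; rev:1;)

# Stock signatures keep using the default syslog output and keep seeing
# the permitted web traffic, because no pass rule removes it from inspection.
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules

# Start a single sensor on the monitored interface; no -o is needed here.
#   snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
```

Two caveats worth knowing before relying on this. First, a rule declared with a custom ruletype goes only to that ruletype's outputs; if you also want it in the global syslog/database output you must list that output plugin inside the ruletype block as well. Second, the catch-all rules match on the SYN (flags:S), so each unexpected connection is reported once; replace that with flow:to_server,established if the stream preprocessor is enabled and you prefer to alert on established sessions rather than on connection attempts.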