Snort mailing list archives
Re: Snort with two instances
From: Mike Lococo <mikelococo () gmail com>
Date: Fri, 24 Dec 2010 16:32:11 -0500
On 12/22/2010 02:07 PM, J. L. Cabral wrote:
Dear all, I have a Snort 2.9 box with two sniffing interfaces: <snip> Is it better to have two different snort.conf files...
As others have responded, you certainly can use separate conf-files. I used to do so, but have since merged into a single config-file. I specify the few unique config-bits on the command-line in my startup script. I prefer a single config-file because it's simpler to manage. My command-line sets the interface, location of my logs, and location of my perfmon-stats:

    snort -D -i eth1 -c /etc/snort/snort.conf -l /var/log/snort/eth1 \
        --perfmon-file /var/log/snort/eth1/snort.stats
    snort -D -i eth2 -c /etc/snort/snort.conf -l /var/log/snort/eth2 \
        --perfmon-file /var/log/snort/eth2/snort.stats

All of my snort-instances monitor load-balanced shares of the same network and run with identical rule-configs. If your snort-instances have different home-nets, set that on the command-line with -h. If you have different rule-configs for your snorts, you're probably better off with separate config-files.
In this case, what happens if I download rules with oinkmaster? Will they apply to both the snort-eth1.conf and snort-eth2.conf files?
If you use a single-config file, they'll share the same rule-files and configuration. If you use separate-configs, you can choose whether the rule-files and configuration are shared. If you point every snort-instance to the same RULE_PATH, they'll share rule-files. If you point each snort-instance to a separate RULE_PATH like:

    var RULE_PATH /etc/snort/rules-eth1   # in snort-eth1.conf
    var RULE_PATH /etc/snort/rules-eth2   # in snort-eth2.conf

then you must run a separate instance of oinkmaster/pulledpork for each RULE_PATH, can use a separate oinkmaster/pulledpork-config for each RULE_PATH, and can control the rules for each snort-instance separately.
Or what is the best way to do what I need?
It's a matter of preference. I prefer a single-config, but my snort-instances are identically configured. Either way is reasonable. Whether you use one or multiple snort.conf-files, you'll need to run a separate copy of barnyard2 for each snort-instance. Set your log-dirs to be different for each instance (I use /var/log/snort/ethX).

Cheers,
Mike Lococo
Current thread:
- Snort with two instances J. L. Cabral (Dec 22)
- Re: Snort with two instances Eoin Miller (Dec 22)
- Re: Snort with two instances Castle, Shane (Dec 22)
- Re: Snort with two instances Lay, James (Dec 22)
- Re: Snort with two instances David C. Maple (Dec 22)
- Re: Snort with two instances Mike Lococo (Dec 24)