Re: Problem with using 2 sensors

[JJC <cummingsj () gmail com>]

You will want each instance of snort writing to unique unified2 files..
maybe unifiedeth1 and unifiedeht2 for example, then you will want an
instance of barnyard PER instance of snort, pointing at each respective
unique unified2 filename pattern...

JJC

On Tue, Sep 27, 2011 at 1:53 PM, Mike Boeckeler <boeckelr () gmail com> wrote:

> Hi everyone,
>
> A few days ago I posted a message about how no matter what I tried, I could
> not get my setup running.  Needless to say my frustration level was off of
> the charts.
>
> Anyway I seem to have crossed most of the hurdles and have gotten almost
> everything working.  I am running Ubuntu 10.04, Snort 2.9.1,
> Snortrules-snapshot-2910, BASE and Barnyard 2.
>
> I have 3 interfaces - eth0 goes to the Internet for updates etc.....eth1 is
> a sensor and it is located on a hub between my dsl modem and router.  eth2
> is also a sensor, and it is located on a SPAN port, monitoring traffic
> inside of my ASA.
>
> BTW I used the Snort/Debian install guide posted on Snort.org for most of
> this install.
>
> If I start up first Snort and then Barnyard2 like you see below, everything
> runs, but BASE only reports alerts on eth2 (inside my network).  Also, it
> only reports that there is 1 interface.
>
> /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1
> &
> /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2
> &
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
> -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
> -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
> -C /etc/snort/classification.config
>
> Now I know that traffic is getting thru by using Wireshark and tcpdump to
> watch eth1 and eth2 as I try to trigger alerts with nmap.
>
> In fact, if I forget about BASE, Barnyard and Mysql, and run snort like
> this:  "snort -i eth1" in one terminal, and "snort -i eth2" in another
> terminal, both get the alerts that they should.  So the problem must be in
> Mysql, Barnyard2, etc.
>
> I have tried using two different snort.confs - one for the command that
> starts the eth1 instance; and the other for the command that starts the eth2
> instance, but to no avail.
>
> Does anybody have any ideas that might help?  I have emailed Joel off-list
> and he provided some good insights on particular issues, but I still need
> help with the aforementioned problems.
>
> I greatly appreciate any help that you guys can provide.
>
> Thanks!
> Mike
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2dcopy1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!