Re: Problem with using 2 sensors

[Joel Esler <jesler () sourcefire com>]

If you run snort with -D, you shouldn't have to background it..  "&".

J

On Sep 27, 2011, at 4:27 PM, Lay, James wrote:

> <snip>
>
> /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1 & 
> /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2 & 
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ 
> -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ 
> -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ 
> -C /etc/snort/classification.config 
>
> <snip>
>
>
> Mike,
> Just like folks are saying, you'll need two separate instances of both snort AND barnyard2 (I thought the same thing 
> when I first started with barnyard...thought "I can run it once and it will read all my u2 files from all my running 
> snort instances"...wrong ;)).  I would copy snort.conf to snort1.conf and snort2.conf, and barnyard2.conf to 
> barnyard21.conf and barnyard22.conf, then change where they log at least where the u2 files are kept for snort, and 
> change to reflect the interface in both barnyard files.
>
> Change in your barnyard2 conf files:
> Barnyard21:   config interface:  eth1
> Barnyard22:   config interface:  eth2
>
> And in your snort conf files:
> Snort1.conf:  output unified2: filename /var/log/snort1/snort1.u2
> Snort2.conf:  output unified2: filename /var/log/snort2/snort2.u2
>
> Then run like so:
>
> /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort1.conf -i eth1 & 
> /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort2.conf -i eth2 &
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard21.conf -d /var/log/snort/snort1 -f snort1.us -w 
> /etc/snort/snort1.waldo 
> -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard22.conf -d /var/log/snort/snort2 -f snort2.us -w 
> /etc/snort/snort2.waldo 
> -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
>
>
> I've found separating out the .u2 files in different directories to be cleaner (although I have all instances logging 
> to a single all.fast file for easy monitoring).  You can change the names to whatever...I've found naming the 
> interfaces (internal/external) and integrating it into the conf name works well too (intbyard2.conf, intsnort.conf). 
> Hope that helps.
>
> James
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2dcopy1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!