Snort mailing list archives
Re: Multiple snorts & Barnyard2
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 21 Jun 2012 20:11:02 -0400
You should look into the afpacket capture method in daq.

On Thu, Jun 21, 2012 at 1:25 PM, Naresh Narang <nnarang () guardiananalytics com> wrote:

It's on Solaris 10. Yes, currently using the -i directive, but it starts up two instances. I'll need to check if IPMP can be done on NICs with no IPs.
--Naresh

-----Original Message-----
From: Kungu Panda [mailto:kungupanda () gmail com]
Sent: Thursday, June 21, 2012 10:22 AM
To: Naresh Narang
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] Multiple snorts & Barnyard2

Linux: yes, look into ifenslave/bonding.
Windows: I have no idea.
Or maybe multiple "-i" NIC directives can be specified on the snort command line; never tried that.
KPanda

On Thu, Jun 21, 2012 at 5:06 PM, Naresh Narang <nnarang () guardiananalytics com> wrote:

Ok, case in point. I have to monitor traffic coming in on two NICs. Can I monitor with one instance running?
--Naresh
Sent from my iPhone

On Jun 21, 2012, at 9:52 AM, "Kungu Panda" <kungupanda () gmail com> wrote:

I am using a single instance of snort to write out multiple unified files and then using multiple barnyard2 instances to send to both syslog and mysql. Basically sending alerts to a prime and backup monitoring station. No issues or problems; drop two "output unified2: xxx" directives in snort.conf. Not sure why anyone would need multiple instances of snort to achieve the same result. In fact, it would seem to be wildly inefficient to run multiple instances of snort to inspect the same traffic. Of course, you may have systems and CPUs to burn.
KPanda.

-----Original Message-----
From: Peter Bates [mailto:peter.bates () ucl ac uk]
Sent: Thursday, June 21, 2012 15:48
To: snort-users () lists sourceforge net
Subject: [Snort-users] Multiple snorts & Barnyard2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all

I was just wondering if I was missing any tricks here - and interested if anyone is doing things differently.

I'm spawning multiple Snort processes, with a different -l to write unified2 output into separate directories. As a result I'm running multiple Barnyard2 processes, each reading the directories in continuous mode and writing to DB and Syslog.

Is this the optimal way of doing things, or am I missing a crafty command-line option somewhere?

--
Peter Bates                  Senior Computer Security Officer
Phone: +44(0)2076792049      Information Services Division
Internal Ext: 32049          University College London
London WC1E 6BT

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
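The two approaches discussed in this thread, as an added configuration example that is not taken from the thread or from the Snort or Barnyard2 projects' own documentation: one Snort process reading two NICs through the afpacket DAQ and writing two unified2 spools (Kungu Panda's "two output unified2 directives" setup plus Joel's afpacket suggestion), with two Barnyard2 processes in continuous mode feeding a primary and a backup station. Interface names, paths, hostnames, the sensor name and the database credentials are placeholders. Two caveats a practitioner would want: afpacket is built on Linux AF_PACKET sockets, so this does not help on the Solaris 10 sensor mentioned above (Solaris would need the pcap DAQ plus IPMP or a similar aggregation); and the colon-separated interface list for passive mode is assumed here from the way the afpacket DAQ parses its device string, so confirm it against README.daq for the DAQ version you run.

```conf
# --- /etc/snort/snort.conf (fragment) ---------------------------------
# One Snort process, Linux afpacket DAQ, passive (IDS) mode.  Reading
# both NICs in one process replaces the two "-i" instances from the
# thread.  eth1/eth2 are placeholder interface names.
config daq: afpacket
config daq_mode: passive
# Larger ring buffer lowers packet drops on busy links (MB, afpacket-specific).
config daq_var: buffer_size_mb=512
config logdir: /var/log/snort

# Two unified2 spools from the same inspection pass, one per Barnyard2
# consumer.  Distinct filenames, so the two readers never share a file.
output unified2: filename snort-primary.u2, limit 128
output unified2: filename snort-backup.u2, limit 128

# Start command (assumed afpacket passive syntax: interfaces joined by ':'):
#   snort -c /etc/snort/snort.conf -i eth1:eth2 -u snort -g snort -D

# --- /etc/snort/barnyard2-primary.conf (fragment) ---------------------
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor01
config interface: eth1:eth2
# Bookmark (waldo) file.  Must be unique per Barnyard2 process: two
# processes sharing one waldo fight over the read position and will
# double-deliver or skip events.
config waldo_file: /var/log/snort/primary.waldo

output alert_syslog: LOG_AUTH LOG_ALERT
# This file holds a DB password: keep it owned root:snort, mode 0640.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=primary-db.example.net

# --- /etc/snort/barnyard2-backup.conf (fragment) ----------------------
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor01
config interface: eth1:eth2
config waldo_file: /var/log/snort/backup.waldo

output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=backup-db.example.net

# --- Barnyard2 start commands -----------------------------------------
# Continuous mode is the default (no -o).  -d is the spool directory,
# -f the unified2 filename prefix Snort was given above, -w the waldo
# file for this reader.  Each reader follows only its own spool.
#   barnyard2 -c /etc/snort/barnyard2-primary.conf -d /var/log/snort \
#             -f snort-primary.u2 -w /var/log/snort/primary.waldo -D
#   barnyard2 -c /etc/snort/barnyard2-backup.conf  -d /var/log/snort \
#             -f snort-backup.u2  -w /var/log/snort/backup.waldo  -D
```

The design point is that inspection happens once (one Snort, one DAQ) and only the cheap part, writing and reading unified2 records, is duplicated; keeping the spool filenames and waldo files separate is what lets the two Barnyard2 processes run independently without interfering.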
Current thread:
- Multiple snorts & Barnyard2 Kungu Panda (Jun 21)
- Re: Multiple snorts & Barnyard2 Naresh Narang (Jun 21)
- Re: Multiple snorts & Barnyard2 Joel Esler (Jun 21)
- Re: Multiple snorts & Barnyard2 Naresh Narang (Jun 21)