Snort mailing list archives
Re: FW: starting multiple instances of snort
From: James <snort () cyclohexane net>
Date: Mon, 7 Dec 2015 08:28:56 +0000
Hi Tony,

Thank you for replying and showing me your config.

I'm monitoring a 20Gb (10Gb each direction) link, so my plan is to load-balance (with pf_ring) that considerable traffic volume across the 16 snort instances with one config file.

I haven't got to barnyard installed yet, that'll be next if I get this bit working!

J.

On 4 December 2015 at 16:10, Tony Reusser <treusser () filertel com> wrote:
> James,
>
> I am only running two simultaneous instances of snort. One snort server with two sniffing interfaces on two separate network segments.
>
> The way I am doing it, I have a separate snort.conf file for each “sensor” and each has its own output file for barnyard (two instances of barnyard with two config files running also) and each has its own log file.
>
> Not as complex as your deployment, but here’s how my startup looks:
>
> /usr/local/bin/snort -dD -c /etc/snort/snort_eth1.conf -i eth1
> /usr/local/bin/snort -dD -c /etc/snort/snort_eth2.conf -i eth2
> #
> #
> /usr/local/bin/barnyard2 -D -f snort_eth1.u2 -d /var/log/snort/eth1_logs -c /etc/snort/barnyard2_eth1.conf
> /usr/local/bin/barnyard2 -D -f snort_eth2.u2 -d /var/log/snort/eth2_logs -c /etc/snort/barnyard2_eth2.conf
>
> Hope this helps.
>
> -tkr
>
> *From:* James [mailto:snort () cyclohexane net]
> *Sent:* Friday, December 04, 2015 8:54 AM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] starting multiple instances of snort
>
> Hi,
>
> I'm attempting to start 16 instances of snort using a for loop, but see this error repeating in /var/log/messages and hope someone can help as I'm drawing a blank at the moment.
>
> snort[8537]: FATAL ERROR: Stat check on log dir failed: No such file or directory.
>
> This is the loop:
>
> for i in `seq 0 1 15`; do
>     snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-$i --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4@$i,zc:eth5@$i --daq-var clusterid=$i --daq-var bindcpu=$i
> done
>
> The referenced log dirs exist and are owned by the snort user, as shown:
>
> []$ sudo -u snort ls -al /logs/snort/eth4_eth5/
> total 72
> drwx------ 18 snort snort 4096 Dec 4 10:44 .
> drwx------ 3 snort snort 4096 Dec 4 10:43 ..
> drwx------ 2 snort snort 4096 Dec 4 10:50 instance-0
> drwx------ 2 snort snort 4096 Dec 4 10:50 instance-1
> drwx------ 2 snort snort 4096 Dec 4 10:44 instance-10
> drwx------ 2 snort snort 4096 Dec 4 10:44 instance-11
> drwx------ 2 snort snort 4096 Dec 4 10:53 instance-12
> drwx------ 2 snort snort 4096 Dec 4 10:54 instance-13
> drwx------ 2 snort snort 4096 Dec 4 10:54 instance-14
> drwx------ 2 snort snort 4096 Dec 4 10:54 instance-15
> drwx------ 2 snort snort 4096 Dec 4 10:51 instance-2
> drwx------ 2 snort snort 4096 Dec 4 10:51 instance-3
> drwx------ 2 snort snort 4096 Dec 4 10:51 instance-4
> drwx------ 2 snort snort 4096 Dec 4 10:52 instance-5
> drwx------ 2 snort snort 4096 Dec 4 10:52 instance-6
> drwx------ 2 snort snort 4096 Dec 4 10:52 instance-7
> drwx------ 2 snort snort 4096 Dec 4 10:44 instance-8
> drwx------ 2 snort snort 4096 Dec 4 10:44 instance-9
>
> Any help is much appreciated.
>
> J.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
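Added example, not part of the thread and not code from any poster: a pre-flight check for the per-instance log directories used in the loop quoted above. For each instance it walks the absolute path component by component and reports the first one that is missing, not a directory, or not searchable by the user running the check, then tests that the final directory is writable. The function names and the command-line arguments are assumptions; the base path and instance count in the usage comment come from James's message.

```sh
#!/bin/sh
# Added example (assumed script, not from the thread).
# Usage, as the account snort runs under:
#   sudo -u snort sh preflight.sh /logs/snort/eth4_eth5 16

# Print the first component of an ABSOLUTE path that is missing, not a
# directory, or not searchable (x bit) for the current user.
# Prints nothing when every component can be traversed.
first_bad_component() (
    cur=""
    IFS=/
    set -f                          # no globbing while splitting the path
    for part in $1; do
        [ -n "$part" ] || continue  # skip the empty field before the leading /
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then echo "missing: $cur"; exit 0; fi
        if [ ! -d "$cur" ]; then echo "not a directory: $cur"; exit 0; fi
        if [ ! -x "$cur" ]; then echo "not searchable: $cur"; exit 0; fi
    done
)

# Check BASE/instance-0 .. BASE/instance-(N-1). Prints one line per problem
# and returns non-zero if any instance directory is unusable.
check_log_dirs() (
    base=$1; n=$2; bad=0; i=0
    while [ "$i" -lt "$n" ]; do
        dir="$base/instance-$i"
        problem=$(first_bad_component "$dir")
        if [ -z "$problem" ] && [ ! -w "$dir" ]; then
            problem="not writable: $dir"
        fi
        if [ -n "$problem" ]; then
            echo "instance $i: $problem"
            bad=$((bad + 1))
        fi
        i=$((i + 1))
    done
    [ "$bad" -eq 0 ]
)

# Run only when called with BASE and N; start the snort loop after this passes.
if [ "$#" -eq 2 ]; then
    check_log_dirs "$1" "$2" || exit 1
fi
```

Because every parent directory is checked, a restrictive mode on a directory above the instance directories shows up as "not searchable" rather than as a misleading "missing".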
Current thread:
- starting multiple instances of snort James (Dec 04)
- Re: starting multiple instances of snort Y M (Dec 04)
- Re: starting multiple instances of snort James (Dec 07)
- Re: starting multiple instances of snort Jack Pepper (Dec 07)
- Re: starting multiple instances of snort James (Dec 07)
- Re: starting multiple instances of snort James (Dec 07)
- <Possible follow-ups>
- FW: starting multiple instances of snort Tony Reusser (Dec 04)
- Re: FW: starting multiple instances of snort James (Dec 07)
- Re: starting multiple instances of snort Y M (Dec 04)