Snort mailing list archives
How do I run multiple instances of snort on each firewall network interface?
From: Stanford Prescott <stan.prescott () gmail com>
Date: Fri, 31 Mar 2017 10:39:31 -0500
I've been doing a lot of research about how to run snort inline on a firewall with multiple network interfaces. But I think I am getting ahead of myself about how to do this. I think what I need to do is figure out the basics of just running multiple instances of snort on each interface first.

What I have is our firewall distro with a WAN interface and up to three LAN interfaces. Currently snort is set up to run and monitor the WAN interface in IDS mode. We also have the capability of running a separate program (called Guardian Active Response) that monitors the snort alerts log and places the IP of the offenders in the alert log into an ipblock file so that those IP addresses are blocked from the WAN interface.

What I want to do for now is to also monitor the internal LAN interfaces mainly to detect any outgoing threats from any of the internal networks.

My question for now is, how do I start and monitor the one to three internal networks? Is it simply a matter of having a separate snort.conf for each instance of snort? Would I also need a separate log file for the alerts from each network? Would I need a separate pid file for each snort daemon? Would it look something like this?

    ./snort -c </path/to first/snort.conf> -l /var/log/snort/snort_eth0/alert.log
    ./snort -c </path/to second/snort.conf> -l /var/log/snort/snort_eth1/alert.log

Would I also need separate rules for each snort instance?

TIA for any help!
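The message above describes a responder that reads the Snort alert log and blocks offending addresses. The following is an added example, not part of the original post and not Guardian Active Response's code, showing why alerts from LAN-side instances need direction-aware handling so an internal host is never put on the WAN block list. It assumes Snort's "fast" alert line format, one alert list per interface, and hypothetical LAN ranges; all sample lines are constructed.

```python
import ipaddress
import re

# Snort "fast" alert: ... [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+.*?\s+\[\*\*\]"
    r".*?\{[\w-]+\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)(?::\d+)?"
)
# Assumption: the networks behind the firewall's LAN interfaces.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]

# Constructed sample alerts, keyed by the interface whose Snort instance logged them.
SAMPLE = {
    "eth0": ["03/31-10:39:31.120000  [**] [1:1000001:1] Constructed inbound scan [**] "
             "[Priority: 2] {TCP} 203.0.113.7:40112 -> 192.168.1.10:22"],
    "eth1": ["03/31-10:40:02.450000  [**] [1:1000002:1] Constructed outbound beacon [**] "
             "[Priority: 1] {TCP} 192.168.1.23:49152 -> 198.51.100.9:443",
             "03/31-10:41:10.000000  [**] [1:1000003:1] Constructed lateral probe [**] "
             "[Priority: 2] {ICMP} 192.168.1.23 -> 192.168.2.5",
             "not an alert line"],
}

def is_protected(ip):
    return any(ip in net for net in PROTECTED)

def classify(line):
    """Return (direction, external_ip, local_ip), or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None  # malformed address in the log line
    if not is_protected(src):
        return ("inbound", str(src), str(dst))   # external source: block it
    if not is_protected(dst):
        return ("outbound", str(dst), str(src))  # internal source: block the far end
    return ("internal", None, str(src))          # LAN to LAN: nothing to block on WAN

def triage(alerts_by_iface):
    """Return (addresses to block on the WAN, internal hosts to investigate)."""
    block, review = set(), set()
    for iface, lines in alerts_by_iface.items():
        for hit in filter(None, map(classify, lines)):
            direction, external, local = hit
            if external:
                block.add(external)
            if direction != "inbound":
                review.add((iface, local))
    return sorted(block), sorted(review)
```

Keeping each instance's alerts separate, as the question proposes, is what lets the review list name the interface on which the suspect internal host was seen.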
Current thread:
- How do I run multiple instances of snort on each firewall network interface? Stanford Prescott (Mar 31)
- Re: How do I run multiple instances of snort on each firewall network interface? wkitty42 (Mar 31)
- Re: How do I run multiple instances of snort on each firewall network interface? Stanford Prescott (Mar 31)
- Re: How do I run multiple instances of snort on each firewall network interface? wkitty42 (Mar 31)