Snort mailing list archives

Re: Multiple snort instance with different rulesets


From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Sun, 14 Oct 2001 18:05:32 +1000

Marc-Andre Hamelin wrote:

I tried to run multiple snort instance (one for each interface) with a
different ruleset for each, but it seems that all of them are using the same
ruleset (the one loaded by the first snort process started).

Snort essentially includes its rules from within snort.conf, or they
may also be defined in snort.conf itself.

My guess is that all your Snort processes are using the same snort.conf
hence the same rules ($HOME_NETs etc, etc).

 
Just a last minute thought as I am writing; could I have to name each
"snort.conf" file with different names (something like snort.conf.eth0,
snort.conf.eth1, etc...) ?

Yes, that was going to be my suggestion.

I don't currently know of a way to have multiple rules and HOME_NETs
apply to specific sensors from within a single snort.conf.


P.S. in case it could help, here's my startup script :

[..snip..]

    /usr/local/bin/snort -c /export/snort/eth0/rules/snort.conf -d -D -e -i eth0 -l /export/snort/eth0/logs/
    /usr/local/bin/snort -c /export/snort/eth1/rules/snort.conf -d -D -e -i eth1 -l /export/snort/eth1/logs/
    /usr/local/bin/snort -c /export/snort/eth2/rules/snort.conf -d -D -e -i eth2 -l /export/snort/eth2/logs/
    /usr/local/bin/snort -c /export/snort/eth3/rules/snort.conf -d -D -e -i eth3 -l /export/snort/eth3/logs/

[..snip..]


Hrrmm, looking at your script makes me wonder if your snort.conf files are
including a common ruleset.

An idea that just occurred to me: you could still use a common ruleset
and unique snort.conf files; simply add a 'pass' rule to the relevant
snort.conf to effectively short-circuit the rule you wish silenced.

Or you could do the reverse and add an 'alert' rule into a specific
snort.conf if you want an alert from that particular Snort instance,
only.

Finally, you could add the rule into your master ruleset for all sensors
to see the rule.

Naturally, they go above any include statements.





Regards,

Chris.
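Added example (not code from either poster): a POSIX shell startup script that builds the layout Chris suggests above. Each interface gets its own directory and its own snort.conf with its own HOME_NET; every snort.conf places sensor-specific 'pass' or 'alert' rules first and then includes one shared rules file, so a rule added to the common file reaches all sensors while a pass rule in one sensor's local file silences it there only. The /export/snort directory layout and the -c/-d/-D/-e/-i/-l switches follow Marc-Andre's script; the HOME_NET values, the common.rules and local.rules filenames and the sample rule text are assumptions for illustration. One caveat the thread does not mention: Snort 1.x applies rules in Alert, Pass, Log order by default, so a pass rule only suppresses a matching alert when Snort is started with -o (Pass, Alert, Log order), which the generated command line includes.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates one snort.conf
# per sniffing interface (shared ruleset + per-sensor overrides) and starts
# one Snort process per interface. Paths/rule names below are assumptions.

SNORT_BASE="${SNORT_BASE:-/export/snort}"                 # per-interface dirs live here
COMMON_RULES="${COMMON_RULES:-$SNORT_BASE/common/common.rules}"  # rules seen by all sensors
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"

# gen_conf IFACE HOME_NET [LOCAL_RULES]
# Writes $SNORT_BASE/IFACE/rules/snort.conf and prints its path.
# Sensor-specific rules (pass rules to silence something, or an alert rule
# wanted on this sensor only) go ABOVE the include of the common ruleset.
gen_conf() {
    iface=$1
    home_net=$2
    local_rules=${3:-}
    dir="$SNORT_BASE/$iface"
    mkdir -p "$dir/rules" "$dir/logs"
    conf="$dir/rules/snort.conf"
    {
        echo "# snort.conf generated for sensor on $iface"
        echo "var HOME_NET $home_net"
        echo "var EXTERNAL_NET !\$HOME_NET"
        echo "# --- sensor-specific overrides (pass/alert) come first ---"
        if [ -n "$local_rules" ] && [ -f "$local_rules" ]; then
            cat "$local_rules"
        fi
        echo "# --- ruleset shared by every sensor ---"
        echo "include $COMMON_RULES"
    } > "$conf"
    echo "$conf"
}

# snort_cmd IFACE
# Prints the command line for one sensor. -o switches Snort 1.x to
# Pass|Alert|Log rule order so that a local pass rule actually beats a
# matching alert rule from the common ruleset.
snort_cmd() {
    iface=$1
    echo "$SNORT_BIN -o -c $SNORT_BASE/$iface/rules/snort.conf -d -D -e -i $iface -l $SNORT_BASE/$iface/logs/"
}

# Usage: sh start-sensors.sh start
# The interface:HOME_NET pairs are assumed values for the example.
if [ "${1:-}" = "start" ]; then
    for spec in eth0:192.168.0.0/24 eth1:192.168.1.0/24 eth2:192.168.2.0/24 eth3:192.168.3.0/24; do
        iface=${spec%%:*}
        net=${spec#*:}
        # per-sensor overrides, if any, are kept in <iface>/rules/local.rules
        gen_conf "$iface" "$net" "$SNORT_BASE/$iface/rules/local.rules" >/dev/null
        $(snort_cmd "$iface")
    done
fi
```

Sourcing the script without the `start` argument only defines the two functions, which is convenient for checking what a generated snort.conf will contain before any sensor is launched.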

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users