Snort mailing list archives
RE: [Snorting 2 NICs]
From: "K.S.NARAYANAN" <knarayan () mahindrabt com>
Date: Tue, 11 Jun 2002 09:41:01 +0530
I do it this way without any problem:

* I have all my rules @ /etc/snort/rules .
* I have 2 snort.conf files
  o /etc/snortint.conf ( with more local rules )
  o /etc/snortext.conf ( with standard snort rules )
* A single snort binary & I call 2 instances of snort like this
  o snort -c /etc/snortint.conf -i eth0
  o snort -c /etc/snortext.conf -i eth1

The above method works well . Any comments please ...

Regards,
Narayan.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of McCammon, Keith
Sent: Monday, June 10, 2002 6:39 PM
To: mr6re9 () execulink com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] [Snorting 2 NICs]

You should be able to simply install another Snort instance. Instances can share conf and rules files, but not the binary as far as I am aware. Just do "cp snort snort2" and call snort2 for the second instance.

-----Original Message-----
From: Gregory D Hough [mailto:mr6re9 () execulink com]
Sent: Monday, June 10, 2002 8:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] [Snorting 2 NICs]

Greetings Group,

I have Snort running into MySQL. I use ACID to view alerts. Snort works fine when started as:

    snort -c /usr/local/etc/snort/snort.conf -i eth0 -D

but this is my internal interface. When fired up for eth1 (IP address ppp0) I get this in /var/log/messages:

    WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned
    Initializing daemon mode
    WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned
    PID stat checked out ok, PID set to /var/run
    Writing PID file to "/var/run"
    Snort initialization completed successfully, Snort running

Obviously Snort sees no traffic whatsoever. Is there any way to initialize Snort with two sensors, eth0 and ppp0? This is on a tutorial HOME_NET, with a Linux gateway machine and two other boxes inside, one Linux and one Win.
I'd like to continue monitoring the internal due to the Win box. I have mulled over the excellent documentation for setting the whole thing up, thanks to everyone involved. I just haven't found an answer to this type of setup yet.

Thanks for any clues,
farmer6re9

PS- Poll Contrib:
month/year of capture: 05/21/2002 to 06/10/2002
version of snort: snort-1.8.6
description of rules enabled - default? all? custom (please give details): default
sensor environment - what kind/size of organisation, location of sensor etc: home network/3 boxen eth0 before hub on gateway machine
inside some kind of firewall (Y/N): Y iptables
bandwidth sniffed (ISDN, ADSL, 10, 100, gigabit etc): ADSL
duration of sniffing (days): 20
total number of alerts raised: 185
format of alerting - text/fast, text/full (this is the default), tcpdump, database (what type?) etc: default, MySQL-3.23.43-1
payloads captured (Y/N): Y
total disk space taken by the alerts (including payloads if captured, database indexes etc): 92.1 KB's

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
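The two-instance setup discussed in this thread, written out as a launcher script. This is an added example, not code from any poster or from the Snort project; the function names, the DRY_RUN switch and the per-interface log directories under /var/log/snort are assumptions, and the config paths are the ones quoted in the reply.

```shell
#!/bin/sh
# Added example: one Snort process per interface, each with its own config.
# Constructed sensor map of "<interface>:<config>" pairs (paths from the reply).
SENSORS="eth0:/etc/snortint.conf eth1:/etc/snortext.conf"
LOG_ROOT="/var/log/snort"   # assumption: one log subdirectory per interface
SNORT_BIN="snort"           # a single shared binary serves every instance

# Print the command line for one "<iface>:<conf>" pair; fail on a malformed pair.
snort_cmd() {
    iface=${1%%:*}
    conf=${1#*:}
    [ -n "$iface" ] && [ -n "$conf" ] && [ "$iface" != "$1" ] || return 1
    printf '%s -D -c %s -i %s -l %s/%s\n' \
        "$SNORT_BIN" "$conf" "$iface" "$LOG_ROOT" "$iface"
}

# Print every command in the map, refusing a map that names an interface twice
# (two instances on one interface would produce duplicate alerts).
plan_sensors() {
    seen=" "
    for pair in $1; do
        iface=${pair%%:*}
        case "$seen" in
            *" $iface "*) echo "duplicate interface: $iface" >&2; return 1 ;;
        esac
        seen="$seen$iface "
        snort_cmd "$pair" || { echo "bad entry: $pair" >&2; return 1; }
    done
}

# Start the instances. DRY_RUN defaults to 1, which only prints the plan.
start_sensors() {
    plan_sensors "$1" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            # The log directory is everything after the final " -l ".
            mkdir -p "${cmd##* -l }" && $cmd
        fi
    done
}

start_sensors "$SENSORS"
```

Run it with DRY_RUN=0 as root to actually start the daemons; giving each instance its own -l directory keeps the two sensors' alert files apart.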
Current thread:
- [Snorting 2 NICs] Gregory D Hough (Jun 10)
- Re: [Snorting 2 NICs] Petr Ruzicka (Jun 10)
- <Possible follow-ups>
- RE: [Snorting 2 NICs] McCammon, Keith (Jun 10)
- RE: [Snorting 2 NICs] K.S.NARAYANAN (Jun 10)
- Re: [Snorting 2 NICs] Gregory D Hough (Jun 11)
- Re: [Snorting 2 NICs] Erek Adams (Jun 11)
- RE: [Snorting 2 NICs] K.S.NARAYANAN (Jun 11)
- Re: [Snorting 2 NICs] Martin Forest (Jun 13)
- RE: [Snorting 2 NICs] K.S.NARAYANAN (Jun 10)
- FW: [Snorting 2 NICs] McCammon, Keith (Jun 10)
- RE: [Snorting 2 NICs] COULOMBE, TROY (Jun 11)