Snort mailing list archives

Running two instances of Snort


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Wed, 25 Sep 2002 12:51:55 -0400


Hello,

I'm currently running Snort 1.8.7 on RHLinux 7.0. I currently have a very
large custom rules file I created that does a lot of content checking, and
I'm afraid that since my custom rules file alerts on a large majority of
packets, then the other Snort attack rules will not be alerted on (Snort
will only alert on one rule per packet as I understand it).

As a test I've tried running two instances of Snort on the same box and both
appear to work perfectly, catching everything. Rather than creating a
separate box, I was thinking of running two instances of Snort on the same
box: one just looking for alerts in my custom alerts file (since it is so
massive and does a lot of content checking), and one instance of Snort
alerting on all of the other standard Snort rules. This way, if a packet
were to arrive that matched one of my custom content rules, and at the same
time matched a standard Snort attack rule, I would receive a separate alert
in each Snort instance's log file.

I was wondering if anyone else is doing this type of thing, and what pros and
cons you think would apply?

Thanks
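One concrete way to set up the split described in the post, as an added example that is not from the original message: each instance gets its own config (pulling in only one rule set) and its own log directory. It assumes Snort is in PATH, the paths under /etc/snort are hypothetical, and the options used (-c, -l, -i, -D) are the classic Snort 1.x command-line switches.

```shell
#!/bin/sh
# Added example, not from the original post. Launch two independent Snort
# instances on one sensor so custom content rules cannot shadow the standard
# rules inside a single engine. Paths under /etc/snort are hypothetical.
set -e

SNORT_BIN="${SNORT_BIN:-snort}"
IFACE="${IFACE:-eth0}"
BASE_LOG="${BASE_LOG:-/var/log/snort}"

# Build the command line for one instance. A separate -l directory keeps the
# two alert files apart; -D daemonises so both can run side by side.
snort_cmd() {
    name="$1"; conf="$2"
    printf '%s -D -i %s -c %s -l %s/%s' \
        "$SNORT_BIN" "$IFACE" "$conf" "$BASE_LOG" "$name"
}

# Write a minimal per-instance config that includes exactly one rules file.
write_conf() {
    out="$1"; rules="$2"
    cat > "$out" <<EOF
var HOME_NET any
var EXTERNAL_NET any
output alert_fast: alert
include $rules
EOF
}

# Create the log directory and start the daemon for one instance.
start_instance() {
    name="$1"; conf="$2"
    mkdir -p "$BASE_LOG/$name"
    eval "$(snort_cmd "$name" "$conf")"
}

# Only launch when invoked as "run"; sourcing the file just defines helpers.
if [ "${1:-}" = "run" ]; then
    write_conf /etc/snort/custom.conf   /etc/snort/rules/custom.rules
    write_conf /etc/snort/standard.conf /etc/snort/rules/standard.rules
    start_instance custom   /etc/snort/custom.conf
    start_instance standard /etc/snort/standard.conf
fi
```

Each instance then writes its own alert file under its own directory, so a packet that matches a rule in both sets produces one alert in each.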


