Snort mailing list archives

Running 2 Bridge sensors on 1 host


From: Thijs Hodiamont <dabutch () dbsec net>
Date: Mon, 14 Oct 2002 11:59:03 +0200


Lo,

This is the situation,

I'm running a Compaq Deskpro PIII 500 with 5 NICs to monitor our
DMZ and corporate network. Running OS is Debian Sid.
For this situation I have put in place
this machine with the following config.

Note:   All the NICs are in the same machine and I apologize
        for my bad drawing skills. :)
                                        
                                        192.168.100.0/24
-------> < eth0 < br_192 > eth1 > <------------
                
                                        10.0.0.0/24
-------> < eth2 < br_10  > eth3 > <------------

                        192.168.8.2
                           eth4 <-------------


As you can see there are 2 bridges,

-       br_10 for the 10.0.0.0/24 DMZ and this monitors our proxy server
              and some other services

-       br_192 for our internal webservers, mailservers who communicate via the
        'trusted' ( trusted is relative ) line.

The big picture is this, our users ( consultants etc.. ) use the br_10
as their internet connection, MSN, ICQ, MS IE, Kazaa and all other stuff
go via this bridge so the main function of snort here is to do some
content monitoring. 

The other bridge, br_192 is used by our mailservers and webservers who
have another connection to the outside but are still directly connected
to the net. Main function of this bridge is to detect attacks on those
mission critical machines.

For this I made my snortbox; I've set it up with PostgreSQL and ACID,
which works perfectly for my purpose. I'm running it now with the br_10
bridge and it runs very well.

Only the following problem has arisen: I want to run 2 sensors on the
same box. I've already made 2 different inetd scripts and 2 different
configs. If I run either of those sensors a different pid file appears,
so that should not be the problem. But if I want to run 2 sensors, the
first one goes up like a space shuttle but the 2nd one doesn't want to
start. Does anyone have an idea how to run 2 sensors? I can send the
inetd scripts and the configs if you like, but the only things I've
changed are the config files from snort and the inetd files to match
the different config files.

I've checked the logs of my box but I can't find any useful information,
anyone got an idea?

Tnx in advance.

Thijs Hodiamont

-- 

=====================
L.M. Hodiamont
ICQ:36514430
dabutch () dbsec net 
=====================