Snort mailing list archives

Re: Multiple Snort Instances


From: Erek Adams <erek () snort org>
Date: Thu, 27 Feb 2003 15:10:56 -0500 (EST)

On Thu, 27 Feb 2003, Demetri Mouratis wrote:

> I have been investigating a rather strange problem with running multiple
> instances of snort on the same interface.  The system is a Red Hat 7.3 box
> running snort 1.9 compiled with postgres support.  Libpcap is
> libpcap-2002.09.09. The interface is eth1, brought up without an IP and
> connected to a monitoring port on a switch.
>
> When I run only one instance of snort, it sees all the traffic for the
> whole switch.  However, when I run two instances of snort like so:
>
> # snort -dev -i eth1
> # snort -dev -i eth1
>
> The snort instances no longer see any TCP traffic, only UDP and ARP
> traffic.
>
> When I kill the second instance, all traffic is seen again by instance 1.
> When I fire up a third instance, all traffic is seen by all instances.
>
> Does this make any sense to anyone?

Yep.

Linux uses a flag for promisc mode.  It's basically 'on' or 'off'.  When
you run it twice, it turns it off.  The third time, it's on.  The fourth
time it's off again....

Simply issue an 'ifconfig eth1 promisc' after starting the second.  Or
start snort with the '-p' switch.  That should fix you.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
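
A check a sensor operator could run after starting or stopping a Snort instance, to confirm the capture interface is still up and promiscuous. This is an added example, not part of the original thread; it assumes a Linux host that exposes interface flags under /sys/class/net, and the function names and the SYSFS_NET override are hypothetical.

```shell
#!/bin/sh
# Added example: report whether sensor interfaces are UP and PROMISC.
# Flag bit values are the Linux <linux/if.h> constants.
IFF_UP=$((0x1))
IFF_PROMISC=$((0x100))

# Assumption: flags are readable at $SYSFS_NET/<iface>/flags as hex (e.g. 0x1103).
# SYSFS_NET can be overridden to run the check against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# iface_state IFACE
# Prints one of: missing, unreadable, down, up-nopromisc, up-promisc
iface_state() {
    flags_file="$SYSFS_NET/$1/flags"
    [ -r "$flags_file" ] || { echo missing; return 0; }

    raw=$(cat "$flags_file")
    hex=${raw#0x}
    # Accept only hex digits before handing the value to arithmetic expansion.
    case $hex in
        ''|*[!0-9a-fA-F]*) echo unreadable; return 0 ;;
    esac
    flags=$((0x$hex))

    if [ $(( $flags & $IFF_UP )) -eq 0 ]; then
        echo down
    elif [ $(( $flags & $IFF_PROMISC )) -eq 0 ]; then
        echo up-nopromisc      # sensor sees only traffic addressed to the host
    else
        echo up-promisc
    fi
}

# check_sensors IFACE...
# Prints one line per interface; returns non-zero if any is not up-promisc,
# so it can be used from cron or a monitoring agent.
check_sensors() {
    rc=0
    for ifc in "$@"; do
        st=$(iface_state "$ifc")
        echo "$ifc: $st"
        [ "$st" = up-promisc ] || rc=1
    done
    return $rc
}
```

Running `check_sensors eth1` after each instance starts or exits shows whether the interface state changed underneath the remaining sensors.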

