Snort mailing list archives

RE: Multiple Snort Instances


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Fri, 28 Feb 2003 12:30:00 -0600 (CST)


Maybe I'm being brain-dead today (please be nice) but why would someone want
to run multiple instances of snort?

I run one production instance in daemon mode and have it logging to a
remote DB.  In this case, I was on the sensor and needed to look at all
the traffic on-the-fly.  I noticed that when I started my second instance
at the command line, my daemonized instance was not logging anything to
the database and my on-the-fly session was only capturing traffic destined
for the local machine.

The workaround I implemented was to ifconfig the interface in promisc mode
then use the -p option to snort to tell it to leave the interface alone.
This way, multiple snort instances can see all the traffic.

HTH.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
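
The workaround above only works if the interface really is promiscuous before the extra instance starts, because `-p` stops snort from setting that mode itself. The following check is an added example, not part of the original post: it assumes a Linux sensor that exposes interface flags under `/sys/class/net`, uses `0x100` for `IFF_PROMISC`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an interface is
# already promiscuous before starting an extra snort instance with -p.
# Assumes Linux sysfs; the function names are hypothetical.

IFF_PROMISC=256   # 0x100, the IFF_PROMISC bit in the interface flags word

# iface_promisc IFACE [SYSFS_ROOT]
# Exit 0 if IFACE is promiscuous, 1 if it is not, 2 if the flags are unreadable.
iface_promisc() {
    f="${2:-/sys/class/net}/$1/flags"
    [ -r "$f" ] || return 2
    flags=$(cat "$f")
    hex=${flags#0x}
    # Accept only hex digits before handing the value to shell arithmetic.
    case "$hex" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( 0x$hex & IFF_PROMISC )) -ne 0 ]
}

# snort_cmd IFACE [SYSFS_ROOT]
# Print the command line for an additional instance, or explain why not.
snort_cmd() {
    if iface_promisc "$@"; then
        # -p leaves the interface mode alone, so a running daemon is not disturbed.
        echo "snort -p -i $1"
    else
        echo "$1 is not promiscuous; run 'ifconfig $1 promisc' first" >&2
        return 1
    fi
}

# Typical use on the sensor, as root:
#   ifconfig eth0 promisc
#   eval "$(snort_cmd eth0)"
```
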


