Snort mailing list archives

RE: Snort running on two interfaces


From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Fri, 19 Mar 2004 09:49:59 +0000



--On 18 March 2004 11:38 -0500 Jason Humes <jhumes () acs on ca> wrote:

I'm running snort on a Knoppix based system, installed from the echelon
(capensis) IDS cd.  What is barnyard/mudpit and why would I want to run
this?

mudpit and barnyard are both shims between snort's unified (raw, binary) logfiles and MySQL. This allows snort to avoid wasting time decoding packets and handling the database interaction, which should in turn reduce the likelihood of snort dropping packets.

 Thanks

Best Regards,
Alex.


-----Original Message-----
From: AJ Butcher, Information Systems and Computing
[mailto:Alex.Butcher () bristol ac uk]
Sent: Thursday, March 18, 2004 10:01 AM
To: Jason Humes; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort running on two interfaces




--On 18 March 2004 08:58 -0500 Jason Humes <jhumes () acs on ca> wrote:

What is the best way to get snort to run on two interfaces?

Assuming you wish to use barnyard/mudpit eventually, you'll probably want
to have separate processes for each interface, as far as I can see,
unless you'll guarantee that you'll be using exactly the same config
file for each.

And what would be the best way to configure this to start
automatically when the box boots? Right now, I just took the S20snort
script and kinda just copied the portion of it that starts snort and
copied and pasted it further down in the S20snort script...seems to
work, but must not be the best way.  Also, does anyone know how to add
my default gateway on boot, right now, I've got a line in the S20snort
script which says, "route add default gw 192.0.0.201"...

This will be OS-dependent in terms of how to do it cleanly. Personally, I
modified the supplied initscript and sysconfig file so that multiple
snorts could be started by using INTERFACE="eth0 eth1" or similar in the
sysconfig file.

As for the default gateway, setting that up in your snort initscript is
almost certainly the wrong place.

What OS are you using?

thanks

Jason D. Humes

Best Regards,
Alex.



--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
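
A sketch of the approach described in the message above (one snort process per name in INTERFACE), added here as an example; it is not part of the original post and not the poster's initscript. The binary path, directories, DRY_RUN switch and the snort-<iface>.conf naming are assumptions; -D, -i, -c and -l are standard snort options.

```shell
#!/bin/sh
# Added example: start one snort process per interface listed in INTERFACE.
# Paths and the snort-<iface>.conf naming are assumptions, not from the thread.
INTERFACE="${INTERFACE:-eth0 eth1}"          # space-separated, as in the post
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF_DIR="${SNORT_CONF_DIR:-/etc/snort}"
SNORT_LOG_BASE="${SNORT_LOG_BASE:-/var/log/snort}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, do not start

# Accept only plain interface names: not empty, not option-like, no metacharacters.
valid_iface() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._:-]*) return 1 ;;
    esac
    return 0
}

# Use a per-interface config when present, otherwise the shared one.
conf_for() {
    if [ -r "$SNORT_CONF_DIR/snort-$1.conf" ]; then
        echo "$SNORT_CONF_DIR/snort-$1.conf"
    else
        echo "$SNORT_CONF_DIR/snort.conf"
    fi
}

# Command line for one sensor: daemon mode (-D), its own interface (-i),
# config (-c) and log directory (-l) so output files never collide.
snort_cmd() {
    valid_iface "$1" || return 1
    echo "$SNORT_BIN -D -i $1 -c $(conf_for "$1") -l $SNORT_LOG_BASE/$1"
}

start_all() {
    rc=0
    for iface in $INTERFACE; do
        if ! cmd=$(snort_cmd "$iface"); then
            echo "skipping invalid interface name: $iface" >&2
            rc=1; continue
        fi
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            mkdir -p "$SNORT_LOG_BASE/$iface" && $cmd || rc=1
        fi
    done
    return $rc
}
case "${1:-}" in start) start_all ;; esac
```

Giving each process its own log directory keeps the per-interface output files apart, which matters if a separate reader such as barnyard or mudpit is later pointed at each one.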





