Snort mailing list archives
RE: Multiple instances of snort on a bonded interface
From: "Corey Rock" <snort_sigs () hotmail com>
Date: Thu, 10 Jun 2004 21:51:38 +0000
I don't run multiple instances of snort on the same machine, but I do run snort and tcpdump and idabench on the same sensor(s), and they run fine. Tcpdump captures the packets I want, and snort does too. What you're basically asking is whether running applications that put the NIC in promiscuous mode (in order to sniff) can access pcap and the NIC at the same time.
The answer is yes, most definitely, on the Linux platform.

Now, what you seem to really be asking is how to get snort to dump a binary pcap file. You can tell snort (in snort.conf) to log to mysql and to a binary pcap file, without having to run another instance of snort.
Corey
From: Miles Stevenson <miles () mstevenson org>
Reply-To: miles () mstevenson org
To: snort-users () lists sourceforge net
Subject: [Snort-users] Multiple instances of snort on a bonded interface
Date: Wed, 9 Jun 2004 16:31:43 -0400

Hello list. Haven't been able to find any help on this, maybe someone here can help me.

I have a bond0 interface that I have been using for quite a while and works fine. An instance of snort is running and dumping everything into a MySQL DB. I'm trying to set up a 2nd snort process to run on the same bond0 interface with a slightly different config, so I can dump it to a binary tcpdump file.

I know that there shouldn't be any problems running 2 sniffers on the same real interface (i.e. eth0, fxp0, etc.) but has anyone tried this on a Linux bonded interface? The first snort process is still seeing traffic and dumping to MySQL, but the second one isn't seeing anything. Maybe this is a Linux specific issue? I'm running an up to date 2.4 kernel on a RedHat box....

TIA
--
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
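The single-instance setup suggested in the reply, as an added example that is not part of the original posts: a snort.conf fragment in Snort 2.x output-plugin syntax that sends events to MySQL and to a binary pcap file from one process. The database user, password, database name, host, file name and paths are placeholders.

```conf
# snort.conf fragment (added example; all values below are placeholders)
# One snort process on bond0 feeding two output plugins, started with e.g.:
#   snort -c /etc/snort/snort.conf -i bond0 -l /var/log/snort

# Logged packets and alerts go to the MySQL database
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# The same logged packets are also written in binary tcpdump (pcap) format,
# to a file created in the log directory given with -l
output log_tcpdump: snort.pcap
```

Both plugins record only the packets that a rule logs or alerts on. A full capture of everything on the interface is a separate job, such as the tcpdump process mentioned in the reply.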