Snort mailing list archives

RE: Snort sensor IDs


From: "Jeff Dell" <jdell () activeworx com>
Date: Thu, 19 Aug 2004 15:10:16 -0400

If you are using BPF filters, try adding "ignore_bpf=yes" to your output
database line in your snort.conf. I just checked the docs and it is not
there. I guess it is currently an undocumented feature... If your sensor
name keeps changing, you can add the option sensor_name=<blah>, but you
cannot have multiple sensors writing to the same database as the same sensor
name; it will have issues.
 
Jeff


  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mitchell,
Jason
Sent: Wednesday, August 18, 2004 7:51 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort sensor IDs


I'm left a bit confused over how Snort handles assigning sensor IDs and how
I might be able to control it.  For example, I just changed how Snort runs,
and in doing so, a new sensor ID is created and dumps the data in there,
which makes querying MySQL from a front end annoying.
 
Anyone know how to keep Snort to just a single sensor ID regardless of any
changes I might make to the startup options?  Or is there something inherent
that would make that a really bad idea?
 
On the same note, is it possible to dump data from multiple interfaces into
a single "sensor"?  I don't really care which sensor picked up the data as I
can look at source/destination anyway.
 
-Jason
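
For a database that has already been split across several sensor IDs, as described in the thread above, the following added example (not from either poster or from the Snort project) finds hosts that own more than one sensor ID and reads their events across all of them. It assumes the sensor table records hostname, interface and filter per sid and the event table is keyed on (sid, cid), as in the schema shipped with Snort's database output; the schema is reduced to those columns and loaded into in-memory SQLite with constructed rows and hostnames.

```python
import sqlite3

# Reduced subset of the Snort database schema (assumption: only the columns
# needed here; the real tables carry more).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT,
                     interface TEXT, filter TEXT);
CREATE TABLE event  (sid INTEGER, cid INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
"""
# Constructed sample rows: host ids01 was restarted with different
# interfaces and BPF filters, so it now owns three sensor IDs.
SENSORS = [
    (1, "ids01", "eth0", None),
    (2, "ids01", "eth0", "not port 22"),
    (3, "ids01", "eth1", "not port 22"),
    (4, "ids02", "eth0", None),
]
EVENTS = [
    (1, 1, "2004-08-17 10:00:00"), (1, 2, "2004-08-17 10:05:00"),
    (2, 1, "2004-08-18 09:00:00"),
    (3, 1, "2004-08-18 19:30:00"), (3, 2, "2004-08-18 19:31:00"),
    (4, 1, "2004-08-18 20:00:00"),
]

def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sensor VALUES (?,?,?,?)", SENSORS)
    db.executemany("INSERT INTO event VALUES (?,?,?)", EVENTS)
    return db

def split_hosts(db):
    """Hosts whose alerts are spread over more than one sensor ID."""
    rows = db.execute(
        "SELECT hostname, COUNT(*), GROUP_CONCAT(sid) FROM sensor "
        "GROUP BY hostname HAVING COUNT(*) > 1 ORDER BY hostname")
    return [(h, n, sorted(int(s) for s in sids.split(",")))
            for h, n, sids in rows]

def events_for_host(db, hostname):
    """All events for a host, regardless of which sensor ID logged them."""
    return db.execute(
        "SELECT e.timestamp, s.sid, e.cid, s.interface, s.filter "
        "FROM event e JOIN sensor s ON s.sid = e.sid "
        "WHERE s.hostname = ? ORDER BY e.timestamp", (hostname,)).fetchall()

if __name__ == "__main__":
    db = load_sample()
    print(split_hosts(db))
    for row in events_for_host(db, "ids01"):
        print(row)
```

The same two SELECT statements can be run against the MySQL database directly; joining on sensor.hostname instead of filtering on a single sid keeps front-end queries stable when a restart creates a new sensor row.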
