Snort mailing list archives
Re: Multiple instances of snort on one box?
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 21 Oct 2004 16:45:28 -0500
--On Thursday, October 21, 2004 02:39:09 PM -0500 Drew Stockman <Drew.Stockman () cibmis com> wrote:
We are trying to consolidate machines and I am being asked if we can put all of the snort sensors on one box. I was just wondering if anyone can point me in the right direction. I believe I have to run separate instances of Snort listening on different NICs, correct?
No, you can run multiple instances on one NIC.
I'm running two instances of snort, through one NIC, watching two DS3s with approximately 45MB outbound (70MB peaks) and 30MB inbound (50MB peaks) on a Dell box with a 1.7 GHz processor, 1GB of ram and a 1GB NIC. The OS is FreeBSD 4.9 SECURITY.
Also, what kind of hardware would it take to replace 3 sensors, each listening to a T-1 connection? Is there any documentation out there on setting up a multiple Snort sensor like this?
The reason I run two processes on the same NIC is because one is a "normal" deployment of snort and the other is a "special" deployment which *only* uses custom rules.
I would assume, in the "normal" setup, you'd want separate NICs because you want to monitor separate segments of the network. The only thing you have to do is keep your conf files separate (unless you want to monitor precisely the same way on all three networks) as well as your startup scripts.
I symlinked snort to "snort_special", created a snort_special.conf file as well as a snort_special startup file. You should also specify the name of the PID file, which you can do using "-R {name}" on the command line during startup. (E.g. "-R T1-A", "-R T1-B", "-R T1-C".) This will create a pidfile with the name snort_eth0T1-A.pid, for example. Makes it much easier to keep them straight and eliminates confusion when killing a process.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
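The per-instance setup described in the message above, sketched as an added example that is not part of the original post: one wrapper that gives each Snort instance its own conf file, log directory and "-R" pidfile suffix. The sensor-to-interface map, the directory paths and the snort_NAME.conf naming are assumptions.

```shell
#!/bin/sh
# Added example: start/stop wrapper for several Snort instances on one box.
# Paths, interfaces and the conf naming scheme are assumptions, not from the post.
SNORT_BIN=${SNORT_BIN:-snort}
CONF_DIR=${CONF_DIR:-/usr/local/etc}
LOG_ROOT=${LOG_ROOT:-/var/log/snort}
PID_DIR=${PID_DIR:-/var/run}
SENSORS="T1-A:eth0 T1-B:eth1 T1-C:eth2"   # name:interface pairs (constructed)

# Print the interface assigned to sensor $1; fail if the name is unknown.
iface_for() {
    for s in $SENSORS; do
        [ "${s%%:*}" = "$1" ] && { echo "${s#*:}"; return 0; }
    done
    return 1
}

# With "-R NAME" the pidfile is named snort_<interface><NAME>.pid.
pidfile_for() {
    iface=$(iface_for "$1") || return 1
    echo "$PID_DIR/snort_${iface}$1.pid"
}

# Build the command line: daemon mode, own conf, own log dir, own pid suffix.
start_cmd() {
    iface=$(iface_for "$1") || return 1
    echo "$SNORT_BIN -D -i $iface -c $CONF_DIR/snort_$1.conf -l $LOG_ROOT/$1 -R $1"
}

start_sensor() {
    cmd=$(start_cmd "$1") || { echo "unknown sensor: $1" >&2; return 1; }
    pf=$(pidfile_for "$1")
    # A pidfile whose process is gone is stale, so only a live pid blocks a start.
    if [ -f "$pf" ] && kill -0 "$(cat "$pf")" 2>/dev/null; then
        echo "$1 already running (pid $(cat "$pf"))" >&2; return 0
    fi
    mkdir -p "$LOG_ROOT/$1" && $cmd   # unquoted on purpose: paths must not contain spaces
}

# Stop exactly one instance by its own pidfile, leaving the others running.
stop_sensor() {
    pf=$(pidfile_for "$1") || { echo "unknown sensor: $1" >&2; return 1; }
    [ -f "$pf" ] || { echo "$1 not running" >&2; return 0; }
    kill "$(cat "$pf")"
}

# Usage: script start|stop NAME
case "${1:-}" in start|stop) "${1}_sensor" "${2:-}" ;; esac
```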