Snort mailing list archives

Re: Multiple Snort Instances

From: Matt Richard <matt.richard () fandm edu>
Date: Thu, 20 Jan 2005 11:18:43 -0500

I'm just putting together a system with two monitor interfaces.

I've created separate configurations, such as snort-outside andsnort-inside. So for logging, reporting, controlling services, andconfiguration, I have a separate set of configs or scripts for eachinstance.

snort-outside uses /etc/snort-outside.conf and the ruleset from/etc/snort/rules-outside and it's started with the script/etc/rc.d/init.d/snort-outside


etc.

So far this seems to work pretty well.

-Matt

At 8:05 AM -0800 1/20/05, Bob Konigsberg wrote:


Hi all - I've got a bunch of Snort installs where there's a script that runs
at midnight to do the following:
1) Rename the alert file to alert.date (whatever it might be)
2) Restart Snort

This results in multiple instances of snort running, and I build up another
instance per day.

When I run the snort restart (or "snort stop" followed by "snort start")
manually, I never see this behavior.  It only occurs when the script that
does it gets run by crontab.

If I manually do an "/etc/init.d/snort stop" both processes are shut down.
When followed by "/etc/init.d/snort start" then there is, as should be, only
one instance running.

Any ideas?

Thanks all,

Bob Konigsberg
Network Evaluation
(408) 395-3921 (Office)
(408) 839-8464 (Cell)
"The only reason anyone has a job is because someone else has a problem.
What are YOU doing to solve that problem?"





-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Matt Richard
Access and Security Coordinator
Computing Services
Franklin & Marshall College
matt.richard () fandm edu
(717) 291-4157


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Acid/MySQL connection problem Chris Mills (Jan 19)
- Multiple Snort Instances Bob Konigsberg (Jan 20)
  - Re: Multiple Snort Instances Matthew K. Lee (Jan 20)
    - Re: Multiple Snort Instances adelein rodriguez (Jan 23)
  - Re: Multiple Snort Instances Matt Richard (Jan 20)
  - Re: Multiple Snort Instances Matt Kettler (Jan 20)
- <Possible follow-ups>
- RE: Acid/MySQL connection problem Esler, Joel - Contractor (Jan 19)
  - Re: Acid/MySQL connection problem Chris Mills (Jan 19)