Snort mailing list archives
Re: Multiple instances of snort on the same server?
From: Seth Art <sethsec () gmail com>
Date: Thu, 4 Feb 2010 17:10:22 -0500
Aloha, Here is an example of 4 snort instances listening on 3 interfaces. You can have a 1 instance to 1 interface mapping like the first two lines, or you can run multiple instances on the same interface like the 3rd and 4th lines directing traffic using BPFs, or a combination of both. snort -i eth1 -c /etc/snort1/snort-eth1.conf <other snort options> snort -i eth2 -c /etc/snort2/snort-eth2.conf <other snort options> snort -i eth3 -c /etc/snort3-1/snort-eth3-1.conf <other snort options> net 10.0.0.0/8 snort -i eth3 -c /etc/snort3-2/snort-eth3-2.conf <other snort options> not net 10.0.0.0/8 You can theoretically share the same snort.conf and rules files, however if you want to have each instance act differently (different policy assigned to each instance), you are best off having a different copy of the rules and the snort.conf for each instance. Just remember that when you update the rules, you need to update them in all locations. Definitely some additional overhead with this setup, but it will allow you to accomplish quite a lot (and improve performance since snort is currently still single threaded). -Seth On Wed, Feb 3, 2010 at 11:24 PM, Chan, Wilson <wchan () honolulu gov> wrote:
Anyone has a HowTo guide on running multiple instances of snort on the same server? I have a new server that has 8 nics and looking to run a few snort instances to make use of the high speed server and dual quad cores. Thanks! Wilson ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Multiple instances of snort on the same server? Chan, Wilson (Feb 03)
- Re: Multiple instances of snort on the same server? Seth Art (Feb 04)
- Re: Multiple instances of snort on the same server? Joel Esler (Feb 04)