Snort mailing list archives

Re: Snort with two instances

From: "David C. Maple" <dmaple () gmti gannett com>
Date: Wed, 22 Dec 2010 14:29:07 -0500

That would depend on the location of your rules files.  If both of your
snort-eth?.conf files point to the same rules directory, yes.  

If you have RULE_PATH defined the same in both files, they are sharing
the same rules.  This would also apply for SO_RULE_PATH and
PREPROC_RULE_PATH, if you have them defined.

Dave

-- 
David C. Maple <dmaple () gmti gannett com>

On Wed, 2010-12-22 at 16:07 -0300, J. L. Cabral wrote:

Dear all, I have a Snort 2.9 box with two sniffing interfaces:

1) eth1 sniff DMZ traffic --> in snort.conf HOME_NET = 172.18.10.0/24
2) eth2 sniff LAN traffic --> in snort.conf HOME_NET = 10.10.0.0/16

Is it better to have two different snort.conf files, for example:

snort-eth1.conf
snort-eth2.conf

and run two snort instanes like these:

snort -D -u snort -g snort -c /snort/etc/snort-eth1.conf -i eth1
snort -D -u snort -g snort -c /snort/etc/snort-eth2.conf -i eth2

In this case, what happen if I download rules with oinkmaster, will
they apply on both snort-eth1.conf and snort-eth2.conf files ???

Or what is the best way to do I need ???

Really thanks,

JeLo

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort with two instances J. L. Cabral (Dec 22)
- Re: Snort with two instances Eoin Miller (Dec 22)
- Re: Snort with two instances Castle, Shane (Dec 22)
  - Re: Snort with two instances Lay, James (Dec 22)
- Re: Snort with two instances David C. Maple (Dec 22)
- Re: Snort with two instances Mike Lococo (Dec 24)