Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort with two instances

From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 22 Dec 2010 12:58:59 -0700
That's what I do on my box:

ps aux

/usr/local/bin/snort -D -i eth1 -c /usr/local/etc/snort/eth1snort.conf
/usr/local/bin/snort -D -i eth2 -c /usr/local/etc/snort/eth2snort.conf 
/usr/local/bin/snort -D -i eth3 -c /usr/local/etc/snort/eth3snort.conf
/usr/local/bin/snort -D -i eth4 -c /usr/local/etc/snort/dslsnort.conf
/usr/local/bin/snort -D -i eth5 -c
/usr/local/etc/snort/internetsnort.conf 
/usr/local/bin/snort -D -i eth6 -c
/usr/local/etc/snort/externalsnort.conf

Each one gets its own conf file, although I've found that for some using
the same threshold file helps.

James 

-----Original Message-----
From: Castle, Shane [mailto:scastle () bouldercounty org] 
Sent: Wednesday, December 22, 2010 12:40 PM
To: J. L. Cabral; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort with two instances

Start off with conf files that have the necessary things unique to the
sensor and then include your main snort.conf, e.g.:

snort-eth2.conf:
--------------------------------------------------------
config logdir: /var/snort/spool-eth2
config daemon
config alert_with_interface_name
preprocessor perfmonitor: time 300 file
/var/snort/spool-eth2/snort.stats pktcnt 10000 include
/etc/snort/snort.conf
--------------------------------------------------------

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: J. L. Cabral [mailto:jelocabral () gmail com]
Sent: Wednesday, December 22, 2010 12:07
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort with two instances

Dear all, I have a Snort 2.9 box with two sniffing interfaces:

1) eth1 sniff DMZ traffic --> in snort.conf HOME_NET = 172.18.10.0/24
2) eth2 sniff LAN traffic --> in snort.conf HOME_NET = 10.10.0.0/16

Is it better to have two different snort.conf files, for example:

snort-eth1.conf
snort-eth2.conf

and run two snort instanes like these:

snort -D -u snort -g snort -c /snort/etc/snort-eth1.conf -i eth1 snort
-D -u snort -g snort -c /snort/etc/snort-eth2.conf -i eth2

In this case, what happen if I download rules with oinkmaster, will they
apply on both snort-eth1.conf and snort-eth2.conf files ???

Or what is the best way to do I need ???

Really thanks,

JeLo



------------------------------------------------------------------------
------
Learn how Oracle Real Application Clusters (RAC) One Node allows
customers to consolidate database storage, standardize their database
environment, and, should the need arise, upgrade to a full multi-node
Oracle RAC database without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: