Snort mailing list archives

Re: Snort with two instances


From: Mike Lococo <mikelococo () gmail com>
Date: Fri, 24 Dec 2010 16:32:11 -0500

On 12/22/2010 02:07 PM, J. L. Cabral wrote:
> Dear all, I have a Snort 2.9 box with two sniffing interfaces:
>
> <snip>
>
> Is it better to have two different snort.conf files...

As others have responded, you certainly can use separate conf-files.  I
used to do so, but have since merged into a single config-file.  I
specify the few unique config-bits on the command-line in my startup
script.  I prefer a single config-file because it's simpler to manage.

My command-line sets the interface, location of my logs, and location of
my perfmon-stats:
  snort -D -i eth1 -c /etc/snort/snort.conf -l /var/log/snort/eth1 \
  --perfmon-file /var/log/snort/eth1/snort.stats

  snort -D -i eth2 -c /etc/snort/snort.conf -l /var/log/snort/eth2 \
  --perfmon-file /var/log/snort/eth2/snort.stats

All of my snort-instances monitor load-balanced shares of the same
network and run with identical rule-configs.  If your snort-instances
have different home-nets, set that on the command-line with -h.  If you
have different rule-configs for your snorts, you're probably better off
with separate config-files.

> In this case, what happens if I download rules with oinkmaster, will they
> apply on both snort-eth1.conf and snort-eth2.conf files ???

If you use a single-config file, they'll share the same rule-files and
configuration.

If you use separate-configs, you can choose whether the rule-files and
configuration are shared.  If you point every snort-instance to the same
RULE_PATH, they'll share rule-files.  If you point each snort-instance
to a separate RULE_PATH like:
   var RULE_PATH /etc/snort/rules-eth1 # in snort-eth1.conf
   var RULE_PATH /etc/snort/rules-eth2 # in snort-eth2.conf
Then you must run a separate instance of oinkmaster/pulledpork for each
RULE_PATH, can use a separate oinkmaster/pulledpork-config for each
RULE_PATH, and can control the rules for each snort-instance separately.

> Or what is the best way to do I need ???

It's a matter of preference.  I prefer a single-config, but my
snort-instances are identically configured.  Either way is reasonable.

Whether you use one or multiple snort.conf-files, you'll need to run a
separate copy of barnyard2 for each snort-instance.  Set your log-dirs
to be different for each instance (I use /var/log/snort/ethX).

Cheers,
Mike Lococo
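A startup script of the kind the reply describes, added here as an example; it is not Mike's own script. It keeps one snort.conf, derives the per-instance bits (interface, log dir, perfmon file, optional -h home-net) from the interface name, and starts one barnyard2 per instance reading that instance's own log dir. The barnyard2.conf path, the HOME_NET values, and the unified2 base filename snort.u2 are assumptions; snort.conf is assumed to contain a matching "output unified2: filename snort.u2" line.

```shell
#!/bin/sh
# Example startup script for several snort instances sharing one snort.conf.
# Not from the original post. Assumed paths/values are marked below.

SNORT_CONF=/etc/snort/snort.conf
LOG_BASE=/var/log/snort
BY2_CONF=/etc/snort/barnyard2.conf   # assumed location of the barnyard2 config
U2_BASE=snort.u2                     # assumed unified2 base filename in snort.conf

# Per-interface HOME_NET override. Empty means "use the value in snort.conf".
# The subnets are constructed example values.
home_net_for() {
    case "$1" in
        eth1) echo "10.1.0.0/16" ;;
        *)    echo "" ;;
    esac
}

# Build the snort command line for one interface: same config file,
# separate log dir and perfmon file per instance, -h only when overridden.
snort_cmdline() {
    sc_iface=$1
    sc_logdir=$LOG_BASE/$sc_iface
    sc_cmd="snort -D -i $sc_iface -c $SNORT_CONF -l $sc_logdir --perfmon-file $sc_logdir/snort.stats"
    sc_hn=$(home_net_for "$sc_iface")
    [ -n "$sc_hn" ] && sc_cmd="$sc_cmd -h $sc_hn"
    echo "$sc_cmd"
}

# One barnyard2 per instance: it spools from that instance's log dir and
# keeps its own waldo (bookmark) file there, so instances never share state.
barnyard2_cmdline() {
    bc_iface=$1
    bc_logdir=$LOG_BASE/$bc_iface
    echo "barnyard2 -D -c $BY2_CONF -d $bc_logdir -f $U2_BASE -w $bc_logdir/barnyard2.waldo"
}

# Create each instance's log dir and launch snort plus its barnyard2.
# Interface names come from this script, not from untrusted input, so
# eval on the constructed string is acceptable here.
start_all() {
    for sa_iface in "$@"; do
        mkdir -p "$LOG_BASE/$sa_iface"
        eval "$(snort_cmdline "$sa_iface")"
        eval "$(barnyard2_cmdline "$sa_iface")"
    done
}

# Only launch when invoked as "./snort-start.sh start eth1 eth2";
# sourcing or running the file with no arguments just defines the functions.
case "${1:-}" in
    start) shift; start_all "$@" ;;
esac
```

Add an interface by appending it to the start line; add a home-net override by extending the case in home_net_for. Each instance still gets its own log dir, so the separate barnyard2 copies never read each other's unified2 files.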

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
