Snort mailing list archives

Problem with using 2 sensors


From: Mike Boeckeler <boeckelr () gmail com>
Date: Tue, 27 Sep 2011 15:53:11 -0400

Hi everyone,

A few days ago I posted a message about how no matter what I tried, I could
not get my setup running.  Needless to say my frustration level was off the
charts.

Anyway I seem to have crossed most of the hurdles and have gotten almost
everything working.  I am running Ubuntu 10.04, Snort 2.9.1,
Snortrules-snapshot-2910, BASE and Barnyard 2.

I have 3 interfaces - eth0 goes to the Internet for updates etc.  eth1 is
a sensor and it is located on a hub between my DSL modem and router.  eth2
is also a sensor, and it is located on a SPAN port, monitoring traffic
inside of my ASA.

BTW I used the Snort/Debian install guide posted on Snort.org for most of
this install.

If I start up first Snort and then Barnyard2 like you see below, everything
runs, but BASE only reports alerts on eth2 (inside my network).  Also, it
only reports that there is 1 interface.

# Snort sensor on eth1 (outside: hub between the DSL modem and the router)
/usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1 &
# Snort sensor on eth2 (inside: SPAN port behind the ASA)
/usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2 &

# One Barnyard2 instance reading the unified2 spool in /var/log/snort
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
    -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
    -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
    -C /etc/snort/classification.config

Now I know that traffic is getting through by using Wireshark and tcpdump to
watch eth1 and eth2 as I try to trigger alerts with nmap.

In fact, if I forget about BASE, Barnyard and MySQL, and run snort like
this:  "snort -i eth1" in one terminal, and "snort -i eth2" in another
terminal, both get the alerts that they should.  So the problem must be in
MySQL, Barnyard2, etc.

I have tried using two different snort.confs - one for the command that
starts the eth1 instance; and the other for the command that starts the eth2
instance, but to no avail.

Does anybody have any ideas that might help?  I have emailed Joel off-list
and he provided some good insights on particular issues, but I still need
help with the aforementioned problems.

I greatly appreciate any help that you guys can provide.

Thanks!
Mike
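The post above starts two Snort instances that both log into the default /var/log/snort and then a single Barnyard2 with one waldo file. The script below is an added example (editor's, not the poster's commands and not from the Snort/Debian guide) that generalises the startup to one Snort instance plus one Barnyard2 spooler per sensor interface, each with its own spool directory and waldo file, since a Barnyard2 instance in continuous mode follows exactly one unified2 file prefix in one directory through one waldo. Assumptions: Snort's -l flag is used to put each sensor's unified2 output under /var/log/snort/<iface>, snort.conf still contains "output unified2: filename snort.log, ...", and Barnyard2 is backgrounded with its -D daemon flag; the directory layout and the sensors.sh name are hypothetical.

```shell
#!/bin/sh
# Added example: one Snort + one Barnyard2 per sensor interface.
# The /var/log/snort/<iface> layout and the "start" argument are assumptions.

SNORT=/usr/local/bin/snort
BARNYARD2=/usr/local/bin/barnyard2
SNORT_CONF=/etc/snort/snort.conf
BY2_CONF=/etc/snort/barnyard2.conf
LOG_ROOT=/var/log/snort
SPOOL_BASE=snort.log   # must match "output unified2: filename snort.log" in snort.conf

# Per-sensor spool directory: keeps the eth1 and eth2 unified2 files apart.
sensor_logdir() {
    printf '%s/%s\n' "$LOG_ROOT" "$1"
}

# Per-sensor waldo: each Barnyard2 instance remembers its own read position.
sensor_waldo() {
    printf '%s/bylog.waldo\n' "$(sensor_logdir "$1")"
}

# Command line for the Snort instance on interface $1; -l sends its
# unified2 output into that sensor's own directory instead of /var/log/snort.
snort_cmd() {
    printf '%s -E -u snort -g snort -c %s -i %s -l %s\n' \
        "$SNORT" "$SNORT_CONF" "$1" "$(sensor_logdir "$1")"
}

# Command line for the Barnyard2 instance that drains that sensor's spool
# (-d spool dir, -f file prefix, -w waldo, -D run as a daemon).
barnyard2_cmd() {
    printf '%s -c %s -d %s -f %s -w %s -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config -D\n' \
        "$BARNYARD2" "$BY2_CONF" "$(sensor_logdir "$1")" "$SPOOL_BASE" "$(sensor_waldo "$1")"
}

# Create the spool dir writable by the (dropped-privilege) snort user, start
# Snort first so the unified2 file exists, then start its Barnyard2 reader.
start_sensor() {
    dir=$(sensor_logdir "$1")
    mkdir -p "$dir" && chown snort:snort "$dir"
    eval "$(snort_cmd "$1")" &
    sleep 2
    eval "$(barnyard2_cmd "$1")"
}

# Launch only when run as "./sensors.sh start eth1 eth2"; without "start"
# the script just defines the functions above.
if [ "${1:-}" = "start" ]; then
    shift
    for iface in "$@"; do
        start_sensor "$iface"
    done
fi
```

Because both Barnyard2 instances point at the same barnyard2.conf, they write into the same database, so BASE sees one sensor per (hostname, interface) pair rather than the single interface reported when one spooler reads one file. The sleep before starting Barnyard2 is a crude ordering guard; a production init script would poll for the unified2 file instead.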