Multiple snorts & Barnyard2

[Kungu Panda <kungupanda () gmail com>]

linux:   yes, look into ifenslave/bonding.
windows:   i have no idea.

Or maybe multiple "-i " nic directives can be specified on the snort
commandline, never tried that.

KPanda


On Thu, Jun 21, 2012 at 5:06 PM, Naresh Narang
<nnarang () guardiananalytics com> wrote:
> Ok case in point. I have to monitor traffic coming in on two NICs. Can I monitor with one instance running?
>
>
> --Naresh
> Sent from my iPhone
>
> On Jun 21, 2012, at 9:52 AM, "Kungu Panda" <kungupanda () gmail com> wrote:
>
> > I am using a single instance of snort to write-out multiple unified
> > files and then using multiple barnyard2 instances to send to both
> > syslog and mysql.  Basically sending alerts to a prime and backup
> > monitoring stations.  No issues or problems; drop two "output
> > unified2: xxx" directives in snort.conf.
> >
> > Not sure why anyone would need multiple instances of snort to achieve
> > the same result.  In fact, it would seem to be wildly inefficient to
> > run multiple instances of snort to inspect the same traffic.  Of
> > course, you may have systems and cpu's to burn.
> >
> > KPanda.
> >
> >
> > -----Original Message-----
> > From: Peter Bates [mailto:peter.bates () ucl ac uk]
> > Sent: Thursday, June 21, 2012 15:48
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Multiple snorts & Barnyard2
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Hello all
> >
> > I was just wondering if I was missing any tricks here
> > - - and interesting if anyone is doing things differently.
> >
> > I'm spawning multiple Snort processes - with a different
> > - -l to write unified2 output into seperate directories.
> >
> > As a result I'm running multiple Barnyard2 processes, each reading the
> > directories in continuous mode - and writing to DB and Syslog.
> >
> > Is this the optimal way of doing things, or am I missing a crafty
> > command-line option somewhere?
> >
> > - --
> > Peter Bates
> > Senior Computer Security Officer    Phone: +44(0)2076792049
> > Information Services Division       Internal Ext: 32049
> > University College London
> > London WC1E 6BT
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!