Snort mailing list archives

RE: Multiple instances of snort -G option


From: Eugenio Perez <eugenio () redborder org>
Date: Mon, 14 Jul 2014 22:33:04 +0200

Hi Robert.

You are looking in the wrong place. 'Snort log file' does not mean the
syslog (or stdout) log. Instead, it refers to the event logs.

For performance reasons, Snort saves its events in a unified2 file.
You tell snort where to create this file with the flag -l (I can't
look up at this moment which option it is in the config file).

You can examine this event log file with the tool u2spewfoo (under
tools/ in the source). For example, if we run two snort instances like
this:

    #snort -c /opt/rb/etc/snort/0/snort.conf -l /var/log/snort/0/instance-1 -G 1

    #snort -c /opt/rb/etc/snort/0/snort.conf -l /var/log/snort/0/instance-5 -G 5

And we look at the events generated (note that the last filename number is
the file creation timestamp, and will likely differ from this one):

    #u2spewfoo /var/log/snort/0/instance-1/snort.log.1405368748 | head

    (Event)
            sensor id: 0    event id: 65537 event second: 1405368748   event microsecond: 864559

    # u2spewfoo /var/log/snort/0/instance-5/snort.log.1405368774 | head

    (Event)
            sensor id: 0    event id: 327681        event second: 1405368774        event microsecond: 706010

Did you see that? If you look at the event id:
65537 == 0x10001
327681 == 0x50001

There is the group id number!!

It is also useful with the reputation preprocessor. In order to preserve
memory, the reputation list is saved once, and shared by all snort
instances. The only instance that is allowed to write in the shared
memory is the instance '-G 0', and the others can only read. This
requires an ./configure flag and more stuff, but I think that it is
outside the scope of this question.

Did it solve your question? If not, let me know :)

I am running two instances of snort on one machine,
to handle the traffic load.  I have split the traffic
using BPF Filters, so one instance sees just web
traffic, while the second instance handles everything
else.  I am running snort 2.9.6 on a Gentoo 3.14.4 host.

I have read in the snort manual about using the -G
multiple instance identifier.  I added this to my
command line when starting up snort, using "-G 1"
on the first instance and "-G 2" on the second
instance. Snort starts up and runs just fine, but I
don't see anything different in my output.  I am
logging to /var/log/messages and I don't see any
"1" or "2" added in. I compared snort output with the -G switch
to snort output without the -G switch and I don't see a
difference.

Anyone out there using this option?  If so, where does that
instance identifier show up?

Thanx
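As an added illustration (not code from the thread or from the Snort project), a small Python reader for unified2 IDS event records that splits the 32-bit event id into the -G group id (high 16 bits) and the per-instance sequence number (low 16 bits), so a collector can tell which instance raised each event. It assumes the 52-byte legacy IPv4 event record (type 7) in network byte order; the sample bytes are constructed from the two event ids shown above.

```python
import struct

# Unified2 record header: type and length, both big-endian uint32.
RECORD_HEADER = struct.Struct("!II")
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 IDS event record type (assumed layout)

# Unified2IDSEvent_legacy, 52 bytes, network byte order:
# 11 x uint32, 2 x uint16, 4 x uint8 in the order listed in IDS_EVENT_FIELDS.
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked")

def split_event_id(event_id):
    """Return (group_id, sequence): the -G value lives in the high 16 bits
    of the event id, a per-instance counter in the low 16 bits."""
    return event_id >> 16, event_id & 0xFFFF

def iter_records(data):
    """Yield (record_type, payload) for each record in a unified2 byte string."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        yield rtype, data[offset:offset + rlen]
        offset += rlen

def events_by_group(data):
    """Map each -G group id to the (sequence, event_second) pairs it logged."""
    groups = {}
    for rtype, payload in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT or len(payload) < IDS_EVENT_LEGACY.size:
            continue  # skip packet/extra-data records and truncated ones
        ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT_LEGACY.unpack_from(payload)))
        group, seq = split_event_id(ev["event_id"])
        groups.setdefault(group, []).append((seq, ev["event_second"]))
    return groups

def make_event_record(event_id, event_second):
    """Build a constructed type-7 record with the given event id (sample data)."""
    body = IDS_EVENT_LEGACY.pack(0, event_id, event_second, 0, 1000001, 1, 1, 0, 3,
                                 0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed sample: the two event ids from the thread, one per instance.
SAMPLE = make_event_record(65537, 1405368748) + make_event_record(327681, 1405368774)
```

Running `events_by_group(SAMPLE)` yields group 1 and group 5, each with sequence 1, matching the u2spewfoo output above.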
