Snort mailing list archives
RE: Multiple instances of snort -G option
From: Eugenio Perez <eugenio () redborder org>
Date: Mon, 14 Jul 2014 22:33:04 +0200
Hi Robert. You are looking in the wrong place. 'Snort log file' does not mean the syslog (or stdout) log. Instead, it refers to the event logs. For performance reasons, Snort saves its events in a unified2 file. You tell snort where to create this file with the flag -l (I can't check at this moment which option it is in the config file). You can examine this event log file with the tool u2spewfoo (under tools/ in the source).

For example, if we run two snort instances like this:

    # snort -c /opt/rb/etc/snort/0/snort.conf -l /var/log/snort/0/instance-1 -G 1
    # snort -c /opt/rb/etc/snort/0/snort.conf -l /var/log/snort/0/instance-5 -G 5

And we look at the events generated (note that the last filename number is the file creation timestamp, and is likely different from this one):

    # u2spewfoo /var/log/snort/0/instance-1/snort.log.1405368748 | head
    (Event)
        sensor id: 0    event id: 65537    event second: 1405368748    event microsecond: 864559

    # u2spewfoo /var/log/snort/0/instance-5/snort.log.1405368774 | head
    (Event)
        sensor id: 0    event id: 327681    event second: 1405368774    event microsecond: 706010

Did you see that? If you look at the event id:

    65537  == 0x10001
    327681 == 0x50001

There is the group id number!!

It is also useful with the reputation preprocessor. In order to preserve memory, the reputation list is saved once, and shared by all snort instances. The only instance that is allowed to write in the shared memory is the instance '-G 0', and the others can only read. This requires a ./configure flag and more stuff, but I think that it is out of this question's scope.

Did it solve your question? If not, let me know :)
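As an added illustration (not part of the original mail), the following Python script decodes the event ids from u2spewfoo output the way the reply describes: the high 16 bits carry the -G instance id and the low 16 bits the per-instance counter. The sample text is constructed from the two events quoted above plus one extra event, and the 16/16 split is an assumption drawn from the 0x10001 / 0x50001 observation in the reply.

```python
import re

# Constructed sample of u2spewfoo "(Event)" lines, modelled on the post's output:
# two events from the "-G 1" instance and one from the "-G 5" instance.
SAMPLE_U2SPEWFOO = """\
(Event)
\tsensor id: 0\tevent id: 65537\tevent second: 1405368748\tevent microsecond: 864559
(Event)
\tsensor id: 0\tevent id: 65538\tevent second: 1405368750\tevent microsecond: 123456
(Event)
\tsensor id: 0\tevent id: 327681\tevent second: 1405368774\tevent microsecond: 706010
"""

EVENT_RE = re.compile(
    r"event id:\s*(\d+)\s+event second:\s*(\d+)\s+event microsecond:\s*(\d+)"
)


def split_event_id(event_id):
    """Split a unified2 event id into (instance id, per-instance counter).

    Assumption (from the reply's 0x10001 / 0x50001 examples): Snort ORs the
    -G value shifted left by 16 bits into each event id it generates.
    """
    return event_id >> 16, event_id & 0xFFFF


def parse_events(text):
    """Return one dict per (Event) block found in u2spewfoo text output."""
    events = []
    for match in EVENT_RE.finditer(text):
        event_id = int(match.group(1))
        instance, seq = split_event_id(event_id)
        events.append({
            "event_id": event_id,
            "instance": instance,          # which -G instance raised it
            "seq": seq,                    # that instance's running counter
            "timestamp": int(match.group(2)) + int(match.group(3)) / 1e6,
        })
    return events


def events_by_instance(events):
    """Group the per-instance counters by instance id, e.g. {1: [1, 2], 5: [1]}."""
    groups = {}
    for event in events:
        groups.setdefault(event["instance"], []).append(event["seq"])
    return groups


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_U2SPEWFOO):
        print("instance %d  event #%d  id=0x%x" % (ev["instance"], ev["seq"], ev["event_id"]))
```

Because only the instance id is embedded, events from two sensors that share a -G value still collide; keep the -G numbers unique per host when you merge the unified2 files downstream.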
> I am running two instances of snort on one machine, to handle the traffic load. I have split the traffic using BPF filters, so one instance sees just web traffic, while the second instance handles everything else. I am running snort 2.9.6 on a Gentoo 3.14.4 host.
>
> I have read in the snort manual about using the -G multiple instance identifier. I added this to my command line when starting up snort, using "-G 1" on the first instance and "-G 2" on the second instance. Snort starts up and runs just fine, but I don't see anything different in my output. I am logging to /var/log/messages and I don't see any "1" or "2" added in. I compared snort output with the -G switch to snort output without the -G switch and I don't see a difference.
>
> Anyone out there using this option? If so, where does that instance identifier show up?
>
> Thanx