Re: question about using SNORT to look at multiple NICs on one system

[waldo kitty <wkitty42 () windstream net>]

On 08/11/2015 11:45 AM, Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 wrote:
> After a reorganization of our snort sensors, we have one system that is
> looking at traffic on multiple NICs and I seem to be seeing detects on only
> one of them and I am trying to find why.  Before the change, the sensors at
> these locations were generating alerts.  Currently, there are SNORT instances
> on this system for each of the NICs in question and a quick TCPDUMP shows
> that all of the interfaces are seeing traffic.  Besides having a SNORT
> instance on this system for each NIC we want to monitor, Is there anything
> else that I need to do to make this work (we are currently using BARNYARD2 to
> get the alerts to a central database)?

do you have each snort instance using its own identifier so that its work is 
separated from the others?

do you have each snort sensor using its own directory for its output files?

do you have more than one barnyard2 instance running (eg: one for each snort)?

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!