Snort mailing list archives
Re: question about using SNORT to look at multiple NICs on one system
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 12 Aug 2015 16:26:03 -0400
On 08/12/2015 06:08 AM, Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 wrote:
Since I didn't do the reconfiguration, I have had to look at this and it appears that the answer to all of your questions is NO. Just by asking these questions you have confirmed my suspicions about how this reconfig was done, and I will have to request changes to the system to fully separate the snort instances on the system.
you should be able to keep them all running as individual processes on the single system... the key is to add the identifying portion to the snort instances as well as ensuring that they are using different output directories or at least different output files...

http://manual.snort.org/node11.html

[quote]
1.9.4 Specifying Multiple-Instance Identifiers

In Snort v2.4, the -G command line option was added that specifies an instance identifier for the event logs. This option can be used when running multiple instances of snort, either on different CPUs, or on the same CPU but a different interface. Each Snort instance will use the value specified to generate unique event IDs. Users can specify either a decimal value (-G 1) or hex value preceded by 0x (-G 0x11). This is also supported via a long option -logid.
[/quote]

then the trick is to get BY2 to read the different output files and get that data into the central database with the identifiers for each snort...

i'm sure there's more information available that i've forgotten... however, a trip through some of these results should be beneficial

https://www.google.com/search?q=multiple+snort+one+machine

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
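Added example, not part of the original post or the Snort manual: a dry-run planner that prints one Snort 2.x command line per NIC, each with its own `-G` instance identifier and its own log directory, then checks that no identifier or directory is reused. The interface names, the paths and the function names `plan_instances` and `check_plan` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: plan one Snort 2.x process per NIC. Prints commands only;
# nothing is started. Paths and interface names are assumptions.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed config path
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"              # assumed log root

# plan_instances IFACE...
# Emits one command line per interface. Refuses a repeated interface,
# because two processes on one NIC would write into the same directory.
plan_instances() {
    id=0
    seen=" "
    for iface in "$@"; do
        case "$seen" in
            *" $iface "*)
                echo "duplicate interface: $iface" >&2
                return 1 ;;
        esac
        seen="$seen$iface "
        id=$((id + 1))
        # -D daemonize, -i interface, -c config, -l log dir, -G instance id
        echo "snort -D -i $iface -c $SNORT_CONF -l $LOG_ROOT/$iface -G $id"
    done
}

# check_plan: reads a plan on stdin and exits non-zero if any -G value
# or any -l directory appears on more than one line.
check_plan() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "-G" && gid[$(i + 1)]++) bad = 1
            if ($i == "-l" && dir[$(i + 1)]++) bad = 1
        }
    } END { exit bad + 0 }'
}

# Constructed sample: three sensor NICs on one host.
plan_instances eth1 eth2 eth3
plan_instances eth1 eth2 eth3 | check_plan && echo "plan ok: ids and log dirs are unique"
```

Each per-interface log directory then becomes the spool directory for a separate reader that forwards events to the central database.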