Snort mailing list archives

How do I run multiple instances of snort on each firewall network interface?


From: Stanford Prescott <stan.prescott () gmail com>
Date: Fri, 31 Mar 2017 10:39:31 -0500

I've been doing a lot of research about how to run snort inline on a
firewall with multiple network interfaces. But I think I am getting ahead
of myself about how to do this. I think what I need to do is figure out the
basics of just running multiple instances of snort on each interface first.

What I have is our firewall distro with a WAN interface and up to three LAN
interfaces. Currently snort is set up to run and monitor the WAN interface
in IDS mode. We also have the capability of running a separate program
(called Guardian Active Response) that monitors the snort alerts log and
places the IP of the offenders in the alert log into an ipblock file so
that those IP addresses are blocked from the WAN interface.

What I want to do for now is to also monitor the internal LAN interfaces
mainly to detect any outgoing threats from any of the internal networks.

My question for now is, how do I start and monitor the one to three
internal networks? Is it simply a matter of having a separate snort.conf
for each instance of snort? Would I also need a separate log file for the
alerts from each network? Would I need a separate pid file for each snort
daemon?

Would it look something like this?

./snort -c </path/to first/snort.conf> -l /var/log/snort/snort_eth0/alert.log

./snort -c </path/to second/snort.conf> -l /var/log/snort/snort_eth1/alert.log

Would I also need separate rules for each snort instance?

TIA for any help!
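
The per-interface layout asked about above, as an added example that is not part of the original post or of the Snort project's own scripts: a launcher for Snort 2.x that gives each interface its own config file, log directory and PID file. The `snort_<if>.conf` naming, the directories and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example: one Snort 2.x daemon per interface. All paths are assumptions.
CONF_DIR="${CONF_DIR:-/etc/snort}"      # assumed: holds snort_<if>.conf
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"  # assumed log root, one subdirectory per interface
PID_DIR="${PID_DIR:-/var/run}"          # assumed PID directory
SNORT="${SNORT:-snort}"

# Accept only plain interface names before they are used to build paths.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command line for one interface. -l takes a directory, not a file;
# in daemon mode (-D) Snort names its PID file after the interface.
snort_cmd() {
    valid_iface "$1" || return 1
    printf '%s -D -i %s -c %s/snort_%s.conf -l %s/snort_%s --pid-path %s\n' \
        "$SNORT" "$1" "$CONF_DIR" "$1" "$LOG_ROOT" "$1" "$PID_DIR"
}

# Start one instance per interface, or only print the commands when DRY_RUN=1.
start_all() {
    for ifc in "$@"; do
        cmd=$(snort_cmd "$ifc") || { echo "skipping bad interface: $ifc" >&2; continue; }
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
            continue
        fi
        mkdir -p "$LOG_ROOT/snort_$ifc" || continue
        # -T parses the config and exits, so a broken file is never daemonised.
        "$SNORT" -T -i "$ifc" -c "$CONF_DIR/snort_$ifc.conf" \
            -l "$LOG_ROOT/snort_$ifc" >/dev/null 2>&1 \
            || { echo "config test failed for $ifc" >&2; continue; }
        $cmd    # unquoted on purpose; assumes the paths contain no spaces
    done
}

if [ "$#" -gt 0 ]; then start_all "$@"; fi
```

Each instance writes its alerts under its own directory, so a log watcher can tell which network an alert came from.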