Snort mailing list archives

Re: How do I run multiple instances of snort on each firewall network interface?


From: wkitty42 () windstream net
Date: Fri, 31 Mar 2017 11:59:46 -0400

On 03/31/2017 11:39 AM, Stanford Prescott wrote:
> My question for now is, how do I start and monitor the one to three
> internal networks? Is it simply a matter of having a separate snort.conf
> for each instance of snort?

basically, yes...

> Would I also need a separate log file for the
> alerts from each network?

yes...

> Would I need a separate pid file for each snort
> daemon?

yes...


> Would it look something like this?
>
> ./snort -c </path/to first/snort.conf> -l /var/log/snort/snort_eth0/alert.log
>
> ./snort -c </path/to second/snort.conf> -l /var/log/snort/snort_eth1/alert.log


yes... you can just have different conf file names if you want but there must be 
separate log directories and PID files... the current problem with the PID being 
placed in the log directory actually has a good effect in this case of multiple 
snorts on the same box... the "status" page code might get rather whacked, 
though... kinda like it did in the past with another mod that placed its PID 
somewhere else with a different format...


the following might help, too...

Re: Multiple instances of snort on the same server? 
http://seclists.org/snort/2010/q1/275

Intrusion Detection Systems with Snort: Advanced IDS Techniques 
https://books.google.com/books?id=1WKrLbh23LAC&pg=PA54&lpg=PA54&dq=how+to+run+multiple+snort&source=bl&ots=5pa27cQDez&sig=0oNq3tzgJIsRphd2Eb5VNZ9h3iE&hl=en&sa=X&ved=0ahUKEwjgy8iti4HTAhVixVQKHbd8AKMQ6AEISDAJ#v=onepage&q=how%20to%20run%20multiple%20snort&f=false


the above two found via https://www.google.com/search?q=how+to+run+multiple+snort


> Would I also need separate rules for each snort instance?

you don't /need/ separate rules for each, no... but having separate rules for 
each helps with customization, though (eg: you might not want a rule disabled or 
enabled for all four instances)...

this same thing comes for the conf files, too... sections that are identical can 
be shared from another included file... there's numerous ways to go about it, 
though... none is really "best" but the main thing to remember is that in the 
snort.conf file, everything can be in include files and the snort.conf could be 
nothing but includes from top to bottom...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
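
The layout discussed in this message, as an added example that is not part of the original post or of any Snort distribution: one instance per interface, each with its own conf file, log directory and PID directory, and each snort.conf built only from include lines. The directory layout and the file names vars.conf, base.conf and rules.conf are assumptions; `-l` and `--pid-path` are given a directory, not a file name.

```shell
#!/bin/sh
# Assumed layout (hypothetical, not from the thread):
#   $CONF_ROOT/shared/base.conf     sections identical for every instance
#   $CONF_ROOT/<iface>/vars.conf    per-interface variables (HOME_NET etc.)
#   $CONF_ROOT/<iface>/rules.conf   per-interface rule includes
CONF_ROOT="${CONF_ROOT:-/etc/snort}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# Emit a snort.conf for one interface that is includes from top to bottom.
# Variables come first because the shared sections and rules refer to them.
gen_conf() {
    iface="$1"
    printf 'include %s/%s/vars.conf\n' "$CONF_ROOT" "$iface"
    printf 'include %s/shared/base.conf\n' "$CONF_ROOT"
    printf 'include %s/%s/rules.conf\n' "$CONF_ROOT" "$iface"
}

# Print the command line for one instance. The PID directory is the log
# directory, which keeps the PID files of the instances apart.
snort_cmd() {
    iface="$1"
    dir="$LOG_ROOT/snort_$iface"
    printf 'snort -D -i %s -c %s/%s/snort.conf -l %s --pid-path %s\n' \
        "$iface" "$CONF_ROOT" "$iface" "$dir" "$dir"
}

# Succeed only if every interface maps to a distinct log/PID directory.
check_unique() {
    dupes=$(for i in "$@"; do printf '%s\n' "$LOG_ROOT/snort_$i"; done |
        sort | uniq -d)
    [ -z "$dupes" ]
}

# Dry run: print one command per interface, refusing duplicates.
start_all() {
    check_unique "$@" || { echo "duplicate log/PID directory" >&2; return 1; }
    for i in "$@"; do
        snort_cmd "$i"
    done
}

# Interface names taken from the question above.
start_all eth0 eth1
```

Redirect `gen_conf eth0` into that interface's snort.conf, and run each printed command with `-T` added to test the configuration before starting the daemon.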
