Re: How do I run multiple instances of snort on each firewall network interface?

[Stanford Prescott <stan.prescott () gmail com>]

Thanks wkitty42. I have run a couple of dozen searches with those terms and
never came up with those particular links. They are very helpful.

On Fri, Mar 31, 2017 at 10:59 AM, <wkitty42 () windstream net> wrote:

> On 03/31/2017 11:39 AM, Stanford Prescott wrote:
> > My question for now is, how do I start and monitor the one to three
> > internal networks? Is it simply a matter of having a separate snort.conf
> > for each instance of snort?
>
> basically, yes...
>
> > Would I also need a separate log file for the
> > alerts from each network?
>
> yes...
>
> > Would I need a separate pid file for each snort
> > demon?
>
> yes...
>
> > Would it look something like this?
> >
> > *./snort -c </path/to first/snort.conf> -l
> > /var/log/snort/snort_eth0/alert.log*
> >
> > *./snort -c </path/to second/snort.conf> **-l
> > /var/log/snort/snort_eth1/alert.log*
>
> yes... you can just have different conf file names if you want but there
> must be
> separate log directories and PID files... the current problem with the PID
> being
> placed in the log directory actually has a good effect in this case of
> multiple
> snorts on the same box... the "status" page code might get rather whacked,
> though... kinda like it did in the past with another mod that placed its
> PID
> somewhere else with a different format...
>
>
> the following might help, too...
>
> Re: Multiple instances of snort on the same server?
> http://seclists.org/snort/2010/q1/275
>
> Intrusion Detection Systems with Snort: Advanced IDS Techniques
> https://books.google.com/books?id=1WKrLbh23LAC&pg=PA54&;
> lpg=PA54&dq=how+to+run+multiple+snort&source=bl&ots=5pa27cQDez&sig=
> 0oNq3tzgJIsRphd2Eb5VNZ9h3iE&hl=en&sa=X&ved=0ahUKEwjgy8iti4HTAhVixVQKHbd8A
> KMQ6AEISDAJ#v=onepage&q=how%20to%20run%20multiple%20snort&f=false
>
>
> the above two found via https://www.google.com/search?
> q=how+to+run+multiple+snort
>
>
> > Would I also need separate rules for each snort instance?
>
> you don't /need/ separate rules for each, no... but having separate rules
> for
> each helps with customization, though (eg: you might not want a rule
> disabled or
> enabled for all four instances)...
>
> this same thing comes for the conf files, too... sections that are
> identical can
> be shared from another included file... there's numerous ways to go about
> it,
> though... none is really "best" but the main thing to remember is that in
> the
> snort.conf file, everything can be in include files and the snort.conf
> could be
> nothing but includes from top to bottom...
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!