Snort mailing list archives

RE: Multiple snort instance with different rulesets


From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Mon, 15 Oct 2001 10:57:51 +1000

At 04:33 PM 10/14/01 -0400, Marc-Andre Hamelin wrote:

Hi Marc-Andre,


I really don't know why it works like this. Each process should be completely
independent, with their own memory allocation. Even if the rule files have
the same names, they have their own inodes, they are different files,
furthermore, they are in different directories.

They are separate processes, for all intents and purposes.


Hummm, that just made me think of something, maybe the include directives in
snort.conf should include the full path of the rule files... Something I'll
try next...

Yes, I think this is the crux of your problem more than any shared memory / Snort internal issue.


I may also try what you suggested (one ruleset, and using pass rules), but I
think the same problem may occur.

If you have 1 ruleset, then the issue would be inherently moot.

If you want to have multiple rulesets, then they need individual names, and you need to tell your snort.conf which ruleset (with an individual name) to load for that instance (and hardcode the paths so there is no confusion).


I guess I should start to familiarize myself with the inner working of
snort. :-)

As above, I really feel it's a configuration issue more than anything.

Try giving your rules unique filenames and hardcode the path of your includes in snort.conf.eth? to be certain it's loading the ruleset you intend. (i.e.: /my/snort/rules/policy.rules.eth0)

Also, to avoid confusion, I suggest backing up and cleaning out your Snort output so you don't see old(er) alerts which may mislead you into thinking a rule you commented out on a particular sensor is back.

Hope it's of some help.




Regards,

Chris.
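
The check suggested in the reply above (unique rule filenames, absolute include paths per instance) can be automated. This is an added example, not part of the original message or of Snort itself; the `/etc/snort/eth0` and `/etc/snort/eth1` directories and the sample config contents are constructed for illustration.

```python
import os
import re

# Constructed sample configs for two sensor instances (not from the post).
SAMPLE_CONFIGS = {
    "/etc/snort/eth0/snort.conf.eth0": """\
# sensor on eth0
include policy.rules
include /my/snort/rules/policy.rules.eth0
""",
    "/etc/snort/eth1/snort.conf.eth1": """\
# sensor on eth1
include policy.rules
include /my/snort/rules/policy.rules.eth1
""",
}

# Matches active "include <path>" directives; commented-out lines do not match.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def parse_includes(text):
    """Return the include targets found in one snort.conf."""
    return [m.group(1) for m in map(INCLUDE_RE.match, text.splitlines()) if m]


def audit(configs):
    """Flag relative include paths and rule filenames shared across instances."""
    findings, seen = [], {}
    for conf, text in sorted(configs.items()):
        for target in parse_includes(text):
            if not target.startswith("/"):
                # Resolved relative to wherever Snort looks, so it is ambiguous.
                findings.append(("relative-path", conf, target))
            seen.setdefault(os.path.basename(target), set()).add(conf)
    for name, confs in sorted(seen.items()):
        if len(confs) > 1:
            # Same filename used by several instances: easy to load the wrong one.
            findings.append(("shared-filename", name, sorted(confs)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```

An empty result means every instance includes only absolute paths and no two instances reference a rule file with the same name.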

