Snort mailing list archives
Running two instances of Snort
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Wed, 25 Sep 2002 12:51:55 -0400
Hello,

I'm currently running Snort 1.8.7 on RHLinux 7.0. I currently have a very large custom rules file I created that does a lot of content checking, and I'm afraid that since my custom rules file alerts on a large majority of packets, then the other Snort attack rules will not be alerted on (Snort will only alert on one rule per packet as I understand it).

As a test I've tried running two instances of Snort on the same box and both appear to work perfectly, catching everything. Rather than creating a separate box, I was thinking of running two instances of Snort on the same box: one just looking for alerts in my custom alerts file (since it is so massive and does a lot of content checking), and one instance of Snort alerting on all of the other standard Snort rules. This way, if a packet were to arrive that matched one of my custom content rules, and at the same time matched a standard Snort attack rule, I would receive a separate alert in each Snort instance's log file.

I was wondering if anyone else is doing this type of thing, and any pros and cons you think would apply?

Thanks