Snort mailing list archives
Running 2 Bridge sensors on 1 host
From: Thijs Hodiamont <dabutch () dbsec net>
Date: Mon, 14 Oct 2002 11:59:03 +0200
Lo,

This is the situation: I'm running a Compaq Deskpro PIII 500 with 5 NICs to monitor our DMZ and corporate network. Running OS is Debian Sid. For this situation I have put in place this machine with the following config.

Note: All the NICs are in the same machine and I apologize for my bad drawing skills. :)

    192.168.100.0/24 -------> < eth0 < br_192 > eth1 > <------------
    10.0.0.0/24      -------> < eth2 < br_10  > eth3 > <------------
    192.168.8.2                 eth4 <-------------

As you can see there are 2 bridges,

- br_10 for the 10.0.0.0/24 DMZ, and this monitors our proxyserver and some other services
- br_192 for our internal webservers, mailservers who communicate via the 'trusted' (trusted is relative) line.

The big picture is this: our users (consultants etc.) use the br_10 as their internet connection. MSN, ICQ, MS IE, Kazaa and all other stuff go via this bridge, so the main function of snort here is to do some content monitoring.

The other bridge, br_192, is used by our mailservers and webservers who have another connection to the outside but are still directly connected to the net. Main function of this bridge is to detect attacks on those mission critical machines.

For this I made my snortbox. I've set it up with PostgreSQL and ACID, which works perfectly for my purpose. I'm running it now with the br_10 bridge and it runs very well. Only the following problem has arisen: I want to run 2 sensors on the same box. I've already made 2 different inetd scripts and 2 different configs. If I run either of those sensors a different pid file appears, so that should not be the problem. But if I want to run 2 sensors, the first one goes up like a space shuttle but the 2nd one doesn't want to start.

Does anyone have an idea how to run 2 sensors? I can send the inetd scripts and the configs if you like, but the only things I've changed are the config files from snort and the inetd files to match the different config files.

I've checked the logs of my box but I can't find any useful information. Anyone got an idea?

Tnx in advance.

Thijs Hodiamont

--
=====================
L.M. Hodiamont
ICQ:36514430
dabutch () dbsec net
=====================
Current thread:
- Running 2 Bridge sensors on 1 host Thijs Hodiamont (Oct 14)
- Re: Running 2 Bridge sensors on 1 host Erek Adams (Oct 14)