Snort mailing list archives
Re: Multiple Snort Instances
From: Erek Adams <erek () snort org>
Date: Thu, 27 Feb 2003 15:10:56 -0500 (EST)
On Thu, 27 Feb 2003, Demetri Mouratis wrote:
I have been investigating a rather strange problem with running multiple instances of snort on the same interface. The system is a Red Hat 7.3 box running snort 1.9 compiled with postgres support. Libpcap is libpcap-2002.09.09. The interface is eth1, brought up without an IP and connected to a monitoring port on a switch. When I run only one instance of snort, it sees all the traffic for the whole switch. However, when I run two instances of snort like so: # snort -dev -i eth1 # snort -dev -i eth1 The snort instances no longer see any TCP traffic, only UDP and ARP traffic. When I kill the second instance, all traffic is seen again by instance 1. When I fire up a third instance, all traffic is seen by all instances. Does this make any sense to anyone?
Yep. Linux uses a flag for promisc mode. It's basically 'on' or 'off'. When you run it twice, it turns it off. The third time, it's on. The fourth time it's off again.... Simply issue an 'ifconfig eth1 promisc' after starting the second. Or start snort with the '-p' switch. That should fix you. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Multiple Snort Instances Demetri Mouratis (Feb 27)
- Re: Multiple Snort Instances Erek Adams (Feb 27)
- RE: Multiple Snort Instances Mike Koponick (Feb 27)
- RE: Multiple Snort Instances Erek Adams (Feb 27)
- <Possible follow-ups>
- RE: Multiple Snort Instances Eric Joe (Feb 27)
- RE: Multiple Snort Instances McPheeters, Scott (Feb 27)
- RE: Multiple Snort Instances Williams Jon (Feb 28)
- RE: Multiple Snort Instances Demetri Mouratis (Feb 28)