Snort mailing list archives
Re: Snort with two instances
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Wed, 22 Dec 2010 12:40:15 -0700
Start off with conf files that have the necessary things unique to the sensor and then include your main snort.conf, e.g.: snort-eth2.conf: -------------------------------------------------------- config logdir: /var/snort/spool-eth2 config daemon config alert_with_interface_name preprocessor perfmonitor: time 300 file /var/snort/spool-eth2/snort.stats pktcnt 10000 include /etc/snort/snort.conf -------------------------------------------------------- -- Shane Castle Data Security Mgr, Boulder County IT CISSP GSEC GCIH -----Original Message----- From: J. L. Cabral [mailto:jelocabral () gmail com] Sent: Wednesday, December 22, 2010 12:07 To: snort-users () lists sourceforge net Subject: [Snort-users] Snort with two instances Dear all, I have a Snort 2.9 box with two sniffing interfaces: 1) eth1 sniff DMZ traffic --> in snort.conf HOME_NET = 172.18.10.0/24 2) eth2 sniff LAN traffic --> in snort.conf HOME_NET = 10.10.0.0/16 Is it better to have two different snort.conf files, for example: snort-eth1.conf snort-eth2.conf and run two snort instanes like these: snort -D -u snort -g snort -c /snort/etc/snort-eth1.conf -i eth1 snort -D -u snort -g snort -c /snort/etc/snort-eth2.conf -i eth2 In this case, what happen if I download rules with oinkmaster, will they apply on both snort-eth1.conf and snort-eth2.conf files ??? Or what is the best way to do I need ??? Really thanks, JeLo ------------------------------------------------------------------------------ Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption http://p.sf.net/sfu/oracle-sfdevnl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort with two instances J. L. Cabral (Dec 22)
- Re: Snort with two instances Eoin Miller (Dec 22)
- Re: Snort with two instances Castle, Shane (Dec 22)
- Re: Snort with two instances Lay, James (Dec 22)
- Re: Snort with two instances David C. Maple (Dec 22)
- Re: Snort with two instances Mike Lococo (Dec 24)