Snort mailing list archives
Re: question about using SNORT to look at multiple NICs on one system
From: "Jacobi, Michael W CIV NSWCCD Philadelphia, 10432" <michael.jacobi1 () navy mil>
Date: Wed, 12 Aug 2015 10:08:09 +0000
Since I didn't do the reconfiguration, I have had to look at this and it appears that the answer to all of your questions is NO. Just by asking these questions you have confirmed my suspicions about how this reconfig was done, and I will have to request changes to the system to fully separate the snort instances on the system.

Thanks!
Mike Jacobi

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Tuesday, August 11, 2015 2:36 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] question about using SNORT to look at multiple NICs on one system

On 08/11/2015 11:45 AM, Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 wrote:
After a reorganization of our snort sensors, we have one system that is looking at traffic on multiple NICs and I seem to be seeing detects on only one of them and I am trying to find why. Before the change, the sensors at these locations were generating alerts. Currently, there are SNORT instances on this system for each of the NICs in question and a quick TCPDUMP shows that all of the interfaces are seeing traffic. Besides having a SNORT instance on this system for each NIC we want to monitor, is there anything else that I need to do to make this work (we are currently using BARNYARD2 to get the alerts to a central database)?
do you have each snort instance using its own identifier so that its work is separated from the others?

do you have each snort sensor using its own directory for its output files?

do you have more than one barnyard2 instance running (eg: one for each snort)?

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
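
The three questions in the quoted reply (own identifier, own output directory, one barnyard2 per snort) can be checked against the running processes. The script below is an added example, not part of the thread and not Snort project code. It assumes the separation is done with command-line options (snort `-i`, `-l`, `-G`; barnyard2 `-d`), so settings made only in snort.conf or barnyard2.conf are not seen; the sample command lines and paths are constructed.

```python
import shlex
from collections import defaultdict
from posixpath import normpath

# Constructed sample (not from the thread): command lines as `ps -eo args`
# might list them on a sensor whose instances were not fully separated.
SAMPLE_PS = """\
snort -D -i eth1 -c /etc/snort/snort.conf -l /var/log/snort
snort -D -i eth2 -c /etc/snort/snort.conf -l /var/log/snort/
snort -D -i eth3 -c /etc/snort/eth3.conf -l /var/log/snort/eth3 -G 3
barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
"""

def parse_opts(argv):
    """Map each '-x value' pair to {flag: value}; a bare flag maps to None."""
    opts = {}
    for i, tok in enumerate(argv):
        if tok.startswith("-"):
            nxt = argv[i + 1] if i + 1 < len(argv) else "-"
            opts[tok] = None if nxt.startswith("-") else nxt
    return opts

def _dir(path):
    return normpath(path) if path else None   # /var/log/snort/ == /var/log/snort

def audit(ps_text):
    """Return one finding per violation of the three separation checks."""
    by_dir, by_id, spools = defaultdict(list), defaultdict(list), set()
    for line in ps_text.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        opts, prog = parse_opts(argv), argv[0].rsplit("/", 1)[-1]
        if prog == "snort":
            iface = opts.get("-i") or "?"
            by_dir[_dir(opts.get("-l"))].append(iface)  # -l: output directory
            by_id[opts.get("-G")].append(iface)         # -G: log identifier
        elif prog == "barnyard2":
            spools.add(_dir(opts.get("-d")))            # -d: spool directory
    findings = []
    for gid, ifaces in by_id.items():
        if len(ifaces) > 1:
            findings.append(f"identifier {gid or 'default'} shared by {', '.join(ifaces)}")
    for logdir, ifaces in by_dir.items():
        if len(ifaces) > 1:
            findings.append(f"output dir {logdir} shared by {', '.join(ifaces)}")
        if logdir not in spools:
            findings.append(f"no barnyard2 reads {logdir} ({', '.join(ifaces)})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PS)) or "instances look separated")
```

On a live sensor, feed it the output of `ps -eo args` in place of `SAMPLE_PS`.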
Current thread:
- question about using SNORT to look at multiple NICs on one system Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 (Aug 11)
- Re: question about using SNORT to look at multiple NICs on one system waldo kitty (Aug 11)
- Re: question about using SNORT to look at multiple NICs on one system Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 (Aug 12)
- Re: question about using SNORT to look at multiple NICs on one system waldo kitty (Aug 12)
- Re: question about using SNORT to look at multiple NICs on one system Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 (Aug 12)
- Re: question about using SNORT to look at multiple NICs on one system waldo kitty (Aug 11)