Snort mailing list archives

FW: starting multiple instances of snort


From: "Tony Reusser" <treusser () filertel com>
Date: Fri, 4 Dec 2015 09:10:29 -0700

James,

I am only running two simultaneous instances of snort.  One snort server with two sniffing interfaces on two separate network segments.

The way I am doing it, I have a separate snort.conf file for each “sensor” and each has its own output file for barnyard (two instances of barnyard with two config files running also) and each has its own log file.

Not as complex as your deployment, but here’s how my startup looks:

/usr/local/bin/snort -dD -c /etc/snort/snort_eth1.conf -i eth1
/usr/local/bin/snort -dD -c /etc/snort/snort_eth2.conf -i eth2
#
#
/usr/local/bin/barnyard2 -D -f snort_eth1.u2 -d /var/log/snort/eth1_logs -c /etc/snort/barnyard2_eth1.conf
/usr/local/bin/barnyard2 -D -f snort_eth2.u2 -d /var/log/snort/eth2_logs -c /etc/snort/barnyard2_eth2.conf

Hope this helps.

                -tkr

From: James [mailto:snort () cyclohexane net] 
Sent: Friday, December 04, 2015 8:54 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] starting multiple instances of snort

 

Hi,

I'm attempting to start 16 instances of snort using a for loop, but see this error repeating in /var/log/messages and hope someone can help as I'm drawing a blank at the moment.

snort[8537]: FATAL ERROR: Stat check on log dir failed: No such file or directory.

This is the loop:

for i in `seq 0 1 15`; do
    snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-$i --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4@$i,zc:eth5@$i --daq-var clusterid=$i --daq-var bindcpu=$i
done

The referenced log dirs exist and are owned by the snort user, as shown:

[]$ sudo -u snort ls -al /logs/snort/eth4_eth5/
total 72
drwx------ 18 snort snort 4096 Dec  4 10:44 .
drwx------  3 snort snort 4096 Dec  4 10:43 ..
drwx------  2 snort snort 4096 Dec  4 10:50 instance-0
drwx------  2 snort snort 4096 Dec  4 10:50 instance-1
drwx------  2 snort snort 4096 Dec  4 10:44 instance-10
drwx------  2 snort snort 4096 Dec  4 10:44 instance-11
drwx------  2 snort snort 4096 Dec  4 10:53 instance-12
drwx------  2 snort snort 4096 Dec  4 10:54 instance-13
drwx------  2 snort snort 4096 Dec  4 10:54 instance-14
drwx------  2 snort snort 4096 Dec  4 10:54 instance-15
drwx------  2 snort snort 4096 Dec  4 10:51 instance-2
drwx------  2 snort snort 4096 Dec  4 10:51 instance-3
drwx------  2 snort snort 4096 Dec  4 10:51 instance-4
drwx------  2 snort snort 4096 Dec  4 10:52 instance-5
drwx------  2 snort snort 4096 Dec  4 10:52 instance-6
drwx------  2 snort snort 4096 Dec  4 10:52 instance-7
drwx------  2 snort snort 4096 Dec  4 10:44 instance-8
drwx------  2 snort snort 4096 Dec  4 10:44 instance-9

Any help is much appreciated.

J.
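
A pre-flight check for the per-instance log directories named in the loop above, added here as an example and not part of either message: it walks each `instance-N` path from the root and reports the first component that is missing or not searchable, then checks that the final directory is writable. The function names and the `preflight.sh` file name are hypothetical, and paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example: pre-flight check for per-instance Snort log directories.
# Helper names are hypothetical; paths must be absolute.

# Print the first component of the path in $1 that is missing, not a
# directory, or not searchable by the current user. Prints nothing when
# the whole walk succeeds. The body is a subshell so the IFS and globbing
# changes stay local to this function.
first_bad_component() (
    set -f
    IFS=/
    cur=""
    for part in $1; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -d "$cur" ] || [ ! -x "$cur" ]; then
            printf '%s\n' "$cur"
            exit 0
        fi
    done
)

# check_instance_dirs BASE COUNT
# Check BASE/instance-0 .. BASE/instance-(COUNT-1); print one line per
# failing instance and return non-zero if any instance failed.
check_instance_dirs() {
    base=$1; count=$2; failed=0; i=0
    while [ "$i" -lt "$count" ]; do
        dir="$base/instance-$i"
        bad=$(first_bad_component "$dir")
        if [ -n "$bad" ]; then
            echo "instance-$i: cannot reach $bad"
            failed=$((failed + 1))
        elif [ ! -w "$dir" ]; then
            echo "instance-$i: $dir not writable"
            failed=$((failed + 1))
        fi
        i=$((i + 1))
    done
    [ "$failed" -eq 0 ]
}

# Example: sudo -u snort sh preflight.sh /logs/snort/eth4_eth5 16
if [ "$#" -ge 2 ]; then check_instance_dirs "$1" "$2"; fi
```

The permission tests apply to whichever account runs the script, so run it as the user passed to `-u` (for instance through `sudo -u snort`, as with the `ls` above).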
