Home page logo
/

snort logo Snort mailing list archives

Re: Snort with two instances
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 22 Dec 2010 19:33:07 +0000

On 12/22/2010 7:07 PM, J. L. Cabral wrote:
Dear all, I have a Snort 2.9 box with two sniffing interfaces:

1) eth1 sniff DMZ traffic --> in snort.conf HOME_NET = 172.18.10.0/24
2) eth2 sniff LAN traffic --> in snort.conf HOME_NET = 10.10.0.0/16

Is it better to have two different snort.conf files, for example:

snort-eth1.conf
snort-eth2.conf

and run two snort instanes like these:

snort -D -u snort -g snort -c /snort/etc/snort-eth1.conf -i eth1
snort -D -u snort -g snort -c /snort/etc/snort-eth2.conf -i eth2

In this case, what happen if I download rules with oinkmaster, will they
apply on both snort-eth1.conf and snort-eth2.conf files ???

Or what is the best way to do I need ???

Really thanks,

JeLo

Here is what we do if we applied it to your type setup:

1) Have a master /etc/snort/snort.conf that has everything you want in
it except the interface and home net defined.

2) Have a /etc/snort/snort-eth1.conf that looks like this:

config interface: eth1
HOME_NET = 172.18.10.0/24
include /etc/snort/snort.conf

3) Have a /etc/snort/snort-eth2.conf that looks like this:

config interface: eth2
HOME_NET = 10.10.0.0/16
include /etc/snort/snort.conf


This way the snort-eth1.conf and snort-eth2.conf pickup all the changes
you make to your master snort.conf. However, you may really want to do a
bunch of additional tuning to customize the conf files (and rules they
use) to be tuned to each network. If not though, this is a real easy way
to just have the few options you need for various instances to be setup.

-- Eoin



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]