Re: Snort with two instances
From: Mike Lococo <mikelococo () gmail com>
Date: Fri, 24 Dec 2010 16:32:11 -0500
On 12/22/2010 02:07 PM, J. L. Cabral wrote:
> Dear all, I have a Snort 2.9 box with two sniffing interfaces:
> Is it better to have two different snort.conf files...
As others have responded, you certainly can use separate conf-files. I
used to do so, but have since merged into a single config-file. I
specify the few unique config-bits on the command-line in my startup
script. I prefer a single config-file because it's simpler to manage.
My command-line sets the interface, location of my logs, and location of
snort -D -i eth1 -c /etc/snort/snort.conf -l /var/log/snort/eth1 \
snort -D -i eth2 -c /etc/snort/snort.conf -l /var/log/snort/eth2 \
All of my snort-instances monitor load-balanced shares of the same
network and run with identical rule-configs. If your snort-instances
have different home-nets, set that on the command-line with -h. If you
have different rule-configs for your snorts, you're probably better off
with separate config-files.
> In this case, what happens if I download rules with oinkmaster, will they
> apply on both snort-eth1.conf and snort-eth2.conf files ???
If you use a single-config file, they'll share the same rule-files and
If you use separate-configs, you can choose whether the rule-files and
configuration are shared. If you point every snort-instance to the same
RULE_PATH, they'll share rule-files. If you point each snort-instance
to a separate RULE_PATH like:
var RULE_PATH /etc/snort/rules-eth1 # in snort-eth1.conf
var RULE_PATH /etc/snort/rules-eth2 # in snort-eth2.conf
Then you must run a separate instance of oinkmaster/pulledpork for each
RULE_PATH, can use a separate oinkmaster/pulledpork-config for each
RULE_PATH, and can control the rules for each snort-instance separately.
> Or what is the best way to do I need ???
It's a matter of preference. I prefer a single-config, but my
snort-instances are identically configured. Either way is reasonable.
Whether you use one or multiple snort.conf-files, you'll need to run a
separate copy of barnyard2 for each snort-instance. Set your log-dirs
to be different for each instance (I use /var/log/snort/ethX).
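The layout described in the reply above (one shared snort.conf, the per-instance bits passed on the command line, one log directory and one barnyard2 per instance), written out as a startup script. This is an added example, not Mike's script or anything from the Snort project; the barnyard2 config path, the snort user/group, the home nets and the interface list are assumptions, and by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: start one Snort instance per sniffing interface from a
# single shared snort.conf. Everything instance-specific (interface, home
# net, log dir) is a command-line flag; everything shared lives in the conf.
# Assumed values: barnyard2.conf path, the snort user/group, and the home nets.
set -eu

SNORT_CONF=/etc/snort/snort.conf        # the one shared config
BY2_CONF=/etc/snort/barnyard2.conf      # assumed barnyard2 config
LOG_BASE=/var/log/snort                 # per-instance dirs: $LOG_BASE/ethX
DRY_RUN=${DRY_RUN:-1}                   # 1 = print commands, 0 = launch them

# "iface homenet" pairs, one per line; the home nets are made-up values
INSTANCES='eth1 192.0.2.0/24
eth2 198.51.100.0/24'

log_dir() { printf '%s/%s\n' "$LOG_BASE" "$1"; }

# Snort command line for one instance. -u/-g drop privileges after the
# sniffing interface is opened; -h sets that instance's HOME_NET.
build_snort_cmd() {
    iface=$1; homenet=$2
    printf 'snort -D -u snort -g snort -i %s -c %s -h %s -l %s\n' \
        "$iface" "$SNORT_CONF" "$homenet" "$(log_dir "$iface")"
}

# Each instance writes unified2 into its own log dir, so each needs its own
# barnyard2 reading that spool, with its own waldo (read-position) file.
build_barnyard2_cmd() {
    iface=$1
    dir=$(log_dir "$iface")
    printf 'barnyard2 -D -c %s -d %s -f snort.u2 -w %s/barnyard2.waldo\n' \
        "$BY2_CONF" "$dir" "$dir"
}

# Refuse to start two instances on one interface: they would share a log
# dir and their barnyard2 processes would read each other's spool files.
check_unique_ifaces() {
    printf '%s\n' "$INSTANCES" | awk '{print $1}' | sort | uniq -d \
        | grep -q . && return 1
    return 0
}

start_instance() {
    iface=$1; homenet=$2
    dir=$(log_dir "$iface")
    if [ "$DRY_RUN" = 1 ]; then
        build_snort_cmd "$iface" "$homenet"
        build_barnyard2_cmd "$iface"
        return 0
    fi
    mkdir -p "$dir"
    chown snort:snort "$dir"            # assumed user/group, matches -u/-g
    eval "$(build_snort_cmd "$iface" "$homenet")"
    eval "$(build_barnyard2_cmd "$iface")"
}

start_all() {
    check_unique_ifaces || { echo "duplicate interface in INSTANCES" >&2; return 1; }
    printf '%s\n' "$INSTANCES" | while read -r iface homenet; do
        [ -n "$iface" ] && start_instance "$iface" "$homenet"
    done
}

start_all
```

Run it as-is to see the command lines it would issue, and with DRY_RUN=0 to actually launch the instances. Because the rule set is shared, one oinkmaster or pulledpork run updates every instance; if you later split RULE_PATH per interface as the reply describes, that is the point at which you also need one rule-updater config per instance.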