Snort mailing list archives
Re: windows 2k single pc with multiple snort interface with portscan log ?
From: Rich Adamson <radamson () routers com>
Date: Fri, 8 Jul 2005 09:25:26 -0600
I have one box with 2 snort interfaces running mysql and base:
c:\ids2\snort-1\
c:\ids2\snort-2
In both snort and base I have the log dir set to c:\ids2\snort-1\log, where the portscan.log and alert.ids files are located.
In the base setup, in the base_conf.php file, it wants the path to the portscan.log.
Now my ? is, if I bring up another snort interface, do I add the c:\ids2\snort-1\log to the snort.conf where both snorts will add to this file?
If not, what do I need to do for multiple snorts on this log file?

The easiest way to do this is to copy snort.exe to snort2.exe (as you will need to run two occurrences of snort). The snort.conf with snort2.conf, directories for rules/ and rules2/, directories for log/ and log2, etc.

Start one occurrence like this:

    E:\Snort-v2-3\bin\snort.exe -c "E:\snort-v2-3\etc\snort.conf" -l "e:\snort-v2-3\Log" -A full -i 2 -d -e -X -s

and the second occurrence like this:

    E:\Snort-v2-3\bin\snort2.exe -c "E:\snort-v2-3\etc\snort2.conf" -l "e:\snort-v2-3\Log2" -A full -i 3 -d -e -X -s

(Note: look very closely at the differences in those two startups.)

If you want to run two occurrences of snort "as a service", then you'll need some additional software that enables that, which also requires some hand editing of the registry. I think the winsort.com site discusses this in more detail, but haven't been there for a while.

Then in your base_conf.php you can point to the different directories to achieve the objective.
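
A pre-launch check for the setup discussed in this thread, as an added example that is not part of the original message or of Snort: it parses each instance's command line and reports any config file (-c), log directory (-l) or interface (-i) shared by two instances. The function names and the SHARED_LOG sample are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Options from the commands in the reply whose values must differ per instance.
PER_INSTANCE = {"-c": "config", "-l": "logdir", "-i": "interface"}

def parse_snort_cmd(cmdline):
    """Extract the per-instance settings from one Windows snort command line."""
    # posix=False leaves backslashes in Windows paths alone; quotes are stripped by hand.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    settings = {"exe": tokens[0]}
    for opt, value in zip(tokens[1:], tokens[2:]):
        if opt in PER_INSTANCE:
            settings[PER_INSTANCE[opt]] = value
    return settings

def find_conflicts(cmdlines):
    """Return sorted (setting, value) pairs that more than one instance uses."""
    seen = defaultdict(list)
    for idx, cmd in enumerate(cmdlines):
        for name, value in parse_snort_cmd(cmd).items():
            if name == "exe":
                continue
            # Windows paths are case-insensitive and a trailing slash is irrelevant.
            key = value.lower().rstrip("\\/")
            seen[(name, key)].append(idx)
    return sorted(k for k, users in seen.items() if len(users) > 1)

# The two startup commands from the reply above.
PAGE_CMDS = [
    r'E:\Snort-v2-3\bin\snort.exe -c "E:\snort-v2-3\etc\snort.conf" '
    r'-l "e:\snort-v2-3\Log" -A full -i 2 -d -e -X -s',
    r'E:\Snort-v2-3\bin\snort2.exe -c "E:\snort-v2-3\etc\snort2.conf" '
    r'-l "e:\snort-v2-3\Log2" -A full -i 3 -d -e -X -s',
]
# Constructed misconfiguration: the second instance reuses the first log directory,
# so both processes would write the same portscan.log and alert.ids.
SHARED_LOG = [PAGE_CMDS[0], PAGE_CMDS[1].replace("Log2", "Log")]

if __name__ == "__main__":
    for label, cmds in (("reply", PAGE_CMDS), ("shared log", SHARED_LOG)):
        print(label, "->", find_conflicts(cmds) or "no conflicts")
```
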
Current thread:
- windows 2k single pc with multiple snort interface with portscan log ? Turnquist,Wayne (Jul 08)
- Re: windows 2k single pc with multiple snort interface with portscan log ? Rich Adamson (Jul 08)
