Snort mailing list archives

FW: Multiple instances of snort -G option


From: "Tony Reusser" <treusser () filertel com>
Date: Mon, 14 Jul 2014 12:09:14 -0600

I also run multiple instances of Snort on one box.  However, the reason I’m doing it is to have two distinct sensors.  
My “sensors” are just two GigE interfaces on the box.  For each one I’m running a separate instance of Snort with a 
distinct config file along with two instances of barnyard.


I don’t bother with the ‘-G’ option.  My startup commands just reflect each conf file and I use the ‘-i’ option for 
each interface.  Examples follow:

/usr/local/bin/snort -dD -c /etc/snort/snort_eth0.conf -i eth0

/usr/local/bin/snort -dD -c /etc/snort/snort_eth1.conf -i eth1

#

/usr/local/bin/barnyard2 -D -f snort_eth0.u2 -d /var/log/snort/eth0_logs -c /etc/snort/barnyard2_eth0.conf

/usr/local/bin/barnyard2 -D -f snort_eth1.u2 -d /var/log/snort/eth1_logs -c /etc/snort/barnyard2_eth1.conf


This doesn’t really apply to your situation as it seems you want to run two instances of snort on one interface using 
one config file.  But this is what I’ve figured out FWIW.


Tony Reusser

Filer Mutual Telephone Co.


From: Robert Millott [mailto:robm () millottandassociates com] 
Sent: Monday, July 14, 2014 8:37 AM
To: snort-users
Subject: [Snort-users] Multiple instances of snort -G option


I am running two instances of snort on one machine, to handle the traffic load.  I have split the traffic using BPF 
Filters, so one instance sees just web traffic, while the second instance handles everything else.  I am running snort 
2.9.6 on a Gentoo 3.14.4 host.

I have read in the snort manual about using the -G multiple instance identifier.  I added this to my command line 
when starting up snort, using "-G 1" on the first instance and "-G 2" on the second instance. Snort starts up and runs 
just fine, but I don't see anything different in my output.  I am logging to /var/log/messages and I don't see any "1" 
or "2" added in.  I compared snort output with the -G switch to snort output without the -G switch and I don't see a 
difference.


Anyone out there using this option?  If so, where does that instance identifier show up?  


Thanx



-- 
Robert Millott
President, Millott and Associates
(443) 255-3588
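On the question of where the -G identifier shows up: Snort carries the -G value inside the 32-bit event_id field of its unified2 records (the high 16 bits hold the instance identifier, the low 16 bits the per-instance event counter), so a unified2 consumer such as barnyard2 sees it, while the alert_syslog text written to /var/log/messages (gid:sid:rev, message, classification, priority, addresses) never contains the event_id at all. The following is an added example, not code from this thread or from the Snort project: a minimal unified2 reader that walks Unified2IDSEvent (type 7) records and splits each event_id into instance identifier and counter. The two records it parses are constructed inline to stand in for output from a "-G 1" and a "-G 2" instance; the rule 1:2008:3 and the addresses are hypothetical, and the upper/lower 16-bit split is the layout this example assumes.

```python
import struct

# Unified2 record header: type, length (both uint32, network byte order)
RECORD_HDR_FMT = "!II"
RECORD_HDR_LEN = struct.calcsize(RECORD_HDR_FMT)
UNIFIED2_IDS_EVENT = 7  # Unified2IDSEvent, the IPv4 event record

# Unified2IDSEvent body, 52 bytes, network byte order:
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
IDS_EVENT_FMT = "!IIIIIIIIIIIHHBBBB"
IDS_EVENT_LEN = struct.calcsize(IDS_EVENT_FMT)


def split_event_id(event_id):
    """Split a unified2 event_id into (instance_id, counter).

    Assumption of this example: the -G value sits in the upper 16 bits and
    the per-instance event counter in the lower 16 bits, so an instance
    started without -G reports instance 0.
    """
    return (event_id >> 16) & 0xFFFF, event_id & 0xFFFF


def _ipv4(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def parse_unified2(data):
    """Walk a unified2 byte stream and return the IDS event records found."""
    events = []
    off = 0
    while off + RECORD_HDR_LEN <= len(data):
        rtype, rlen = struct.unpack_from(RECORD_HDR_FMT, data, off)
        off += RECORD_HDR_LEN
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT_LEN:
            f = struct.unpack_from(IDS_EVENT_FMT, data, off)
            instance_id, counter = split_event_id(f[1])
            events.append({
                "event_id": f[1],
                "instance_id": instance_id,
                "counter": counter,
                "sid": f[4], "gid": f[5], "rev": f[6],
                "src": _ipv4(f[9]), "dst": _ipv4(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13],
            })
        # other record types (packets, extra data) are skipped by length
        off += rlen
    return events


def instances_seen(data):
    """Distinct -G instance identifiers present in a unified2 stream."""
    return sorted({e["instance_id"] for e in parse_unified2(data)})


def build_ids_event(instance_id, counter, gid, sid, rev):
    """Construct a Unified2IDSEvent record (test data, not Snort output)."""
    event_id = ((instance_id & 0xFFFF) << 16) | (counter & 0xFFFF)
    body = struct.pack(IDS_EVENT_FMT,
                       0, event_id, 1405347420, 0, sid, gid, rev,
                       0, 1, 0x0A000001, 0x0A000002, 51234, 80,
                       6, 0, 0, 0)
    return struct.pack(RECORD_HDR_FMT, UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed stream: first event from a "-G 1" instance, then the first
# event from a "-G 2" instance, both firing hypothetical rule 1:2008:3.
SAMPLE_STREAM = (build_ids_event(1, 1, 1, 2008, 3)
                 + build_ids_event(2, 1, 1, 2008, 3))

if __name__ == "__main__":
    for e in parse_unified2(SAMPLE_STREAM):
        print("instance %d event #%d [%d:%d:%d] %s:%d -> %s:%d" % (
            e["instance_id"], e["counter"], e["gid"], e["sid"], e["rev"],
            e["src"], e["sport"], e["dst"], e["dport"]))
```

Both instances emit event counter 1 for their first alert, so only the instance half of the event_id tells them apart; that is the collision -G exists to prevent when two sensors on one host feed the same unified2 consumer or database.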

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
