RE: [Snort-users] Snort start up on Multiple interface

Old 04-27-2004
Truax, Shawn

Hi Brian,

The only way that I know of and the way that I use is to use multiple
instances of snort with their own config files. In my opinion this is
actually the best way and gives added benefits when logging to a database
and sniffing multiple segments of a network. I would assume that the 4
interfaces you have are not all sniffing the same segment of your network,
and are on multiple segments of your network.

The real added advantage to this solution is signature tuning. By having
multiple config files you can have multiple signature lists. One thing you
will quickly find is that one signature on one segment of your network will
produce many false positives while on a different segment it will produce
none. By having multiple config files you can tailor each to the segment it
is watching and actually potentially increase the performance of snort by
weeding out the false positives in a more controlled manner.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107




-----Original Message-----
From: Brian Webster [mailto:bwebster@ACDSystems.com]
Sent: April 27, 2004 1:02 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort start up on Multiple interface


Hi. I'm looking for a little "how-to" info to get Snort running on a 4
port NIC.
It seems as though any attempt to add reference to additional interfaces in
the etc/init.d/argus file are unsuccessful. (I am using the argus
installation on Redhat9.0)
I have tried comma separated values eth0,eth1,eth2,eth3. No luck.
I don't really want to get multiple instances of snort running unless that is
the only way. I'm just trying to get data logged from behind several
switches to one machine. Has anyone got any advice?

Brian


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
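The reply above recommends one Snort instance per interface, each with its own config file so rules can be tuned per segment, but does not show how to wire that up. The following is an added example, not code from Shawn's reply, from Brian's setup or from the Snort project: a minimal SysV-style init script that starts and stops one instance per sniffing interface. The directory layout (/etc/snort/<iface>/snort.conf, /var/log/snort/<iface>/), the snort user and group, the interface list and the pid-file name snort_<iface>.pid are all assumptions chosen for the example and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the original post): one Snort instance per
# interface, each with its own configuration and log directory.
#
# Assumed layout (an assumption, not something the thread specifies):
#   /etc/snort/<iface>/snort.conf   per-segment config and rule selection
#   /var/log/snort/<iface>/         per-segment logs
#   /var/run/snort_<iface>.pid      pid file written by "snort -D -i <iface>"
#                                   (Snort 2.x naming; adjust for other versions)
# Paths are assumed to contain no whitespace.

SNORT_BIN=${SNORT_BIN:-/usr/sbin/snort}
SNORT_CONF_DIR=${SNORT_CONF_DIR:-/etc/snort}
SNORT_LOG_DIR=${SNORT_LOG_DIR:-/var/log/snort}
SNORT_PID_DIR=${SNORT_PID_DIR:-/var/run}
SNORT_USER=${SNORT_USER:-snort}
SNORT_GROUP=${SNORT_GROUP:-snort}
SNORT_IFACES=${SNORT_IFACES:-"eth0 eth1 eth2 eth3"}

# Print the command line for one interface's instance. Keeping this a pure
# function lets "snort_cmd eth1" be used for dry runs and for checks.
snort_cmd() {
    printf '%s -D -i %s -c %s/%s/snort.conf -l %s/%s -u %s -g %s --pid-path %s\n' \
        "$SNORT_BIN" "$1" "$SNORT_CONF_DIR" "$1" "$SNORT_LOG_DIR" "$1" \
        "$SNORT_USER" "$SNORT_GROUP" "$SNORT_PID_DIR"
}

# Verify every interface has its own readable config and that no interface
# is listed twice (two instances on one interface would double every alert).
# Returns 0 when the layout is sane, 1 otherwise, naming each problem.
check_layout() {
    rc=0
    seen=" "
    for iface in $SNORT_IFACES; do
        case "$seen" in
            *" $iface "*) echo "duplicate interface: $iface" >&2; rc=1 ;;
        esac
        seen="$seen$iface "
        [ -r "$SNORT_CONF_DIR/$iface/snort.conf" ] || {
            echo "missing config: $SNORT_CONF_DIR/$iface/snort.conf" >&2; rc=1
        }
    done
    return $rc
}

start() {
    check_layout || return 1
    for iface in $SNORT_IFACES; do
        mkdir -p "$SNORT_LOG_DIR/$iface"
        chown "$SNORT_USER:$SNORT_GROUP" "$SNORT_LOG_DIR/$iface"
        echo "starting snort on $iface"
        eval "$(snort_cmd "$iface")"
    done
}

stop() {
    for iface in $SNORT_IFACES; do
        pidfile="$SNORT_PID_DIR/snort_$iface.pid"
        if [ -r "$pidfile" ]; then
            echo "stopping snort on $iface (pid $(cat "$pidfile"))"
            kill "$(cat "$pidfile")" && rm -f "$pidfile"
        else
            echo "no pid file for $iface, not running?" >&2
        fi
    done
}

# Dispatch only when invoked with an action, so the functions can also be
# sourced (". ./snort-multi" then "snort_cmd eth2") without side effects.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   start ;;
        stop)    stop ;;
        restart) stop; start ;;
        check)   check_layout && echo "layout ok" ;;
        *)       echo "usage: $0 {start|stop|restart|check}" >&2; exit 1 ;;
    esac
fi
```

Run "./snort-multi check" after editing any per-interface snort.conf to catch a missing or duplicated interface before "start"; the per-segment rule tuning the reply describes then lives entirely in each /etc/snort/<iface>/snort.conf, with nothing shared between instances except the binary.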
