RE: [Snort-users] Multiple instances of snort on a bonded interface

I don't run multiple instances of snort on the same machine, but I do run snort and tcpdump and idabench on the same sensor(s), and they run fine. Tcpdump captures the packets I want, snort does too....

What you're basically asking is if running applications, putting the NIC in promiscuous mode (in order to sniff), can access pcap and the NIC at the same time. The answer is yes, most definitely, on the Linux platform.

Now, what you seem to really be asking is how to get snort to dump a binary pcap file. You can tell snort (in snort.conf) to log to mysql and to a binary pcap file, without having to run another instance of snort.

Corey

>From: Miles Stevenson <miles@mstevenson.org>
>Reply-To: miles@mstevenson.org
>To: snort-users@lists.sourceforge.net
>Subject: [Snort-users] Multiple instances of snort on a bonded interface
>Date: Wed, 9 Jun 2004 16:31:43 -0400
>
>Hello list. Haven't been able to find any help on this, maybe someone
>here can help me.
>
>I have a bond0 interface that I have been using for quite a while and works
>fine. An instance of snort is running and dumping everything into a MySQL
>DB. I'm trying to set up a 2nd snort process to run on the same bond0
>interface with a slightly different config, so I can dump it to a binary
>tcpdump file.
>
>I know that there shouldn't be any problems running 2 sniffers on the same
>real interface (i.e. eth0, fxp0, etc) but has anyone tried this on a Linux
>bonded interface? The first snort process is still seeing traffic and
>dumping to MySQL, but the second one isn't seeing anything. Maybe this is a
>Linux specific issue?
>
>I'm running an up to date 2.4 kernel on a RedHat box....
>
>TIA
>--
>Miles Stevenson
>miles@mstevenson.org
>PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
>
>_______________________________________________
>Snort-users mailing list
>Snort-users@lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/...fo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.p...st=snort-users
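
The single-instance setup suggested in the reply could look like the following snort.conf fragment. This is an added example, not part of the original thread; the database user, password, database name, host and the pcap file name are placeholder assumptions.

```conf
# snort.conf (Snort 2.x output plugins); all values below are constructed placeholders

# Existing output: write logged packets and events to MySQL.
# user, password, dbname and host are assumptions, replace with your own.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# Second output in the same Snort instance: binary pcap (tcpdump format).
# The file is created in the log directory (-l on the command line) and
# Snort appends a timestamp to the name, e.g. snort.pcap.<epoch>.
output log_tcpdump: snort.pcap
```

Both plugins record the packets that rules select for logging, not every packet on the wire; a full capture still needs a separate sniffer such as the tcpdump process mentioned in the reply.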