This is a discussion on RE: [Snort-users] Multiple sensors/interfaces, same daemon within the Snort forums, part of the System Security and Security Related category.
The easiest way to do it is to just run separate processes.

/usr/local/bin/snort -c /etc/snort/snort.eth0.conf -ieth0 -u snort -g snort -D
/usr/local/bin/snort -c /etc/snort/snort.eth1.conf -ieth1 -u snort -g snort -D

This way I can keep each sensor running completely separate from the other. If you want to have them use 1 config, just make sure to set HOME_NET to include the networks for both interfaces.

var HOME_NET [10.1.1.0/24,24.57.12.0/24]

Just remember that unless you specify the interface it will assume "any". I've found it's much better to isolate snort as a non-privileged user/group and manage each interface as a separate sensor under separate processes.

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Sergio Caltagirone
Sent: Thursday, July 01, 2004 11:00 AM
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Multiple sensors/interfaces, same daemon

Hey all,

How do I configure a single snort daemon to act as a sensor on two interfaces? When I try '-i any' I pick up a lot of traffic from 127.0.0.1 - which I'm guessing is the loopback; however, I get none from eth1 and just fine from eth0.

Also, with 2 interfaces, how should the $HOME_NET and $EXTERNAL_NET be set?

Thanks,
Sergio

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users
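The per-interface layout described in the reply above, as an added example that is not part of the original thread: a POSIX shell launcher that refuses `any`, checks each config with `snort -T` before daemonizing, and gives every sensor its own log directory. The `/var/log/snort` root, the per-sensor `-l` directory, the `DRY_RUN` switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: one Snort process per interface.
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}  # binary path used in the reply
CONF_DIR=${CONF_DIR:-/etc/snort}              # holds snort.<iface>.conf, as in the reply
LOG_ROOT=${LOG_ROOT:-/var/log/snort}          # assumed; one subdirectory per sensor
RUN_AS=${RUN_AS:-snort}                       # unprivileged user and group

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Accept only plain interface names. "any" is refused so that every
# process stays bound to exactly one interface.
valid_iface() {
    case "$1" in
        ''|any|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Start one daemon per interface given as an argument.
# Returns non-zero when no sensor could be started.
start_sensors() {
    started=0
    for ifc in "$@"; do
        conf="$CONF_DIR/snort.$ifc.conf"
        if ! valid_iface "$ifc"; then
            echo "skip '$ifc': not a single interface name" >&2; continue
        fi
        if [ ! -r "$conf" ]; then
            echo "skip $ifc: $conf not readable" >&2; continue
        fi
        # Per-sensor log directory, owned by the account Snort drops to.
        run mkdir -p "$LOG_ROOT/$ifc" || continue
        run chown "$RUN_AS:$RUN_AS" "$LOG_ROOT/$ifc" || continue
        # -T parses the config and exits; daemonize only if it is clean.
        if ! run "$SNORT_BIN" -T -c "$conf" -i "$ifc" >/dev/null 2>&1; then
            echo "skip $ifc: config test failed" >&2; continue
        fi
        run "$SNORT_BIN" -c "$conf" -i "$ifc" -l "$LOG_ROOT/$ifc" \
            -u "$RUN_AS" -g "$RUN_AS" -D && started=$((started + 1))
    done
    [ "$started" -gt 0 ]
}
```

Source the file and call `start_sensors eth0 eth1` as root; with `DRY_RUN=1` set first, the same call only prints the commands it would run.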