Re: [Snort-users] windows 2k single pc with multiple snort interface with portscan log ?
This is a discussion on Re: [Snort-users] windows 2k single pc with multiple snort interface with portscan log ? within the Snort forums, part of the System Security and Security Related category; > I have one box with 2 snort interfaces running mysql and base > > c:\ids2\snort-1\ > ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
07-08-2005
|
|||
|
|||
Re: [Snort-users] windows 2k single pc with multiple snort interface with portscan log ?
> I have one box with 2 snort interfaces running mysql and base
> > c:\ids2\snort-1\ > c:\ids2\snort-2 > > in both snort and base i have the log dir set to c:\ids2\snort-1\log where portscan.log and alert.ids files located > > in the base setup in the base_conf.php file, it wants the path to the portscan.log > > > Now my ? is, if i bring up another snort interface, do i add the c:\ids2\snort-1\log to the snort.conf where both snorts will add to this file? > If not, what do i need to do for multiple snorts on this log file The easiest way to do this is to copy snort.exe to snort2.exe (as you will need to run two occurances of snort). The snort.conf with snort2.conf, directories for rules/ and rules2/, directories for log/ and log2, etc. Start one occurance like this: E:\Snort-v2-3\bin\snort.exe -c "E:\snort-v2-3\etc\snort.conf" -l "e:\snort-v2-3\Log" -A full -i 2 -d -e -X -s and the second occurance like this: E:\Snort-v2-3\bin\snort2.exe -c "E:\snort-v2-3\etc\snort2.conf" -l "e:\snort-v2-3\Log2" -A full -i 3 -d -e -X -s (Note: look very closely at the differences in those two startups.) If you want to run two occurances of snort "as a service", then you'll need some additional software that enables that which also requires some hand editing of the registry. I think the winsort.com site discusses this in more detail, but haven't been there for a while. Then in your base_conf.php you can point to the different directories to achieve the objecitve. ------------------------------------------------------- This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP, AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
