
Snort Forums Archive


single machine multiple sensor


Posted by christopherccv on May 06, 2005 00:11:50

Is Snort able to fire multiple sensors on a single machine?

e.g.

eth0 - eth1 (bridging mode) -> br0 (sensor 1)
eth2 - eth3 (bridging mode) -> br1 (sensor 2)
eth4 - eth5 (bridging mode) -> br2 (sensor 3)

I think VLAN on each bridge should be alright, but I'm not sure about the multiple sensors.

Any idea?

Posted by D4n13L on May 12, 2005 06:32:37

I believe you can start multiple instances of snort with different config files.

Posted by TBoNe on May 17, 2005 12:14:35

Yes you can. How I do mine is by creating different binary files for each instance of Snort I want to run, i.e. snort.eth1, snort.eth2. I then create two snort folders, each with their own config and rules folders. I then create separate init scripts to run each instance of Snort under a different name so I can manipulate the process without affecting the other. I can give you more examples if you like.

Posted by jnicholson on June 03, 2005 10:24:37

If each instance of snort doesn't have any differences besides which int it is sniffing then you don't even need different config files or rules folders.

I run two instances, one for each interface on my sniffing box and all I did to start each one differently is specify which int to sniff in the start up command. Both instances of snort use the same rules folder and config files. Specifying the int in the start command overrides the int value in the config file.

Posted by lubo on June 20, 2005 05:08:11

You don't have to have 2 different binaries.
Just execute the same one with -i [interface] and there you go.
For text file logging you should check the sources, but SQL logging works fine.
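
The setup the replies above describe (one Snort binary, one shared config, `-i` selecting the interface per instance), as an added example that is not from any poster in the thread. The paths, the `br0 br1 br2` list and the per-interface log directory passed with `-l` are assumptions chosen to keep each sensor's text logs apart.

```shell
#!/bin/sh
# Added example: one Snort process per bridge, same binary and config.
# All paths and the sensor list below are assumed values, not from the thread.
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"
SENSORS="${SENSORS:-br0 br1 br2}"

# Accept only plain interface names, since the name is reused as a directory.
valid_iface() {
    case "$1" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command line for one sensor (for review or dry runs).
sensor_cmd() {
    valid_iface "$1" || return 1
    printf '%s -D -i %s -c %s -l %s/%s\n' \
        "$SNORT_BIN" "$1" "$SNORT_CONF" "$LOG_ROOT" "$1"
}

# Start every sensor; with DRY_RUN=1 only print what would be run.
start_sensors() {
    for iface in $SENSORS; do
        cmd=$(sensor_cmd "$iface") || {
            echo "skipping invalid interface name: $iface" >&2
            continue
        }
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
            continue
        fi
        # -D daemonizes, -i overrides the interface set in the config,
        # -l gives this instance its own log directory.
        mkdir -p "$LOG_ROOT/$iface" &&
            "$SNORT_BIN" -D -i "$iface" -c "$SNORT_CONF" -l "$LOG_ROOT/$iface"
    done
}

if [ "${1:-}" = "start" ]; then
    start_sensors
fi
```

Run it with `DRY_RUN=1 ./script start` first to see the three command lines before launching anything.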