[Snort-users] Multiple instances on one FreeBSD system

Chris Green cmg at ...671...
Sat Apr 7 12:01:11 EDT 2001


Tom Sevy <tsevy at ...1701...> writes:

> I currently have multiple instances running on a single (2 x PIII 600, 512m
> ram) system that has four nics.
> 
> If I am only logging to flat files, what is the chance for file contention?
> On just one of the lan segments (Monitoring Nics) I have seen > 35,000,000
> packets in a 24 hour period.

Are you saying that you are logging to the same log files for separate
processes?

If so, an emphatic "DON'T DO THAT" is in order.  You'd get burned
sooner or later.

One solution is to log binary on all of them to separate dirs, then
use something like tcpsplice to sort them all together.

Then run a postprocessing snort with the -r switch to regenerate
logfiles however you like.

Something like the portscan detection can only be done on the first
set of detection.  
-- 
Chris Green <cmg at ...671...>
This is my signature. There are many like it but this one is mine.
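The merge step the reply describes (per-instance binary logs, combined into one
timestamp-ordered capture that a single postprocessing `snort -r` can read) as an
added example; this is not code from the post or from the Snort project, and in
practice you would reach for tcpslice or mergecap rather than write your own. It
reads the libpcap format that binary logging produces, does a k-way merge on the
packet timestamps, and refuses to mix captures with different link types. The
interface names (fxp0, fxp1, fxp2), the timestamps and the frame bytes are all
constructed sample data, not real captures.

```python
import heapq
import struct

# libpcap file layout (what snort's binary logging writes): a 24-byte global
# header followed by records of a 16-byte packet header plus the captured bytes.
_LE_MAGIC = 0xA1B2C3D4
_BE_MAGIC = 0xD4C3B2A1


def parse_pcap(data):
    """Parse one pcap file into (linktype, snaplen, [(sec, usec, orig_len, bytes), ...])."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == _LE_MAGIC:
        fmt = "<"          # file written by a little-endian host
    elif magic == _BE_MAGIC:
        fmt = ">"          # file written by a big-endian host
    else:
        raise ValueError("unknown pcap magic 0x%08x" % magic)
    ghdr = struct.Struct(fmt + "IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    phdr = struct.Struct(fmt + "IIII")      # ts_sec, ts_usec, incl_len, orig_len
    _, _major, _minor, _tz, _sigfigs, snaplen, linktype = ghdr.unpack_from(data, 0)
    packets = []
    off = ghdr.size
    while off + phdr.size <= len(data):
        sec, usec, incl_len, orig_len = phdr.unpack_from(data, off)
        off += phdr.size
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        packets.append((sec, usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after last packet record")
    return linktype, snaplen, packets


def build_pcap(linktype, snaplen, packets):
    """Serialise (sec, usec, orig_len, bytes) records as a little-endian pcap 2.4 file."""
    out = [struct.pack("<IHHiIII", _LE_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, orig_len, payload in packets:
        out.append(struct.pack("<IIII", sec, usec, len(payload), orig_len))
        out.append(payload)
    return b"".join(out)


def merge_pcaps(logs):
    """Merge the binary logs of several snort instances into one timestamp-ordered pcap."""
    parsed = [parse_pcap(d) for d in logs]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("cannot merge captures with different link types: %r" % linktypes)
    linktype = linktypes.pop()
    snaplen = max(sl for _, sl, _ in parsed)   # the merged file must fit the largest record
    key = lambda p: (p[0], p[1])
    # Each instance wrote its file in capture order, so a k-way heap merge is enough;
    # sorting each stream first only guards against a file that was not.
    streams = [sorted(p, key=key) for _, _, p in parsed]
    return build_pcap(linktype, snaplen, list(heapq.merge(*streams, key=key)))


def sample_instance_logs():
    """Constructed sample data, not real traffic: one tiny binary log per monitoring NIC."""
    # A minimal Ethernet frame (DLT_EN10MB = 1) with a zeroed IPv4 header; contents don't matter here.
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 19

    def log(stamps):
        return build_pcap(1, 1514, [(s, u, len(frame), frame) for s, u in stamps])

    return {   # hypothetical FreeBSD interface names, one snort instance each
        "fxp0": log([(100, 0), (100, 500000), (103, 0)]),
        "fxp1": log([(100, 250000), (102, 0)]),
        "fxp2": log([(101, 0), (104, 0)]),
    }


def merged_timestamps(logs):
    """Return the (sec, usec) sequence of the merged file, to check the ordering."""
    _, _, packets = parse_pcap(merge_pcaps(list(logs.values())))
    return [(sec, usec) for sec, usec, _, _ in packets]


if __name__ == "__main__":
    logs = sample_instance_logs()
    with open("merged.pcap", "wb") as fh:
        fh.write(merge_pcaps(list(logs.values())))
    # Afterwards a single postprocessing run, e.g. snort -r merged.pcap, regenerates the logs.
    print(merged_timestamps(logs))
```

Note that merging only fixes the log-contention problem; anything stateful that
spans the separate instances, such as portscan detection, still only sees the
traffic of the instance it ran in, as the reply points out.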