[Snort-users] Snorticus not handling redundant networks

Tom Jacobsen tom at ...1901...
Thu Apr 26 20:27:56 EDT 2001


Snorticus v1.03 document says "Subnets can be 'bound' to any network 
interface which is useful if you run redundant networks and need to monitor 
the same address space on separate feeds."  Well, this is the case for me.  I 
have a sensor connected to two switches via two ethernet cards.  The 
address space is the same on each switch, say 192.168.1.0.  The switches 
are used for fail-over.  So I can watch traffic on whichever switch is 
carrying the traffic at the time.  I set Snorticus's network.cfg file to
	192.168.1.0|eth0
	192.168.1.0|eth1

This will result in the following snort commands from hourly_wrapup.sh

snort -A full -c /home/snort/rules/rules.192.168.1.0 -d -D -e -h 192.168.114.0/24 -i eth0 -l /home/snort/LOGS/apppod1/20010427.00/192.168.114.0

snort -A full -c /home/snort/rules/rules.192.168.1.0 -d -D -e -h 192.168.114.0/24 -i eth1 -l /home/snort/LOGS/apppod1/20010427.00/192.168.114.0

The interfaces are different, but the log files are the same.  Can two 
snorts write to the same log file?  While traffic should be mainly over one 
switch at a time, I want to make sure I capture everything on both switches 
at the same time.  I think I'll modify Snorticus to account for my 
situation and create separate log files.

Suggestions on how this is best handled?  Has anyone else encountered this, 
and what did you do?

Thanks,
Tom
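The per-interface log directory modification Tom describes, as an added example that is not part of the original post nor of Snorticus or Snort themselves. It reads `subnet|interface` lines in the network.cfg format quoted above and emits one snort command per line, appending the interface name to the `-l` directory so that two daemons watching the same address space on redundant feeds never share a log directory. The rules-file naming (`rules.<subnet>`), the `/24` netmask, the sensor name and hour tag are assumptions modelled on the commands in the post; every path is derived from the subnet in the config rather than hard-coded.

```shell
#!/bin/sh
# Added example (not part of the original post or of Snorticus itself):
# builds per-interface snort command lines from a network.cfg of the form
#   subnet|interface
# so redundant feeds for one address space log to separate directories.
# Assumptions: rules live in $SNORT_HOME/rules/rules.<subnet>, the -h
# netmask is /24, and the sensor/hour values are placeholders.

SNORT_HOME="${SNORT_HOME:-/home/snort}"
SENSOR="${SENSOR:-apppod1}"
HOUR_TAG="${HOUR_TAG:-20010427.00}"

# Constructed sample matching the network.cfg in the post.
sample_cfg() {
    printf '%s\n' "192.168.1.0|eth0" "192.168.1.0|eth1"
}

# snort_cmd SUBNET IFACE -> prints one snort command line.  The log
# directory carries the interface name, so eth0 and eth1 never collide.
snort_cmd() {
    subnet="$1"; iface="$2"
    logdir="$SNORT_HOME/LOGS/$SENSOR/$HOUR_TAG/$subnet.$iface"
    printf 'snort -A full -c %s/rules/rules.%s -d -D -e -h %s/24 -i %s -l %s\n' \
        "$SNORT_HOME" "$subnet" "$subnet" "$iface" "$logdir"
}

# build_cmds reads "subnet|iface" lines on stdin and prints one command
# per line, skipping blank lines and '#' comments.
build_cmds() {
    while IFS='|' read -r subnet iface; do
        case "$subnet" in ''|'#'*) continue ;; esac
        snort_cmd "$subnet" "$iface"
    done
}

# count_distinct_logdirs: reads command lines on stdin and reports how
# many distinct -l directories they use (should equal the line count).
count_distinct_logdirs() {
    sed 's/.* -l //' | sort -u | wc -l | tr -d ' '
}

sample_cfg | build_cmds
```

Keeping the `-l` directories apart also keeps each daemon's `alert` file and packet logs apart, so neither instance appends into the other's output while both switches carry traffic.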
