[Snort-users] Multiple snort instance with different rulesets
Marc-Andre Hamelin
mhamelin at ...1801...
Sat Oct 13 23:14:02 EDT 2001
Hi all,

I have a server running snort with multiple interfaces to monitor multiple
networks.

I tried to run multiple snort instances (one for each interface) with a
different ruleset for each, but it seems that all of them are using the same
ruleset (the one loaded by the first snort process started).

I need to do that because each network is different. Some may have local
rules that others don't need, etc.

Is it normal, I mean, because of the way snort is designed?
Is there another way to achieve my goal?
Any ideas?

Just a last-minute thought as I am writing: might I have to name each
"snort.conf" file with a different name (something like snort.conf.eth0,
snort.conf.eth1, etc.)?

Marc

P.S. In case it could help, here's my startup script:

#!/bin/sh
# One snort daemon per interface, each with its own config and log directory.
case "$1" in
start)
    /usr/local/bin/snort -c /export/snort/eth0/rules/snort.conf \
        -d -D -e -i eth0 -l /export/snort/eth0/logs/
    /usr/local/bin/snort -c /export/snort/eth1/rules/snort.conf \
        -d -D -e -i eth1 -l /export/snort/eth1/logs/
    /usr/local/bin/snort -c /export/snort/eth2/rules/snort.conf \
        -d -D -e -i eth2 -l /export/snort/eth2/logs/
    /usr/local/bin/snort -c /export/snort/eth3/rules/snort.conf \
        -d -D -e -i eth3 -l /export/snort/eth3/logs/
    ;;
stop)
    # Stops every snort process on the host, not just the ones started here.
    /usr/bin/killall snort
    ;;
restart)
    /usr/bin/killall snort
    /usr/local/bin/snort -c /export/snort/eth0/rules/snort.conf \
        -d -D -e -i eth0 -l /export/snort/eth0/logs/
    /usr/local/bin/snort -c /export/snort/eth1/rules/snort.conf \
        -d -D -e -i eth1 -l /export/snort/eth1/logs/
    /usr/local/bin/snort -c /export/snort/eth2/rules/snort.conf \
        -d -D -e -i eth2 -l /export/snort/eth2/logs/
    /usr/local/bin/snort -c /export/snort/eth3/rules/snort.conf \
        -d -D -e -i eth3 -l /export/snort/eth3/logs/
    ;;
*)
    echo "Usage: /etc/init.d/snortd {start|stop|restart}"
    ;;
esac
exit 0
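
A check that the per-interface configurations described above really resolve to different rules on disk, as an added example that is not part of the original post. The function names are hypothetical, and it assumes relative "include" paths are resolved against the directory of the including file.

```shell
#!/bin/sh
# Added example (not from the original post): compare the effective ruleset
# behind each per-interface snort.conf. Assumption: relative "include" paths
# resolve against the including file's directory; "$VAR" paths are not expanded.

# Print a config's active lines, following "include" directives.
# The ( ... ) body runs in a subshell so recursion cannot clobber variables.
effective_rules() (
    conf=$1
    dir=$(dirname "$conf")
    [ -r "$conf" ] || { echo "MISSING $conf"; exit 0; }
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^include[[:space:]][[:space:]]*/include /' "$conf" |
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                          # blank line or comment
            'include '*)
                inc=${line#include }
                case $inc in /*) ;; *) inc=$dir/$inc ;; esac
                effective_rules "$inc" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
)

# SHA-256 over the effective ruleset of one config file.
fingerprint() {
    effective_rules "$1" | sha256sum | cut -d' ' -f1
}

# Print every config whose effective ruleset matches an earlier one.
# Returns 1 if any duplicates were found, 0 otherwise.
check_distinct() {
    status=0
    seen=''
    for conf in "$@"; do
        fp=$(fingerprint "$conf")
        match=$(printf '%s' "$seen" | awk -v fp="$fp" '$1 == fp { print $2; exit }')
        if [ -n "$match" ]; then
            echo "SAME RULESET: $conf == $match"
            status=1
        fi
        seen="$seen$fp $conf
"
    done
    return "$status"
}

# Usage: sh check_rulesets.sh /export/snort/eth*/rules/snort.conf
if [ "$#" -gt 0 ]; then check_distinct "$@"; fi
```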