[Snort-users] Multiple snort instance with different rulesets

Chris Keladis Chris.Keladis at ...2783...
Sun Oct 14 01:08:01 EDT 2001


Marc-Andre Hamelin wrote:

> I tried to run multiple snort instance (one for each interface) with a
> different ruleset for each, but it seems that all of them are using the same
> ruleset (the one loaded by the first snort process started).

Snort essentially includes its rules from within snort.conf, or they
may also be defined in snort.conf itself.

My guess is that all your Snort processes are using the same snort.conf
hence the same rules ($HOME_NETs etc, etc).

 
> Just a last minute thought as I am writing; could I have to name each
> "snort.conf" file with different names (something like snort.conf.eth0,
> snort.conf.eth1, etc...) ?

Yes, that was going to be my suggestion.

I don't currently know of a way to have multiple rules and HOME_NETs
apply to specific sensors from within a single snort.conf.


> P.S. in case it could help, here's my startup script :

[..snip..]

>                 /usr/local/bin/snort -c /export/snort/eth0/rules/snort.conf
> -d -D -e -i eth0 -l /export/snort/eth0/logs/
>                 /usr/local/bin/snort -c /export/snort/eth1/rules/snort.conf
> -d -D -e -i eth1 -l /export/snort/eth1/logs/
>                 /usr/local/bin/snort -c /export/snort/eth2/rules/snort.conf
> -d -D -e -i eth2 -l /export/snort/eth2/logs/
>                 /usr/local/bin/snort -c /export/snort/eth3/rules/snort.conf
> -d -D -e -i eth3 -l /export/snort/eth3/logs/

[..snip..]


Hrrmm, looking at your script makes me wonder if your snort.conf files are
including a common ruleset.

An idea that just occurred to me: you could still use a common ruleset
and unique snort.conf files; simply add a 'pass' rule to the relevant
snort.conf to effectively short-circuit the rule you wish silenced.

Or you could do the reverse and add an 'alert' rule into a specific
snort.conf if you want an alert from that particular Snort instance,
only.

Finally, you could add the rule into your master ruleset for all sensors
to see the rule.

Naturally, they go above any include statements.





Regards,

Chris.
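The per-sensor layout described in this thread (one snort.conf per interface, a shared ruleset pulled in by include, and the sensor-specific pass/alert rules placed above the include) as an added shell example; it is not part of the original post or the Snort project. It assumes the /export/snort/IFACE tree from the quoted startup script and a shared rules file at /export/snort/common/snort.rules, and it passes -o so that pass rules are evaluated before alert rules, which the thread does not mention.

```shell
#!/bin/sh
# Added example: build one snort.conf per sensor interface. Each file sets its
# own HOME_NET, then the sensor-local rules, and only then includes the shared
# ruleset, so the local rules sit above the include statements.

SNORT_ROOT="${SNORT_ROOT:-/export/snort}"                        # from the quoted script
COMMON_RULES="${COMMON_RULES:-/export/snort/common/snort.rules}" # assumed shared ruleset

# gen_conf IFACE HOME_NET [LOCAL_RULES_FILE]
# Writes $SNORT_ROOT/IFACE/rules/snort.conf and prints its path.
gen_conf() {
    iface=$1; home_net=$2; local_rules=${3:-}
    dir="$SNORT_ROOT/$iface/rules"
    mkdir -p "$dir" "$SNORT_ROOT/$iface/logs"
    {
        echo "# generated for sensor $iface"
        echo "var HOME_NET $home_net"
        echo "var EXTERNAL_NET !\$HOME_NET"
        if [ -n "$local_rules" ] && [ -f "$local_rules" ]; then
            echo "# sensor-specific pass/alert rules: must precede the shared include"
            cat "$local_rules"
        fi
        echo "include $COMMON_RULES"
    } > "$dir/snort.conf"
    echo "$dir/snort.conf"
}

# local_rules_before_include FILE
# Returns 0 when no pass/alert/log rule appears after the first include line,
# i.e. the sensor-local rules really are above the shared ruleset.
local_rules_before_include() {
    awk '/^include /{seen=1} /^(pass|alert|log) / && seen {bad=1} END{exit bad}' "$1"
}

# start_sensor IFACE: the flags of the quoted startup script, plus -o.
# Snort of this era applies rules alert->pass->log by default, so a pass rule
# only silences a shared alert rule when snort is started with -o (pass->alert->log).
start_sensor() {
    iface=$1
    /usr/local/bin/snort -o -c "$SNORT_ROOT/$iface/rules/snort.conf" \
        -d -D -e -i "$iface" -l "$SNORT_ROOT/$iface/logs/"
}
```

Run gen_conf once per interface (for example `gen_conf eth0 192.168.0.0/24 /export/snort/eth0/local.rules`) before the start_sensor calls in the startup script.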
