[Snort-users] Multiple snort instance with different rulesets

Marc-Andre Hamelin mhamelin at ...1801...
Sun Oct 14 13:34:02 EDT 2001

>Hrrmm, looking at your script makes me wonder if your snort.conf's are
>including a common ruleset.

You're right. I made a directory structure so that all snort processes are
independent from each other. They all log to their own log file (and to
the same DB for acid), they all have their own snort.conf file, and they all
have their own ruleset.

But even with that, when starting all the processes, the rules seem all
mixed up. To correct what I said earlier, it's not the ruleset loaded by the
first process that is applied to all, but from my testing, I found that any
of the 4 rulesets can be the one that applies to all processes no matter which
process starts first.

Now I just found a solution to my problem (even if it will be a pain to
update the rules, at least until I make a script): I named each rule file
and snort.conf file with its own name; I added the name of the interface
at the end (e.g. scan.rules.eth1). Now each process is respecting its own

I really don't know why it works like this. Each process should be completely
independent, with their own memory allocation. Even if the rule files have
the same names, they have their own inodes; they are different files, and
furthermore, they are in different directories.

Hummm, that just made me think of something, maybe the include directives in
snort.conf should include the full path of the rule files... Something I'll
try next...

I may also try what you suggested (one ruleset, and using pass rules), but I
think the same problem may occur. 

I guess I should start to familiarize myself with the inner workings of
snort. :-)


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chris
Sent: 14 October, 2001 04:06
To: Marc-Andre Hamelin
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Multiple snort instance with different

Marc-Andre Hamelin wrote:

> I tried to run multiple snort instances (one for each interface) with a
> different ruleset for each, but it seems that all of them are using the
> ruleset (the one loaded by the first snort process started).

Snort essentially includes its rules from within snort.conf, or they
may also be defined in snort.conf itself.

My guess is that all your Snort processes are using the same snort.conf
hence the same rules ($HOME_NETs etc, etc).

> Just a last minute thought as I am writing; could I have to name each
> "snort.conf" file with different names (something like snort.conf.eth0,
> snort.conf.eth1, etc...) ?

Yes, that was going to be my suggestion.

I don't currently know of a way to have multiple rules and HOME_NETs
apply to specific sensors from within a single snort.conf.

> P.S. in case it could help, here's my startup script :


>                 /usr/local/bin/snort -c
> -d -D -e -i eth0 -l /export/snort/eth0/logs/
>                 /usr/local/bin/snort -c
> -d -D -e -i eth1 -l /export/snort/eth1/logs/
>                 /usr/local/bin/snort -c
> -d -D -e -i eth2 -l /export/snort/eth2/logs/
>                 /usr/local/bin/snort -c
> -d -D -e -i eth3 -l /export/snort/eth3/logs/


Hrrmm, looking at your script makes me wonder if your snort.conf's are
including a common ruleset.

An idea that just occurred to me, you still could use a common ruleset
and unique snort.conf's, simply add a 'pass' rule to the relevant
snort.conf to effectively short-circuit the rule you wish silenced.

Or you could do the reverse and add an 'alert' rule into a specific
snort.conf if you want an alert from that particular Snort instance.

Finally, you could add the rule into your master ruleset for all sensors
to see the rule.

Naturally, they go above any include statements.
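
Added example, not part of the thread or of Snort itself: a small audit of per-interface snort.conf files that lists `include` directives given without a full path and the relative rule file names that more than one instance uses, which is the situation the thread suspects but does not confirm as the cause. The directory layout, the `RULE_PATH` variable and the sample files are constructed assumptions.

```python
import os
import re
import tempfile
from collections import defaultdict
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")

def parse_includes(conf_path):
    """Return the include targets of one snort.conf, expanding simple $VARs."""
    variables, includes = {}, []
    with open(conf_path) as fh:
        for line in fh:                      # commented-out lines never match
            var = VAR_RE.match(line)
            inc = INCLUDE_RE.match(line)
            if var:
                variables[var.group(1)] = var.group(2)
            elif inc:
                expand = lambda m: variables.get(m.group(1), m.group(0))
                includes.append(re.sub(r"\$(\w+)", expand, inc.group(1)))
    return includes

def audit(confs):
    """confs maps interface -> conf path; returns (relative includes, shared names)."""
    relative, by_name = [], defaultdict(set)
    for iface, conf in sorted(confs.items()):
        for target in parse_includes(conf):
            if not os.path.isabs(target):    # no full path in the directive
                relative.append((iface, target))
                by_name[target].add(iface)
    return relative, {n: sorted(i) for n, i in by_name.items() if len(i) > 1}

def build_sample(root):
    """Constructed sample: eth0/eth1 use a relative include, eth2 a full path."""
    bodies = {
        "eth0": "include scan.rules\n",
        "eth1": "include scan.rules\n",
        "eth2": "var RULE_PATH /export/snort/eth2/rules\ninclude $RULE_PATH/scan.rules\n",
    }
    confs = {}
    for iface, body in bodies.items():
        os.makedirs(os.path.join(root, iface))
        confs[iface] = os.path.join(root, iface, "snort.conf")
        with open(confs[iface], "w") as fh:
            fh.write(body)
    return confs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(audit(build_sample(root)))
```

An empty result from `audit` means every instance names its rule files by full path, so no two instances can be referring to the same relative name.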



