[Snort-users] Multiple snort instance with different rulesets

Chris Keladis Chris.Keladis at ...2783...
Sun Oct 14 18:04:02 EDT 2001


At 04:33 PM 10/14/01 -0400, Marc-Andre Hamelin wrote:

Hi Marc-Andre,


>I really don't know why it works like this. Each process should be completely
>independent, with their own memory allocation. Even if the rule files have
>the same names, they have their own inodes, they are different files,
>furthermore, they are in different directories.

They are separate processes, for all intents and purposes.


>Hummm, that just made me think of something, maybe the include directives in
>snort.conf should include the full path of the rule files... Something I'll
>try next...

Yes, I think this is the crux of your problem more than any shared memory / 
Snort internal issue.


>I may also try what you suggested (one ruleset, and using pass rules), but I
>think the same problem may occur.

If you have 1 ruleset, then the issue would be inherently moot.

If you want to have multiple rulesets, then they need individual names, and 
you need to tell your snort.conf which ruleset (with an individual name) to 
load for that instance (and hardcode the paths so there is no confusion).


>I guess I should start to familiarize myself with the inner working of
>snort. :-)

As above, I really feel it's a configuration issue more than anything.

Try giving your rules unique filenames and hardcode the path of your 
includes in snort.conf.eth? to be certain it's loading the ruleset you 
intend (i.e. /my/snort/rules/policy.rules.eth0).

Also, to avoid confusion, I suggest backing up and cleaning out your Snort 
output so you don't see old(er) alerts which may mislead you into 
thinking a rule you commented out on a particular sensor is back.

Hope it's of some help.

Regards,

Chris.
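As an added check illustrating the advice above (example script, not from the original thread or from the Snort project): a small POSIX shell script that lists the `include` targets of each instance's snort.conf and fails when any include is not an absolute path or when two instances resolve to the same rule file. It assumes a relative include is resolved against the working directory the instance is started from; the config file names and rule paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: list each instance's
# 'include' targets and fail when one is not an absolute path or when two
# configs load the same file. Assumption: a relative include is resolved
# against the working directory the instance is started from.

# rule_includes CONF: print the target of every 'include' line in CONF.
rule_includes() {
    sed -n 's/#.*//; s/^[[:space:]]*include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# resolve_include CWD PATH: absolute paths pass through, anything else
# (relative, or starting with a $VAR) is joined with CWD.
resolve_include() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# check_instances CWD CONF...: return 0 only if every include is absolute
# and no resolved rule file is shared between the given configs.
check_instances() {
    cwd=$1; shift
    status=0
    seen=""
    for conf in "$@"; do
        for inc in $(rule_includes "$conf"); do
            case "$inc" in
                /*) ;;
                *)  echo "$conf: include '$inc' is not an absolute path" >&2
                    status=1 ;;
            esac
            full=$(resolve_include "$cwd" "$inc")
            case "$seen" in
                *"|$full|"*)
                    echo "$conf: '$full' is also loaded by another instance" >&2
                    status=1 ;;
            esac
            seen="$seen|$full|"
        done
    done
    return $status
}
```

Run it as `check_instances /path/you/start/snort/from /etc/snort/snort.conf.eth0 /etc/snort/snort.conf.eth1` before starting the sensors; a non-zero exit means two instances could be reading the same ruleset.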
