[Snort-users] [Snorting 2 NICs]

COULOMBE, TROY TROCOU at ...6000...
Tue Jun 11 08:17:03 EDT 2002


Pretty much the same thing here, though we log to different locations as
well...

So we have snort.qfe0.conf logged to /var/log/snort.qfe0/
and snort.qfe1.conf logged to /var/log/snort.qfe1

etc...
And then any special rules files that get modified for a particular
interface get that name, so: porn.qfe0.rules etc...

-----Original Message-----
From: K.S.NARAYANAN [mailto:knarayan at ...5994...]
Sent: Monday, June 10, 2002 9:11 PM
To: McCammon, Keith; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] [Snorting 2 NICs]


I do it this way without any problem:

* I have all my rules at /etc/snort/rules.
* I have 2 snort.conf files:
    o /etc/snortint.conf (with more local rules)
    o /etc/snortext.conf (with standard snort rules)
* A single snort binary, and I call 2 instances of snort like this:
    o snort -c /etc/snortint.conf -i eth0
    o snort -c /etc/snortext.conf -i eth1

The above method works well. Any comments please...

Regards,

Narayan.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of McCammon, Keith
Sent: Monday, June 10, 2002 6:39 PM
To: mr6re9 at ...6025...; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] [Snorting 2 NICs]

You should be able to simply install another Snort instance.  Instances can
share conf and rules files, but not the binary as far as I am aware.  Just
do "cp snort snort2" and call snort2 for the second instance.

-----Original Message-----
From: Gregory D Hough [mailto:mr6re9 at ...6025...]
Sent: Monday, June 10, 2002 8:47 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] [Snorting 2 NICs]


Greetings Group,

I have Snort running into MySQL. I use ACID to view alerts. Snort works fine
when started as: snort -c /usr/local/etc/snort/snort.conf -i eth0 -D but this
is my internal interface. When fired up for eth1 (IP address ppp0) I get this
in /var/log/messages:

WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned
Initializing daemon mode
WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned
PID stat checked out ok, PID set to /var/run
Writing PID file to "/var/run"
Snort initialization completed successfully, Snort running

Obviously Snort sees no traffic whatsoever. Is there any way to initialize
Snort with two sensors, eth0 and ppp0?

This is on a tutorial HOME_NET, with a Linux gateway machine and two other
boxes inside, one Linux and one Win. I'd like to continue monitoring the
internal due to the Win box. I have mulled over the excellent documentation
for setting the whole thing up, thanks to everyone involved. I just haven't
found an answer to this type of setup yet.

Thanks for any clues,
farmer6re9

PS- Poll Contrib:

month/year of capture: 05/21/2002 to 06/10/2002

version of snort: snort-1.8.6

description of rules enabled  - default? all? custom (please give details):
default

sensor environment - what kind/size of organisation, location of sensor etc:
home network/3 boxen eth0 before hub on gateway machine

inside some kind of firewall (Y/N): Y iptables

bandwidth sniffed (ISDN, ADSL, 10, 100, gigabit etc): ADSL

duration of sniffing (days): 20

total number of alerts raised: 185

format of alerting - text/fast, text/full (this is the default), tcpdump,
database (what type?) etc: default, MySQL-3.23.43-1

payloads captured (Y/N): Y

total disk space taken by the alerts (including payloads if captured,
database indexes etc): 92.1 KB's

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users

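The per-interface layout described in the replies above (one config file and one log directory per sensor interface, a single snort binary), as an added example that is not code from any poster in this thread. The function names, the DRY_RUN switch and the /etc/snort default for CONF_DIR are assumptions; the snort.<if>.conf and /var/log/snort.<if> naming follows the first reply.

```shell
#!/bin/sh
# Added example: one Snort instance per interface, each with its own config
# (snort.<if>.conf) and log directory (snort.<if>/), as named in the thread.
# CONF_DIR default and all function names are assumptions, not thread content.
CONF_DIR="${CONF_DIR:-/etc/snort}"
LOG_ROOT="${LOG_ROOT:-/var/log}"
SNORT_BIN="${SNORT_BIN:-snort}"

# Validate one interface: sane name, and its config file must be readable.
check_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: '$1'" >&2; return 2 ;;
    esac
    [ -r "$CONF_DIR/snort.$1.conf" ] || {
        echo "missing config: $CONF_DIR/snort.$1.conf" >&2; return 3; }
}

# Start one daemonized instance per interface, or with DRY_RUN=1 only print
# the command lines. Nothing is started if any interface fails validation
# or is listed twice (two instances would share one log directory).
start_sensors() {
    seen=" "
    for ifc in "$@"; do
        check_iface "$ifc" || return $?
        case "$seen" in
            *" $ifc "*) echo "duplicate interface: $ifc" >&2; return 4 ;;
        esac
        seen="$seen$ifc "
    done
    for ifc in "$@"; do
        conf="$CONF_DIR/snort.$ifc.conf"
        logdir="$LOG_ROOT/snort.$ifc"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$SNORT_BIN -c $conf -i $ifc -l $logdir -D"
        else
            # -l gives each instance its own log directory; -D daemonizes.
            mkdir -p "$logdir" &&
                "$SNORT_BIN" -c "$conf" -i "$ifc" -l "$logdir" -D || return 5
        fi
    done
}

# Example: DRY_RUN=1 sh this-script eth0 eth1
if [ "$#" -gt 0 ]; then start_sensors "$@"; fi
```

Running it with DRY_RUN=1 first shows the exact command lines and catches a missing per-interface config before any sensor is started.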