[Snort-users] Multiple Snort sensors

Erek Adams erek at ...577...
Mon Mar 25 10:10:11 EST 2002


On Mon, 25 Mar 2002, FGALAN wrote:

> I would like to know if it is possible to have multiple Snort sensors
> running simultaneously on different hosts outputting logs to
> the same place, or if it is not possible due to some concurrency
> problems.

Yes, BUT....

> I mean,
>
> snort -l log [...] in host1
> snort -l log [...] in host2
> snort -l log [...] in host3
>
> where log is a shared directory (via NFS, for example).

If you aren't using binary logging, you could be in for a bit of trouble.  If
one sensor needed to lock a file, then the others wouldn't be able to write to
it, if you're using NFS, that is.

You could use NFS and binary log modes to generate 3 different files, one per
sensor, and then split each of those out via a 4th snort process on the NFS
server.

Or you could use barnyard and send it all off to a backend DB.

*shrug*  Lotsa ways to do it!

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
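
The per-sensor layout described in the reply above, as an added sketch that is not part of the original message: every sensor logs in binary mode to its own subdirectory of the shared mount, and a job on the NFS server replays each finished file with snort -r. The directory layout, the snort.log.* file pattern, the config path and the .done marker are assumptions.

```sh
#!/bin/sh
# Added example (not from the original message). Each sensor is assumed to
# run "snort -b -l /nfs/snort/<sensor>", so no two hosts share a log file.
# The paths, the snort.log.* name pattern and the .done marker are assumptions.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
MIN_AGE_MIN="${MIN_AGE_MIN:-10}"   # younger files may still be open on a sensor

# pending_logs SPOOL
# Print "sensor<TAB>file" for every binary log that is old enough to be
# closed and has not been replayed yet.
pending_logs() {
    for pl_dir in "$1"/*/; do
        [ -d "$pl_dir" ] || continue
        pl_dir="${pl_dir%/}"
        find "$pl_dir" -maxdepth 1 -type f -name 'snort.log.*' \
             ! -name '*.done' -mmin +"$MIN_AGE_MIN" | sort |
        while IFS= read -r pl_file; do
            [ -e "$pl_file.done" ] || printf '%s\t%s\n' "${pl_dir##*/}" "$pl_file"
        done
    done
}

# replay_all SPOOL OUT
# Run one "snort -r" per pending file, writing decoded output to OUT/<sensor>/.
# A file is marked done only if snort exits successfully.
replay_all() {
    ra_tab="$(printf '\t')"
    pending_logs "$1" | while IFS="$ra_tab" read -r ra_sensor ra_file; do
        mkdir -p "$2/$ra_sensor"
        if "$SNORT_BIN" -r "$ra_file" -c "$SNORT_CONF" \
                        -l "$2/$ra_sensor" </dev/null; then
            : > "$ra_file.done"
        else
            echo "replay failed, will retry: $ra_file" >&2
        fi
    done
}

# Usage: replay.sh /nfs/snort /var/log/snort-merged
if [ "$#" -eq 2 ]; then
    replay_all "$1" "$2"
fi
```

The age check relies on file modification times, so it assumes the sensors' clocks and the server's clock are reasonably in sync.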




