[Snort-users] Running two instances of Snort

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Wed Sep 25 09:53:02 EDT 2002


I'm currently running Snort 1.8.7 on RHLinux 7.0. I currently have a very
large custom rules file I created that does a lot of content checking, and
I'm afraid that since my custom rules file alerts on a large majority of
packets, then the other Snort attack rules will not be alerted on (Snort
will only alert on one rule per packet as I understand it).

As a test I've tried running two instances of Snort on the same box and both
appear to work perfectly, catching everything. Rather than creating a
separate box, I was thinking of running two instances of Snort on the same
box: one just looking for alerts in my custom alerts file (since it is so
massive and does a lot of content checking), and one instance of Snort
alerting on all of the other standard Snort rules. This way, if a packet
were to arrive that matched one of my custom content rules, and at the same
time matched a standard Snort attack rule, I would receive a separate alert
in each Snort instance's log file.

I was wondering if anyone else is doing this type of thing, and what pros and
cons you think would apply?
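As an added example (not from Paul's post or the Snort project), the script below starts the two instances the way described above: one config per rule set, a separate log directory per instance, plus a check that no rules file is included by both configs (if it were, both instances would fire on the same rule and the split would not buy anything). The binary path, interface name, instance names and config/log locations are assumptions; `-D`, `-i`, `-c`, `-l` and `-A fast` are standard Snort command-line options.

```shell
#!/bin/sh
# Run two Snort instances on one sensor, each with its own rule set and log
# directory, so a packet that matches a rule in both sets produces one alert
# in each instance's log.  All paths and names below are assumptions.

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
IFACE="${IFACE:-eth1}"
CONF_DIR="${CONF_DIR:-/etc/snort}"      # holds snort-custom.conf and snort-standard.conf
LOG_BASE="${LOG_BASE:-/var/log/snort}"  # one sub-directory per instance

# Print the command line for one instance. $1 = instance name (custom|standard).
# -D daemonize, -i interface, -c config, -l log directory, -A fast alert mode.
snort_cmd() {
    name="$1"
    printf '%s -D -i %s -c %s/snort-%s.conf -l %s/%s -A fast' \
        "$SNORT_BIN" "$IFACE" "$CONF_DIR" "$name" "$LOG_BASE" "$name"
}

# Print every rules file that is "include"d by BOTH configs ($1 and $2).
# Empty output means the rule sets are disjoint, which is what we want.
shared_rules() {
    awk '$1 == "include" {
            if (FILENAME == ARGV[1]) seen[$2] = 1
            else if ($2 in seen) print $2
         }' "$1" "$2"
}

# Create the instance's log directory and start it.
start_instance() {
    name="$1"
    mkdir -p "$LOG_BASE/$name"
    sh -c "$(snort_cmd "$name")"
}

# Only act when invoked as "start"; sourcing the file just defines functions.
case "${1:-}" in
    start)
        overlap=$(shared_rules "$CONF_DIR/snort-custom.conf" "$CONF_DIR/snort-standard.conf")
        if [ -n "$overlap" ]; then
            echo "refusing to start: rules files included by both configs:" >&2
            echo "$overlap" >&2
            exit 1
        fi
        start_instance custom
        start_instance standard
        ;;
esac
```

Before relying on this, check where your Snort build writes its pid file when daemonized: if the name is derived only from the interface, two instances on the same interface may overwrite each other's pid file, and a stop script keyed on that file would only find one of them.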


More information about the Snort-users mailing list