[Snort-users] Re: Multiple interfaces? and Snort 2.0

Ueli Kistler iuk at ...1171...
Tue May 13 14:24:04 EDT 2003


McBurnett, Jim wrote:

> Hi,
> I was wondering if there is anyway to run Snort on a system monitoring 
> 2 subnets with 3 network cards(1 as the control  / management card)
Due to the WinPcap limitation of monitoring only 1 interface at once on Windows, 
this will only work using 2 instances of Snort (separate folders, 
configuration, etc.).
Note that only ONE instance of IDScenter can be run at the same time 
(because the settings are stored in the registry, which would always 
overwrite the settings of the other IDScenter instance when clicking 
on "Apply").

Service mode (skip this if not needed, because you should also be a bit 
experienced with the registry; it's not an elegant solution, but 
it's not my fault either).
Note also that Snort doesn't have multiple Windows 2K/XP service 
support (meaning it always uses the service name SnortSvc, with no enumeration 
or anything like it, e.g. SnortSvc1). If you want to use the service 
mode, you have to do some manual registry work in 
HKEY_LOCAL_MACHINE\SYSTEM\controlset001, 002 and 
currentcontrolset: copy the SnortSvc key and rename the settings inside.

-- An elegant solution is: --
- Install MySQL
- Set up the output database plugin for both Snort instances (using 
IDScenter: set snort.conf of one Snort instance in "IDS rules", modify 
settings, apply; open snort.conf of the second install, edit settings 
and apply)
- Run both instances of Snort when starting up Snort (one is directly 
controlled by IDScenter, the other can be added to AutoStart (or using 
the described solution for running two Snort instances in service mode))
- Install ACID (www.cert.org/kb/acid), Apache (1.2.27 recommended, but 
2.x is also nice) or IIS (or any other webserver with CGI/PHP support), 
PHP (latest, www.php.org)

Notes about using IDScenter 1.1 RC2 with Snort 2.0:
- Don't use the "-a" option ("Include ARP" in the Log settings panel); it was 
removed from Snort. Note that I once posted a mail concerning Snort's little 
inline/command-line options chaos on the Snort-users mailing list.
- Rule editor: 3-4 keywords are not supported, namely: distance, within, 
byte_test and byte_jump

Notes about Snort 2.0 official support coming with IDScenter 1.1 RC3 
(also featuring MySQL alertmail (HTML tables output) with a multithreaded 
DNS resolution system, Oinkmaster integration using
an update check system (http only), Snort inline configuration support, 
WhoIs lookups with the internal logviewer, and even more ;)

> And is there any timeline to Snort 2.0 support?
IDScenter 1.1 RC3 release: at last in July (sorry for the long wait time, I 
would also like to work more on this prog ;) )

> Thanks,
> Jim
> Jim McBurnett
> Director of Information Technology
> Mid-South Management Company, Inc.
> P.O. Drawer 1634
> Spartanburg, SC 29304
> (864) 583 - 2907
> (864) 583 - 0589 fax
Ueli Kistler
eclipse at ...9170...
www.engagesecurity.com      < where IDScenter and a lot of new free 
security progs will be released in the near future (including a Honeypot FTP 
server for Windows, e.g.)
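The "elegant solution" above boils down to two Snort instances, each bound to one interface, writing to one shared MySQL database. The following script is an added example (not part of the original post and not IDScenter's or Snort's own code) that generates one snort.conf per instance and prints the matching launch command. It assumes the Snort 2.x `output database:` plugin syntax and its `sensor_name` parameter; the instance names, interface numbers, directories and the database password are constructed placeholders.

```shell
#!/bin/sh
# Added example: prepare two Snort instances for two monitored interfaces.
# Assumptions (not from the original post): Snort 2.x "output database"
# plugin syntax with a sensor_name parameter; every path, interface number
# and credential below is a constructed placeholder.

DB_USER="snort"
DB_PASS="CHANGE_ME"      # placeholder, replace before use
DB_NAME="snort"
DB_HOST="localhost"

# make_instance_conf NAME IFACE DIR
#   Writes DIR/snort.conf for instance NAME listening on interface IFACE.
#   Each instance gets its own log directory and its own sensor_name, so
#   events from the two subnets stay distinguishable in the shared database
#   (and therefore in ACID). Prints the path of the generated file.
make_instance_conf() {
    name="$1"; iface="$2"; dir="$3"
    mkdir -p "$dir/log"
    cat > "$dir/snort.conf" <<EOF
# generated for instance $name (interface $iface); append preprocessors
# and rules for this subnet below the output line
var HOME_NET any
output database: log, mysql, user=$DB_USER password=$DB_PASS dbname=$DB_NAME host=$DB_HOST sensor_name=$name
EOF
    echo "$dir/snort.conf"
}

# launch_cmd NAME IFACE DIR
#   Prints the command line that starts one instance. Two such commands,
#   one per interface, are the post's "run both instances" step; on Windows
#   the -i argument is the interface number shown by "snort -W".
launch_cmd() {
    name="$1"; iface="$2"; dir="$3"
    echo "snort -c $dir/snort.conf -i $iface -l $dir/log"
}

# sensor_name_of FILE
#   Reads the sensor_name back out of a generated config, a quick check
#   that the two instances really carry different names.
sensor_name_of() {
    sed -n 's/.*sensor_name=\([^ ]*\).*/\1/p' "$1"
}

if [ "${1:-}" = "demo" ]; then
    base="${TMPDIR:-/tmp}/snort-two-ifaces"
    make_instance_conf subnetA 1 "$base/snortA" >/dev/null
    make_instance_conf subnetB 2 "$base/snortB" >/dev/null
    launch_cmd subnetA 1 "$base/snortA"
    launch_cmd subnetB 2 "$base/snortB"
fi
```

Run it with `sh script.sh demo` to see the two launch commands; the generated configs are only skeletons, so the per-subnet preprocessor and rule lines still have to be appended to each file.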
