[Snort-users] Multiple Win32 occurances?

Paul Schmehl pauls at ...6838...
Tue Nov 25 19:14:04 EST 2003


--On Tuesday, November 25, 2003 20:08:18 -0600 Rich Adamson 
<radamson at ...2127...> wrote:

>
>> > Anyone tried to monitor two or more nic's from a single Win32 snort,
>> > or, run two Win32 snort images (one on each nic)? Problems / issues?
>> >
>> How about two snort instances on one nic?  I'm doing that with no
>> problems.
>
> Cool... off to play...

Well, if you're going to do that, here's a couple of learned lessons:

1) I created a symlink to the "real" snort binary and named it 
"snort_special".
2) I created "snort_special" conf files, ACID directory, start scripts, 
etc., etc.
3) I use the -R switch on the special instance so the two instances use 
separate PIDs.  Otherwise you'll have problems with disk usage "growing" 
uncontrollably, and the only way to correct it is to stop both instances 
and allow disk usage (according to df) to shrink back to normal size.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




More information about the Snort-users mailing list