[Snort-users] Single Snort instance with multiple configurations (output)

Jukka Juslin jtjuslin at ...7943...
Tue Sep 30 08:48:05 EDT 2003

Dear all,

Slightly related to the message below from Frank Knobbe, I would like to
know is is possible to start one instance of Snort with multiple
configurations (and therefore probably multiple output places)?

I/we are interested in having separate output for inbound and outbound
alerts (to be able to first consider the inbound alerts and automatically
update the outbound).

We wouldn't like to have 2 or more Snort instances running, becaus ein
that case they will naturally fight for common resources (reading from the
network interface etc).

So, can somebody possibly help and tell if multiple configurations are


 From: Frank Knobbe (FKnobbeKnobbeITS.com)
 Date: Mon Jun 18 2001 - 22:24:21 CDT

 Hash: SHA1

 Uhm, how about running two instances of snort with different
 configurations? One instance can monitor only the web traffic and
 alert on exploits, the other can ignore web traffic and you can use
 your catch-all rule in there.

 It would be nice to have a rules checking priority system... wasn't
 there talk about that for 1.8? If not, here's the suggestion :)
 Until then, running multiple instances will solve the problem.


 > -----Original Message-----
 > From: barre [mailto:barrechello.be]
 > Sent: Tuesday, June 18, 2002 2:18 AM
 > To: snort-userslists.sourceforge.net
 > In the following example , I want to protect my dmz and will make a
 > "alert"
 > rule for all traffic from and to my dmz.
 > alert any any any -> any any (msg: \"tcp dmz traffic";)
 > But in this case, alerts will be generated when people access my
 > webserver. So I make this nice pass rule to grant access to
 > my webserver.
 > pass tcp !MY_NET any -> webserver 80
 > Because this pass rule is applied below the alert rule, I
 > have to use the
 > -o option, to make sure that this previous rule makes an
 > exception to the
 > other rules.
 > But in this scenario, I don't check the content of the pass rule
 > for malicious traffic using the other alert rules. But if I
 > delete the pass
 > rule, it triggers the "catch all other traffic" rule.
 > Therefor: is there an other way to implement a "catch all traffic"
 > rule? Using this rule, you can write rules for all
 > allowed traffic , and alert for all non-defined traffic. All other
 > signatures (http malicious traffic for example) will still be
 > applied to
 > all traffic, even if they are in the pass or catch all rules.

 Version: PGP Personal Privacy 6.5.8
 Comment: PGP or S/MIME encrypted email preferred.


More information about the Snort-users mailing list