[Snort-users] Snort sensor IDs

Jeff Dell jdell at ...1095...
Thu Aug 19 12:11:25 EDT 2004

If you are using bpf filters, try adding "ignore_bpf=yes" to your output
database line in your snort.conf. I just checked the docs and it is not
there.. I guess it is currently an undocumented feature...  If your sensor
name keeps changing, you can add the option sensor_name=<blah>. but you can
not have multiple sensors writing to the same database as the same sensor
name, it will have issues.


From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Mitchell,
Sent: Wednesday, August 18, 2004 7:51 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Snort sensor IDs

I'm left a bit confused over how Snort handles assigning sensor IDs and how
I might be able to control it.  For example, I just changed how Snort runs,
and in doing so, a new sensor ID is created and dumps the data in there,
which makes querying MySql from a front end annoying.
Anyone know how to keep Snort to just a single sensor ID regardless of any
changes I might make to the startup options?  Or is there something inherent
that would make that a really bad idea?
On the same note, is it possible to dump data from multiple interfaces into
a single "sensor"?  I don't really care which sensor picked up the data as I
can look at source/destination anyway.

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential,
proprietary, and/or privileged information protected by law. If you are not
the intended recipient, you may not use, copy, or distribute this e-mail
message or its attachments. If you believe you have received this e-mail
message in error, please contact the sender by reply e-mail and destroy all
copies of the original message. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040819/b4b681ff/attachment.html>

More information about the Snort-users mailing list