[Snort-users] Multiple instances of snort on one box?

Paul Schmehl pauls at ...6838...
Thu Oct 21 14:51:46 EDT 2004


--On Thursday, October 21, 2004 02:39:09 PM -0500 Drew Stockman 
<Drew.Stockman at ...8272...> wrote:

>
> We are trying to consolidate machines and I am being asked if we can put
> all of the snort sensors on one box.  I was just wondering if anyone can
> point me in the right direction.  I believe I have to run separate
> instances of Snort listening on different NICs, correct?

No, you can run multiple instances on one NIC.

>  Also, what kind
> of hardware would it take to replace 3 sensors, each listening to a T-1
> connection?  Is there any documentation out there on setting up a
> multiple Snort sensor like this?
>
I'm running two instances of snort, through one NIC, watching two DS3s with 
approximately 45MB outbound (70MB peaks) and 30MB inbound (50MB peaks) on a 
Dell box with a 1.7 GHz processor, 1GB of RAM and a 1GB NIC.  The OS is 
FreeBSD 4.9 SECURITY.

The reason I run two processes on the same NIC is because one is a "normal" 
deployment of snort and the other is a "special" deployment which *only* 
uses custom rules.

I would assume, in the "normal" setup, you'd want separate NICs because you 
want to monitor separate segments of the network.  The only thing you have 
to do is keep your conf files separate (unless you want to monitor 
precisely the same way on all three networks) as well as your startup 
scripts.

I symlinked snort to "snort_special", created a snort_special.conf file as 
well as a snort_special startup file.  You should also specify the name of 
the PID file, which you can do using "-R {name}" on the commandline during 
startup.  (E.g. "-R T1-A", "-R T1-B", "-R T1-C".)  This will create a 
pidfile with the name snort_eth0T1-A.pid, for example.  Makes it much 
easier to keep them straight and eliminates confusion when killing a 
process.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
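
A startup wrapper along the lines the reply describes, as an added example that is not part of the original message: one Snort process per link, each with its own conf file, log directory and "-R" tag, plus a check that no two instances would claim the same PID file. The directory paths, interface names, sensor table and the RUN dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Paths and interface names
# are assumptions; only the -R suffix and PID file naming come from the post.
CONF_DIR=${CONF_DIR:-/usr/local/etc/snort}
LOG_DIR=${LOG_DIR:-/var/log/snort}
PID_DIR=${PID_DIR:-/var/run}
RUN=${RUN-echo}    # dry run by default; set RUN= (empty) to really start Snort

# Constructed sensor table, one "<tag> <interface>" pair per line.
SENSORS=${SENSORS:-'T1-A eth0
T1-B eth1
T1-C eth2'}

# PID file name Snort builds from the interface plus the -R suffix.
pidfile_name() { printf 'snort_%s%s.pid\n' "$1" "$2"; }    # $1=iface $2=tag

# PID file names claimed by more than one entry. Two instances sharing a PID
# file is exactly the confusion the -R suffix is meant to prevent.
pidfile_collisions() {
    printf '%s\n' "$SENSORS" | while read -r tag iface; do
        [ -z "$tag" ] || pidfile_name "$iface" "$tag"
    done | sort | uniq -d
}

# One instance: its own config file, log directory and -R tag.
launch() {                                                 # $1=tag $2=iface
    [ -n "$RUN" ] || mkdir -p "$LOG_DIR/$1" || return 1
    $RUN snort -D -i "$2" -c "$CONF_DIR/snort_$1.conf" -l "$LOG_DIR/$1" -R "$1"
}

start_all() {
    dup=$(pidfile_collisions)
    [ -z "$dup" ] || { echo "PID file collision: $dup" >&2; return 1; }
    printf '%s\n' "$SENSORS" | while read -r tag iface; do
        [ -z "$tag" ] || launch "$tag" "$iface"
    done
}

# Stop exactly one instance by reading the PID file that belongs to it.
stop_one() {                                               # $1=tag $2=iface
    pf="$PID_DIR/$(pidfile_name "$2" "$1")"
    [ -r "$pf" ] && kill "$(cat "$pf")"
}

case "${1:-}" in
    start) start_all ;;
    stop)  stop_one "$2" "$3" ;;
esac
```

Run with no RUN override, "start" only prints the three command lines; two instances on the same NIC pass the collision check as long as their tags differ.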



