[Snort-users] Multiple instances of snort on the same server?

Seth Art sethsec at ...11827...
Thu Feb 4 17:10:22 EST 2010


Aloha,

Here is an example of 4 snort instances listening on 3 interfaces.
You can have a 1 instance to 1 interface mapping like the first two
lines, or you can run multiple instances on the same interface like
the 3rd and 4th lines directing traffic using BPFs, or a combination
of both.

snort -i eth1 -c /etc/snort1/snort-eth1.conf <other snort options>
snort -i eth2 -c /etc/snort2/snort-eth2.conf <other snort options>
snort -i eth3 -c /etc/snort3-1/snort-eth3-1.conf <other snort options>
net 10.0.0.0/8
snort -i eth3 -c /etc/snort3-2/snort-eth3-2.conf <other snort options>
not net 10.0.0.0/8

You can theoretically share the same snort.conf and rules files,
however if you want to have each instance act differently (different
policy assigned to each instance), you are best off having a different
copy of the rules and the snort.conf for each instance.

Just remember that when you update the rules, you need to update them
in all locations.

Definitely some additional overhead with this setup, but it will allow
you to accomplish quite a lot (and improve performance since snort is
currently still single threaded).

-Seth


On Wed, Feb 3, 2010 at 11:24 PM, Chan, Wilson <wchan at ...14702...> wrote:
> Anyone has a HowTo guide on running multiple instances of snort on the same
> server? I have a new server that has 8 nics and looking to run a few snort
> instances to make use of the high speed server and dual quad cores. Thanks!
>
>
>
>
>
> Wilson
>
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list