[Snort-users] (no subject)
nnarang at ...15655...
Thu Jun 21 13:06:31 EDT 2012
Ok case in point. I have to monitor traffic coming in on two NICs. Can I monitor with one instance running?
Sent from my iPhone
On Jun 21, 2012, at 9:52 AM, "Kungu Panda" <kungupanda at ...11827...> wrote:
> I am using a single instance of snort to write-out multiple unified
> files and then using multiple barnyard2 instances to send to both
> syslog and mysql. Basically sending alerts to a prime and backup
> monitoring stations. No issues or problems; drop two "output
> unified2: xxx" directives in snort.conf.
> Not sure why anyone would need multiple instances of snort to achieve
> the same result. In fact, it would seem to be wildly inefficient to
> run multiple instances of snort to inspect the same traffic. Of
> course, you may have systems and cpu's to burn.
> -----Original Message-----
> From: Peter Bates [mailto:peter.bates at ...15381...]
> Sent: Thursday, June 21, 2012 15:48
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Multiple snorts & Barnyard2
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hello all
> I was just wondering if I was missing any tricks here
> - - and interesting if anyone is doing things differently.
> I'm spawning multiple Snort processes - with a different
> - -l to write unified2 output into seperate directories.
> As a result I'm running multiple Barnyard2 processes, each reading the
> directories in continuous mode - and writing to DB and Syslog.
> Is this the optimal way of doing things, or am I missing a crafty
> command-line option somewhere?
> - --
> Peter Bates
> Senior Computer Security Officer Phone: +44(0)2076792049
> Information Services Division Internal Ext: 32049
> University College London
> London WC1E 6BT
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users