[Snort-users] Multiple snorts & Barnyard2
nnarang at ...15655...
Thu Jun 21 13:25:54 EDT 2012
It's on Solaris 10. Yes currently using -i directive but it starts up two instances. I'll need to check if IPMP can be done on NICs with no IPs.
From: Kungu Panda [mailto:kungupanda at ...11827...]
Sent: Thursday, June 21, 2012 10:22 AM
To: Naresh Narang
Cc: snort-users at lists.sourceforge.net
Subject: [Snort-users] Multiple snorts & Barnyard2
linux: yes, look into ifenslave/bonding.
windows: i have no idea.
Or maybe multiple "-i " nic directives can be specified on the snort commandline, never tried that.
On Thu, Jun 21, 2012 at 5:06 PM, Naresh Narang <nnarang at ...15655...> wrote:
> Ok case in point. I have to monitor traffic coming in on two NICs. Can I monitor with one instance running?
> Sent from my iPhone
> On Jun 21, 2012, at 9:52 AM, "Kungu Panda" <kungupanda at ...11827...> wrote:
>> I am using a single instance of snort to write-out multiple unified
>> files and then using multiple barnyard2 instances to send to both
>> syslog and mysql. Basically sending alerts to a prime and backup
>> monitoring stations. No issues or problems; drop two "output
>> unified2: xxx" directives in snort.conf.
>> Not sure why anyone would need multiple instances of snort to achieve
>> the same result. In fact, it would seem to be wildly inefficient to
>> run multiple instances of snort to inspect the same traffic. Of
>> course, you may have systems and cpu's to burn.
>> -----Original Message-----
>> From: Peter Bates [mailto:peter.bates at ...15381...]
>> Sent: Thursday, June 21, 2012 15:48
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Multiple snorts & Barnyard2
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Hello all
>> I was just wondering if I was missing any tricks here
>> - - and interesting if anyone is doing things differently.
>> I'm spawning multiple Snort processes - with a different
>> - -l to write unified2 output into seperate directories.
>> As a result I'm running multiple Barnyard2 processes, each reading
>> the directories in continuous mode - and writing to DB and Syslog.
>> Is this the optimal way of doing things, or am I missing a crafty
>> command-line option somewhere?
>> - --
>> Peter Bates
>> Senior Computer Security Officer Phone: +44(0)2076792049
>> Information Services Division Internal Ext: 32049 University
>> College London London WC1E 6BT
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond.
>> Discussions will include endpoint security, mobile security and the
>> latest in malware threats.
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users