[Snort-users] Multiple snorts & Barnyard2

Naresh Narang nnarang at ...15655...
Thu Jun 21 13:25:54 EDT 2012

It's on Solaris 10. Yes currently using -i directive but it starts up two instances. I'll need to check if IPMP can be done on NICs with no IPs.


-----Original Message-----
From: Kungu Panda [mailto:kungupanda at ...11827...] 
Sent: Thursday, June 21, 2012 10:22 AM
To: Naresh Narang
Cc: snort-users at lists.sourceforge.net
Subject: [Snort-users] Multiple snorts & Barnyard2

linux:   yes, look into ifenslave/bonding.
windows:   i have no idea.

Or maybe multiple "-i " nic directives can be specified on the snort commandline, never tried that.


On Thu, Jun 21, 2012 at 5:06 PM, Naresh Narang <nnarang at ...15655...> wrote:
> Ok case in point. I have to monitor traffic coming in on two NICs. Can I monitor with one instance running?
> --Naresh
> Sent from my iPhone
> On Jun 21, 2012, at 9:52 AM, "Kungu Panda" <kungupanda at ...11827...> wrote:
>> I am using a single instance of snort to write-out multiple unified 
>> files and then using multiple barnyard2 instances to send to both 
>> syslog and mysql.  Basically sending alerts to a prime and backup 
>> monitoring stations.  No issues or problems; drop two "output
>> unified2: xxx" directives in snort.conf.
>> Not sure why anyone would need multiple instances of snort to achieve 
>> the same result.  In fact, it would seem to be wildly inefficient to 
>> run multiple instances of snort to inspect the same traffic.  Of 
>> course, you may have systems and cpu's to burn.
>> KPanda.
>> -----Original Message-----
>> From: Peter Bates [mailto:peter.bates at ...15381...]
>> Sent: Thursday, June 21, 2012 15:48
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Multiple snorts & Barnyard2
>> Hash: SHA1
>> Hello all
>> I was just wondering if I was missing any tricks here
>> - - and interesting if anyone is doing things differently.
>> I'm spawning multiple Snort processes - with a different
>> - -l to write unified2 output into seperate directories.
>> As a result I'm running multiple Barnyard2 processes, each reading 
>> the directories in continuous mode - and writing to DB and Syslog.
>> Is this the optimal way of doing things, or am I missing a crafty 
>> command-line option somewhere?
>> - --
>> Peter Bates
>> Senior Computer Security Officer    Phone: +44(0)2076792049 
>> Information Services Division       Internal Ext: 32049 University 
>> College London London WC1E 6BT
>> ---------------------------------------------------------------------
>> ---------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and 
>> threat landscape has changed and how IT managers can respond. 
>> Discussions will include endpoint security, mobile security and the 
>> latest in malware threats. 
>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list