[Snort-users] Multiple snorts & Barnyard2

Joel Esler jesler at ...1935...
Thu Jun 21 20:11:02 EDT 2012


You should look into the afpacket capture method in daq.

On Thu, Jun 21, 2012 at 1:25 PM, Naresh Narang <
nnarang at ...15655...> wrote:

> It's on Solaris 10. Yes currently using -i directive but it starts up two
> instances. I'll need to check if IPMP can be done on NICs with no IPs.
>
> --Naresh
>
> -----Original Message-----
> From: Kungu Panda [mailto:kungupanda at ...11827...]
> Sent: Thursday, June 21, 2012 10:22 AM
> To: Naresh Narang
> Cc: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Multiple snorts & Barnyard2
>
> Linux:   yes, look into ifenslave/bonding.
> Windows:   I have no idea.
>
> Or maybe multiple "-i " nic directives can be specified on the snort
> commandline, never tried that.
>
> KPanda
>
>
> On Thu, Jun 21, 2012 at 5:06 PM, Naresh Narang <
> nnarang at ...15655...> wrote:
> > Ok, case in point. I have to monitor traffic coming in on two NICs. Can I
> > monitor with one instance running?
> >
> >
> > --Naresh
> > Sent from my iPhone
> >
> > On Jun 21, 2012, at 9:52 AM, "Kungu Panda" <kungupanda at ...11827...> wrote:
> >
> >> I am using a single instance of snort to write out multiple unified
> >> files and then using multiple barnyard2 instances to send to both
> >> syslog and mysql.  Basically sending alerts to a prime and backup
> >> monitoring stations.  No issues or problems; drop two "output
> >> unified2: xxx" directives in snort.conf.
> >>
> >> Not sure why anyone would need multiple instances of snort to achieve
> >> the same result.  In fact, it would seem to be wildly inefficient to
> >> run multiple instances of snort to inspect the same traffic.  Of
> >> course, you may have systems and cpu's to burn.
> >>
> >> KPanda.
> >>
> >>
> >> -----Original Message-----
> >> From: Peter Bates [mailto:peter.bates at ...15381...]
> >> Sent: Thursday, June 21, 2012 15:48
> >> To: snort-users at lists.sourceforge.net
> >> Subject: [Snort-users] Multiple snorts & Barnyard2
> >>
> >>
> >> Hello all
> >>
> >> I was just wondering if I was missing any tricks here
> >> - and interested if anyone is doing things differently.
> >>
> >> I'm spawning multiple Snort processes - with a different
> >> -l to write unified2 output into separate directories.
> >>
> >> As a result I'm running multiple Barnyard2 processes, each reading
> >> the directories in continuous mode - and writing to DB and Syslog.
> >>
> >> Is this the optimal way of doing things, or am I missing a crafty
> >> command-line option somewhere?
> >>
> >> --
> >> Peter Bates
> >> Senior Computer Security Officer    Phone: +44(0)2076792049
> >> Information Services Division       Internal Ext: 32049
> >> University College London, London WC1E 6BT
> >>
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> >> Snort news!
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
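As an added illustration of the two approaches discussed in this thread (this is not configuration posted by any of the participants): a single snort.conf can carry more than one `output unified2` directive, and one barnyard2 process per spool then follows it in continuous mode. All file names, paths and config names below are assumed placeholders.

```conf
# snort.conf fragment (added example): one Snort process feeding two
# unified2 spools. Each directive writes its own file series under the
# directory given to snort with -l. Names are placeholders, not from the thread.
output unified2: filename primary.u2, limit 128
output unified2: filename backup.u2, limit 128

# One barnyard2 reader per spool, each in continuous mode (-d spool dir,
# -f file prefix) with its own waldo bookmark (-w), so the two readers never
# share position state; -D daemonises. Paths are assumed:
#   barnyard2 -c /etc/snort/barnyard2-primary.conf -d /var/log/snort \
#             -f primary.u2 -w /var/log/snort/primary.waldo -D
#   barnyard2 -c /etc/snort/barnyard2-backup.conf  -d /var/log/snort \
#             -f backup.u2  -w /var/log/snort/backup.waldo  -D
# Each barnyard2 config carries only the output plugins for its own
# destination (the syslog output in one, the database output in the other),
# which gives the prime/backup split KPanda describes from one Snort process.
```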