[Snort-users] question about using SNORT to look at multiple NICs on one system
wkitty42 at ...14940...
Wed Aug 12 16:26:03 EDT 2015
On 08/12/2015 06:08 AM, Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 wrote:
> Since I didn't do the reconfiguration, I have had to look at this and it
> appears that the answer to all of your questions is NO. Just by asking these
> questions you have confirmed my suspicions about how this reconfig was done,
> and I will have to request changes to the system to fully separate the snort
> instances on the system.
you should be able to keep them all running as individual processes on the
single system... the key is to add the identifying portion to the snort
instances as well as ensuring that they are using different output directories
or at least different output files...
1.9.4 Specifying Multiple-Instance Identifiers
In Snort v2.4, the -G command line option was added that specifies an instance
identifier for the event logs. This option can be used when running multiple
instances of snort, either on different CPUs, or on the same CPU but a different
interface. Each Snort instance will use the value specified to generate unique
event IDs. Users can specify either a decimal value (-G 1) or hex value preceded
by 0x (-G 0x11). This is also supported via a long option --logid.
then the trick is to get BY2 to read the different output files and get that
data into the central database with the identifiers for each snort...
i'm sure there's more information available that i've forgotten... however, a
trip through some of these results should be beneficial
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
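As an added example, not from this thread or the Snort project, the POSIX shell helper below turns the advice above into a checked launch plan: one Snort 2 instance per interface, each with its own -G instance id and its own -l log directory, refusing a plan where two instances would share an id (in decimal or 0x form) or a log directory. The config path, log base directory and interface names are assumed values.

```shell
#!/bin/sh
# Added example, not from this thread or the Snort project: build one Snort 2
# command line per monitored interface so that every instance gets its own
# -G instance id and its own -l log directory. Config path, log base directory
# and interface names below are assumed values for illustration.

SNORT_CONF="/etc/snort/snort.conf"   # assumed config path
LOG_BASE="/var/log/snort"            # assumed log base; one subdir per interface

# snort_cmd IFACE ID: print the command line for one instance. The log
# directory embeds the interface name so instances never write the same files.
snort_cmd() {
    printf 'snort -c %s -i %s -l %s/%s -G %s\n' \
        "$SNORT_CONF" "$1" "$LOG_BASE" "$1" "$2"
}

# check_unique "v1 v2 ...": succeed only if no value in the list repeats.
check_unique() {
    dups=$(printf '%s\n' $1 | sort | uniq -d)
    [ -z "$dups" ]
}

# plan_instances IFACE:ID ...: validate the plan, then print one command per
# interface. Ids are normalised to decimal first, so 1 and 0x1 are caught as
# the same id (the manual allows either form); a repeated interface would
# also mean a shared log directory, so that is rejected too.
plan_instances() {
    ids=""
    ifaces=""
    for spec in "$@"; do
        case $spec in
            *:*) ;;
            *) echo "bad spec '$spec', expected IFACE:ID" >&2; return 1 ;;
        esac
        ids="$ids $(( ${spec#*:} ))"
        ifaces="$ifaces ${spec%%:*}"
    done
    check_unique "$ids" || { echo "duplicate -G instance id" >&2; return 1; }
    check_unique "$ifaces" || { echo "duplicate interface" >&2; return 1; }
    for spec in "$@"; do
        snort_cmd "${spec%%:*}" "${spec#*:}"
    done
}

# Usage: sh plan.sh eth0:1 eth1:2 eth2:0x11
if [ "$#" -gt 0 ]; then
    plan_instances "$@"
fi
```

Each printed line is the command to start one instance; the distinct -G values are what let a downstream log reader keep the events from each sensor apart once they land in the shared database.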