[Snort-users] question about using SNORT to look at multiple NICs on one system

waldo kitty wkitty42 at ...14940...
Wed Aug 12 16:26:03 EDT 2015

On 08/12/2015 06:08 AM, Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 wrote:
> Since I didn't do the reconfiguration, I have had to look at this and it
> appears that the answer to all of your questions is NO.  Just by asking these
> questions you have confirmed my suspicions about how this reconfig was done,
> and I will have to request changes to the system to fully separate the snort
> instances on the system.

you should be able to keep them all running as individual processes on the 
single system... the key is to add the identifying portion to the snort 
instances as well as ensuring that they are using different output directories 
or at least different output files...


1.9.4 Specifying Multiple-Instance Identifiers

In Snort v2.4, the -G command line option was added that specifies an instance 
identifier for the event logs. This option can be used when running multiple 
instances of snort, either on different CPUs, or on the same CPU but a different 
interface. Each Snort instance will use the value specified to generate unique 
event IDs. Users can specify either a decimal value (-G 1) or hex value preceded 
by 0x (-G 0x11). This is also supported via a long option -logid.

then the trick is to get BY2 to read the different output files and get that 
data into the central database with the identifiers for each snort...

i'm sure there's more information available that i've forgotten... however, a 
trip through some of these results should be beneficial


  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-users mailing list