[Snort-users] FW: starting multiple instances of snort

Tony Reusser treusser at ...15879...
Fri Dec 4 11:10:29 EST 2015


James,

I am only running two simultaneous instances of snort.  One snort server with two sniffing interfaces on two separate network segments.

The way I am doing it, I have a separate snort.conf file for each “sensor” and each has its own output file for barnyard (two instances of barnyard with two config files running also) and each has its own log file.

Not as complex as your deployment, but here’s how my startup looks:

/usr/local/bin/snort -dD -c /etc/snort/snort_eth1.conf -i eth1
/usr/local/bin/snort -dD -c /etc/snort/snort_eth2.conf -i eth2
#
#
/usr/local/bin/barnyard2 -D -f snort_eth1.u2 -d /var/log/snort/eth1_logs -c /etc/snort/barnyard2_eth1.conf
/usr/local/bin/barnyard2 -D -f snort_eth2.u2 -d /var/log/snort/eth2_logs -c /etc/snort/barnyard2_eth2.conf

Hope this helps.

                -tkr

From: James [mailto:snort at ...16635...]
Sent: Friday, December 04, 2015 8:54 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] starting multiple instances of snort

Hi,

I'm attempting to start 16 instances of snort using a for loop, but see this error repeating in /var/log/messages and hope someone can help as I'm drawing a blank at the moment.

snort[8537]: FATAL ERROR: Stat check on log dir failed: No such file or directory.

This is the loop:

for i in `seq 0 1 15`; do
    snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-$i --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4@$i,zc:eth5@$i --daq-var clusterid=$i --daq-var bindcpu=$i
done

The referenced log dirs exist and are owned by the snort user, as shown:

[]$ sudo -u snort ls -al /logs/snort/eth4_eth5/
total 72
drwx------ 18 snort snort 4096 Dec  4 10:44 .
drwx------  3 snort snort 4096 Dec  4 10:43 ..
drwx------  2 snort snort 4096 Dec  4 10:50 instance-0
drwx------  2 snort snort 4096 Dec  4 10:50 instance-1
drwx------  2 snort snort 4096 Dec  4 10:44 instance-10
drwx------  2 snort snort 4096 Dec  4 10:44 instance-11
drwx------  2 snort snort 4096 Dec  4 10:53 instance-12
drwx------  2 snort snort 4096 Dec  4 10:54 instance-13
drwx------  2 snort snort 4096 Dec  4 10:54 instance-14
drwx------  2 snort snort 4096 Dec  4 10:54 instance-15
drwx------  2 snort snort 4096 Dec  4 10:51 instance-2
drwx------  2 snort snort 4096 Dec  4 10:51 instance-3
drwx------  2 snort snort 4096 Dec  4 10:51 instance-4
drwx------  2 snort snort 4096 Dec  4 10:52 instance-5
drwx------  2 snort snort 4096 Dec  4 10:52 instance-6
drwx------  2 snort snort 4096 Dec  4 10:52 instance-7
drwx------  2 snort snort 4096 Dec  4 10:44 instance-8
drwx------  2 snort snort 4096 Dec  4 10:44 instance-9

Any help is much appreciated.

J.
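
A preflight check for the per-instance log directories used in the loop above, as an added example that is not part of either post. It walks each path component and names the first one that is missing, not a directory, not searchable or not writable; the function names check_logdir and check_instances are hypothetical, and it should be run as the account Snort runs as (snort in the loop above).

```shell
#!/bin/sh
# Added example: preflight for per-instance Snort log directories.
# Function names are hypothetical; run as the Snort account (e.g. sudo -u snort).

# check_logdir DIR: print "ok", or the first path component that fails and why.
check_logdir() {
    dir=$1
    case $dir in
        /*) cur="" ;;       # absolute path: build up from the root
        *)  cur="." ;;      # relative path: build up from the current directory
    esac
    old_ifs=$IFS
    IFS=/
    set -f                  # no globbing while the path is split on "/"
    set -- $dir
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then echo "missing: $cur"; return 1; fi
        if [ ! -d "$cur" ]; then echo "not a directory: $cur"; return 1; fi
        if [ ! -x "$cur" ]; then echo "not searchable: $cur"; return 1; fi
    done
    if [ ! -w "$dir" ]; then echo "not writable: $dir"; return 1; fi
    echo "ok"
}

# check_instances BASE COUNT: check BASE/instance-0 .. BASE/instance-(COUNT-1).
# Prints one line per failing directory; returns non-zero if any failed.
check_instances() {
    base=$1
    count=$2
    bad=0
    i=0
    while [ "$i" -lt "$count" ]; do
        if ! result=$(check_logdir "$base/instance-$i"); then
            echo "instance-$i: $result"
            bad=$((bad + 1))
        fi
        i=$((i + 1))
    done
    [ "$bad" -eq 0 ]
}

# Usage before the start-up loop (path and count taken from the post above):
#   check_instances /logs/snort/eth4_eth5 16 || exit 1
```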
