[Snort-users] FW: starting multiple instances of snort

James snort at ...16635...
Mon Dec 7 03:28:56 EST 2015


Hi Tony,

Thank you for replying and showing me your config. I'm monitoring a 20Gb
(10Gb each direction) link, so my plan is to load-balance (with pf_ring)
that considerable traffic volume across the 16 snort instances with one
config file. I haven't got barnyard installed yet; that'll be next if I
get this bit working!

J.

On 4 December 2015 at 16:10, Tony Reusser <treusser at ...15879...> wrote:

> James,
>
>
>
> I am only running two simultaneous instances of snort.  One snort server
> with two sniffing interfaces on two separate network segments.
>
>
>
> The way I am doing it, I have a separate snort.conf file for each “sensor”
> and each has its own output file for barnyard (two instances of barnyard
> with two config files running also) and each has its own log file.
>
>
>
> Not as complex as your deployment, but here’s how my startup looks:
>
>
>
> /usr/local/bin/snort -dD -c /etc/snort/snort_eth1.conf -i eth1
> /usr/local/bin/snort -dD -c /etc/snort/snort_eth2.conf -i eth2
> #
> #
> /usr/local/bin/barnyard2 -D -f snort_eth1.u2 -d /var/log/snort/eth1_logs -c /etc/snort/barnyard2_eth1.conf
> /usr/local/bin/barnyard2 -D -f snort_eth2.u2 -d /var/log/snort/eth2_logs -c /etc/snort/barnyard2_eth2.conf
>
>
>
> Hope this helps.
>
>
>
>                 -tkr
>
>
>
> *From:* James [mailto:snort at ...16635...]
> *Sent:* Friday, December 04, 2015 8:54 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] starting multiple instances of snort
>
>
>
> Hi,
>
>
>
> I'm attempting to start 16 instances of snort using a for loop, but see
> this error repeating in /var/log/messages and hope someone can help as I'm
> drawing a blank at the moment.
>
>
>
> snort[8537]: FATAL ERROR: Stat check on log dir failed: No such file or directory.
>
>
>
> This is the loop:
>
>
>
> for i in `seq 0 1 15`; do
>   snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D \
>     -c /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-$i \
>     --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive \
>     -i zc:eth4@$i,zc:eth5@$i --daq-var clusterid=$i --daq-var bindcpu=$i
> done
>
>
>
> The referenced log dirs exist and are owned by the snort user, as shown:
>
>
>
> []$ sudo -u snort ls -al /logs/snort/eth4_eth5/
> total 72
> drwx------ 18 snort snort 4096 Dec  4 10:44 .
> drwx------  3 snort snort 4096 Dec  4 10:43 ..
> drwx------  2 snort snort 4096 Dec  4 10:50 instance-0
> drwx------  2 snort snort 4096 Dec  4 10:50 instance-1
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-10
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-11
> drwx------  2 snort snort 4096 Dec  4 10:53 instance-12
> drwx------  2 snort snort 4096 Dec  4 10:54 instance-13
> drwx------  2 snort snort 4096 Dec  4 10:54 instance-14
> drwx------  2 snort snort 4096 Dec  4 10:54 instance-15
> drwx------  2 snort snort 4096 Dec  4 10:51 instance-2
> drwx------  2 snort snort 4096 Dec  4 10:51 instance-3
> drwx------  2 snort snort 4096 Dec  4 10:51 instance-4
> drwx------  2 snort snort 4096 Dec  4 10:52 instance-5
> drwx------  2 snort snort 4096 Dec  4 10:52 instance-6
> drwx------  2 snort snort 4096 Dec  4 10:52 instance-7
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-8
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-9
>
>
>
> Any help is much appreciated.
>
>
>
> J.
>
>
>
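
An added example, not part of the thread and not Snort project code: a pre-flight check that walks each instance's log path one component at a time and reports the first component the current user cannot reach, which is the condition behind a failed stat on the `-l` directory. The function names and the script name `preflight.sh` are hypothetical; the `instance-N` layout is the one from the original question.

```shell
# Added example: pre-flight check for per-instance Snort log directories.
# Function names are hypothetical; the instance-N layout is from the thread.

# first_bad_component PATH
# Walk PATH one component at a time. Print the first component that is not a
# directory this user can search and return 1; return 0 if all are reachable.
first_bad_component() {
    case $1 in
        /*) cur= ;;      # absolute path: start at the root
        *)  cur=. ;;     # relative path: start at the working directory
    esac
    rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        cur="$cur/$part"
        if [ ! -d "$cur" ] || [ ! -x "$cur" ]; then
            printf '%s\n' "$cur"
            return 1
        fi
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    return 0
}

# preflight BASE COUNT
# Check BASE/instance-0 .. BASE/instance-(COUNT-1). Print one line per
# unusable directory; the return status is the number of failures.
preflight() {
    base=$1; count=$2; failures=0; i=0
    while [ "$i" -lt "$count" ]; do
        dir="$base/instance-$i"
        if bad=$(first_bad_component "$dir"); then
            if [ ! -w "$dir" ]; then
                echo "instance-$i: $dir is not writable"
                failures=$((failures + 1))
            fi
        else
            echo "instance-$i: cannot reach $dir (stops at $bad)"
            failures=$((failures + 1))
        fi
        i=$((i + 1))
    done
    return "$failures"
}

# Runs only when called with two arguments: BASE and COUNT.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it as the account given to `-u`, for example `sudo -u snort sh preflight.sh /logs/snort/eth4_eth5 16`, so the result reflects that user's view of every parent directory.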

