[Snort-users] Configuration questions-snort multiple instances

Stanford Prescott
Tue May 2 10:27:23 EDT 2017

I am working on running multiple instances of snort on our firewall. I have
it mostly working with a separate instance of snort for each interface, WAN
and up to 3 LAN interfaces. Each snort instance has its own snort.conf,
pulledpork.conf, rules sets and log directories. Snort starts for each
interface without errors and each instance seems to generate alerts for
each interface it runs on. For now, snort runs in IDS mode.


1. Each snort.conf has the HOME_NET and DNS_SERVERS for the interface it is
running on defined. For the WAN, the public IP is defined for the HOME_NET
and configured external DNS_SERVERS usually provided by the ISP are
defined. The question is, the LAN interfaces only have private IP addresses
as their HOME_NET. Each interface also uses the IP assigned to it as the
initial DNS. There might be rare instances where a VPN to an internal
LAN might have a source public IP, but they really shouldn't. Is it
necessary to define the DNS_SERVERS for the LAN interfaces?

2. Each snort instance has its own rule sets. One of these is the Talos
reputation IP blacklists. Should the internal LAN instances of snort also
have access to the public IP addresses provided by the Talos IP blacklists
since the internal LANs really only use private IP addresses?

I think that's it for now. Thanks for any help.
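An added example, not from the original post or from the Snort project, of how the per-interface variables and the reputation preprocessor might be laid out for a WAN instance and a LAN instance in this setup; the interface names, addresses, file paths and filenames are assumed placeholders. Two facts the example relies on: stock rule sets (the DNS rules, for instance) reference `$DNS_SERVERS`, so an instance whose snort.conf leaves the variable undefined fails to parse those rules, and the shipped snort.conf simply sets `ipvar DNS_SERVERS $HOME_NET` for that reason; and a LAN-facing instance still sees the remote public address on every packet a LAN client exchanges with the Internet, so the reputation blacklist has addresses to match against even though the LAN's own hosts are all private.

```conf
# Start each instance on its own interface with its own config, log and pid
# directory (placeholder paths), then validate the parse with -T first:
#   snort -T -c /usr/local/etc/snort/snort-wan.conf -i em0
#   snort -D -c /usr/local/etc/snort/snort-wan.conf -i em0 \
#         -l /var/log/snort/wan --pid-path /var/run/snort/wan
# An undefined ipvar referenced by a loaded rule shows up as a fatal error in -T.

# --- /usr/local/etc/snort/snort-wan.conf (assumed path) ---
# WAN instance: the firewall's public address is the only "home" host.
ipvar HOME_NET [203.0.113.10/32]                 # placeholder public IP
ipvar EXTERNAL_NET !$HOME_NET
# Resolvers handed out by the ISP (placeholders); DNS rules match on these.
ipvar DNS_SERVERS [198.51.100.53,198.51.100.54]
var RULE_PATH       /usr/local/etc/snort/wan/rules
var WHITE_LIST_PATH /usr/local/etc/snort/wan/rules
var BLACK_LIST_PATH /usr/local/etc/snort/wan/rules
# Reputation preprocessor fed by this instance's own pulledpork download.
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
output unified2: filename snort-wan.u2, limit 128

# --- /usr/local/etc/snort/snort-lan1.conf (assumed path) ---
# LAN instance: the whole private subnet is home; external is everything else.
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
# The interface address is this LAN's resolver, so DNS_SERVERS is the
# firewall's own LAN IP. Keeping the variable defined lets the DNS rules load;
# the shipped default of "ipvar DNS_SERVERS $HOME_NET" would also work.
ipvar DNS_SERVERS [192.168.1.1]
var RULE_PATH       /usr/local/etc/snort/lan1/rules
var WHITE_LIST_PATH /usr/local/etc/snort/lan1/rules
var BLACK_LIST_PATH /usr/local/etc/snort/lan1/rules
# Same blacklist as the WAN instance: packets seen here carry the remote
# public IP as source or destination, which is what the list is matched on.
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
output unified2: filename snort-lan1.u2, limit 128
```

Each instance keeps its own `RULE_PATH`, list paths, unified2 filename and pid path so that pulledpork runs and log rotation for one interface never touch another; running `snort -T` against every config after each rule update catches a missing or renamed variable before the daemon is restarted.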
