<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">You need to execute snort instances
      with different options from command line. For example, we execute
      several instances of snort with same snort.conf and different
      unified2 and perfmonitor stats files:<br>
      <br>
      <pre># snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-0 \
    --perfmon-file /var/log/snort/0/instance-0/stats/snort.stats -G 0 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=0 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 0 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-0 -R _0-0 --treat-drop-as-alert
# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-1 \
    --perfmon-file /var/log/snort/0/instance-1/stats/snort.stats -G 1 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=1 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 1 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-1 -R _0-1 --treat-drop-as-alert
# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-2 \
    --perfmon-file /var/log/snort/0/instance-2/stats/snort.stats -G 2 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=2 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 2 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-2 -R _0-2 --treat-drop-as-alert
# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-3 \
    --perfmon-file /var/log/snort/0/instance-3/stats/snort.stats -G 3 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=3 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 3 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-3 -R _0-3 --treat-drop-as-alert

</pre>
      To do this, you will need a modified init script. This "instances
      group" has id '0' (/opt/rb/etc/snort/0/snort.conf). The config
      file is the same for all instances. Change direstories and other
      files to your own context.<br>
      <br>
      Regards.<br>
      <br>
      <br>
      El 06/06/14 08:33, Budinich Galvez, Luis Alberto escribió:<br>
    </div>
    <blockquote
cite="mid:D5E7767B7B0D9E4999B72C922E9F0AA60B3095@...16602..."
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 14 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Texto de globo Car";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
span.TextodegloboCar
        {mso-style-name:"Texto de globo Car";
        mso-style-priority:99;
        mso-style-link:"Texto de globo";
        font-family:"Tahoma","sans-serif";}
p.BalloonText, li.BalloonText, div.BalloonText
        {mso-style-name:"Balloon Text";
        mso-style-link:"Balloon Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";
        mso-fareast-language:EN-US;}
span.EstiloCorreo21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EstiloCorreo22
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EstiloCorreo23
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EstiloCorreo24
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D">Shawn, that’s
            what I’m looking for, but don’t know how to config in my
            snort.conf file.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D">Jaime, good to
            know this but now I’m not able to use SNMP. First, I think I
            need to tune my configuration.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D">Thanks guys!!!<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ES">De:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ES">
                Jefferson, Shawn [<a class="moz-txt-link-freetext" href="mailto:Shawn.Jefferson@...14448...">mailto:Shawn.Jefferson@...14448...</a>]
                <br>
                <b>Enviado el:</b> jueves, 05 de junio de 2014 18:47<br>
                <b>Para:</b> Jefferson, Shawn; Budinich Galvez, Luis
                Alberto; <a class="moz-txt-link-abbreviated" href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br>
                <b>Asunto:</b> RE: [Snort-users] Performance Monitor<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span style="color:#1F497D" lang="EN-CA">And
            if performance specifically (sorry didn’t quite understand),
            send your snort.stats to different files for each snort
            process?  (that’s what I do)<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D" lang="EN-CA"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-CA"
                  lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-CA"
                lang="EN-US"> Jefferson, Shawn
                [<a class="moz-txt-link-freetext" href="mailto:Shawn.Jefferson@...14448...">mailto:Shawn.Jefferson@...14448...</a>] <br>
                <b>Sent:</b> June 05, 2014 9:38 AM<br>
                <b>To:</b> Budinich Galvez, Luis Alberto;
                <a class="moz-txt-link-abbreviated" href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br>
                <b>Subject:</b> Re: [Snort-users] Performance Monitor<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D" lang="EN-CA">Use
            different unified files for each process, set a unique name
            for each sensor in your barnyard2  conf.  That will let you
            know what sensor the alert came from.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D" lang="EN-CA"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-CA"
                  lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-CA"
                lang="EN-US"> Budinich Galvez, Luis Alberto [<a
                  moz-do-not-send="true"
                  href="mailto:BUDINIL@...16601...">mailto:BUDINIL@...16601...</a>]
                <br>
                <b>Sent:</b> June 05, 2014 8:25 AM<br>
                <b>To:</b> <a moz-do-not-send="true"
                  href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br>
                <b>Subject:</b> [Snort-users] Performance Monitor<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
        <p class="MsoNormal">Hello guys, I’m wondering if it’s posible
           (with performance monitor)  to monitor the performance of
          different snorts that reads the same configuration file.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">I’m running 4 snorts in the same machine.
          Each one is sniffing different networks, so now I’m seeing all
          output in the same file, but can’t distinguish the values for
          my different networks. Is there a way for this?<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Thanks you!!!<o:p></o:p></p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their 
applications. Written by three acclaimed leaders in the field, 
this first edition is now available. Download your free book today!
<a class="moz-txt-link-freetext" href="http://p.sf.net/sfu/NeoTech">http://p.sf.net/sfu/NeoTech</a></pre>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Snort-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a>
Go to this URL to change user options or unsubscribe:
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
Snort-users list archive:
<a class="moz-txt-link-freetext" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a>

Please visit <a class="moz-txt-link-freetext" href="http://blog.snort.org">http://blog.snort.org</a> to stay current on all the latest Snort news!</pre>
    </blockquote>
    <br>
  </body>
</html>