RE: [Snort-users] Multiple Snort Instances

From: Demetri Mouratis <dmourati(at)cm.math.uiuc.edu>
Date: Fri Feb 28 2003 - 13:30:00 EST

>

> Maybe I'm being brain-dead today (please be nice) but why would someone want
> to run multiple instances of snort?

I run one production instance in daemon mode and have it logging to a remote DB. In this case, I was on the sensor and needed to look at all the traffic on-the-fly. I noticed that when I started my second instance at the command line, my daemonized instance was not logging anything to the database and my on-the-fly session was only capturing traffic destined for the local machine.

The workaround I implemented was to ifconfig the interface in promisc mode then use the -p option to snort to tell it to leave the interface alone. This way, multiple snort instances can see all the traffic.

HTH.

---

Demetri Mouratis
dmourati@linfactory.com

---

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Fri Feb 28 13:35:04 2003