Hi Kevin,

This is what I get for reading in reverse order. :)

You are correct in what you wrote: you do have it up and running it would
seem. To run more instances, you need to start multiple instances of snort
and make sure that you pass them the same clusterid.

The only tricky part is making sure that each snort instance has its own
PID file, config file, logging directory, etc; that's usually the hardest
part of getting multiple snort instances up. :)

There are a few strategies for managing the snort instance configs, but the
one I've seen described that I liked the most was to create a vanilla
config that expresses the things you want for every instance, and then
create individual configs for each instance specifying only the things that
are different and including the vanilla one. For instance:

snort.master.conf:

config interface: eth0
include /rules/Some_rule_file
etc

and then:

inst1.conf:

config logdir: /nsm/snort/inst1
include snort.master.conf

That makes it a little easier to maintain your conf files...

GL,

Jesse

On Fri, Mar 1, 2013 at 2:46 PM, Kevin Hanser <[email protected]> wrote:

> So I appear to have pf_ring installed (via the RPMs) and snort working
> with it.  If I start up a snort instance using a command line similar to
> the metaflows article (except I'm doing passive instead of inline for the
> time being):
>
> snort -c /etc/snort/snort.conf -y -i eth0 --daq-dir /usr/local/lib/daq
> --daq pfring --daq-var clusterid=10 --daq-mode passive
>
> I get a status counter "device" created in /proc/net/pf_ring named
> <pid>-eth0.1.  If I watch this file with cat while sending some traffic to
> the machine, I see the counters increasing, and snort is logging the
> information.  So based on this, it seems that snort is working with
> pf_ring, which was my "first step" so that's pretty cool.
>
> Now I'm trying to figure out how I distribute the load across multiple
> snort / pf_ring instances.  I started up multiple instances of snort, but
> when I watch the counters it seems that only the one I started last is
> getting all the traffic.  I'm probably missing something in how I start it
> up, but I'm unsure what.
>
> What do I need to tell pf_ring / snort so that they distribute the load
> across the multiple rings / snorts?  Is that what the clusterid=10 means?
>  Is that telling each pf_ring that it's part of the same cluster?  I'm
> still working on understanding how all this works together so if anyone has
> any thoughts / suggestions that would be great!  I'll keep researching and
> reading and testing on my own as well,
>
> thx!
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
>


-- 
Jesse Bowling
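As an added example (not code from the thread or from the snort/pf_ring projects), a POSIX shell script that lays out the master/per-instance config split described above and builds one command line per instance, all with the same clusterid but separate conf, logdir and PID directory; the /etc/snort/multi path, the rule placeholder and the use of snort's -D and --pid-path options are assumptions for the demo.

```shell
# Per-instance snort configs that include one shared master config, plus the
# matching command lines: same clusterid for every instance so pf_ring spreads
# the interface's traffic across them, but each with its own conf, logdir and
# PID directory. Paths below are assumptions for the demo, not from the thread.
CONF_DIR="${CONF_DIR:-/etc/snort/multi}"
LOG_BASE="${LOG_BASE:-/nsm/snort}"
IFACE="${IFACE:-eth0}"
CLUSTER_ID="${CLUSTER_ID:-10}"
DAQ_DIR="${DAQ_DIR:-/usr/local/lib/daq}"
SNORT_BIN="${SNORT_BIN:-snort}"

# Shared settings written once; rule includes belong here too.
write_master_conf() {
    mkdir -p "$CONF_DIR"
    printf 'config interface: %s\n# include /rules/your_rule_file (placeholder)\n' \
        "$IFACE" > "$CONF_DIR/snort.master.conf"
}

# instN.conf carries only what differs, then pulls in the master config.
write_instance_conf() {
    n="$1"
    mkdir -p "$LOG_BASE/inst$n"
    printf 'config logdir: %s/inst%s\ninclude %s/snort.master.conf\n' \
        "$LOG_BASE" "$n" "$CONF_DIR" > "$CONF_DIR/inst$n.conf"
    printf '%s/inst%s.conf\n' "$CONF_DIR" "$n"
}

# Command line for instance N: shared clusterid, distinct conf and --pid-path
# (snort names the PID file after the interface, so the directory must differ).
snort_cmd() {
    n="$1"
    printf '%s -D -c %s/inst%s.conf -i %s --pid-path %s/inst%s' \
        "$SNORT_BIN" "$CONF_DIR" "$n" "$IFACE" "$LOG_BASE" "$n"
    printf ' --daq-dir %s --daq pfring --daq-var clusterid=%s --daq-mode passive\n' \
        "$DAQ_DIR" "$CLUSTER_ID"
}

# Print the start-up commands for N instances (pipe the output to sh to launch).
start_commands() {
    write_master_conf
    i=1
    while [ "$i" -le "$1" ]; do
        write_instance_conf "$i" > /dev/null
        snort_cmd "$i"
        i=$((i + 1))
    done
}
```

After launching, the check from Kevin's test still applies: every instance's counter under /proc/net/pf_ring should increase, not only the last one started.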
