In snortcenter 2, it says "Once Sensor Agent can handle multiple snort daemons if the system has multiple network interfaces". If you ever need to run multiple daemons in one engine on one interface, you seem to be out of luck.
The snortcenter agent uses the parameters passed by curl from snortcenter to construct two files, one for the config and another for the command-line options. These two files need to be different for different daemons. After reviewing the source code, I found that one parameter passed to the snortcenter agent, called r_option, is taken from the tag after -R in the sensor's command-line options. Snort uses the -R tag to create a distinct PID file, and the snortcenter agent also uses this tag to construct those two file names.
So the way to run multiple snort daemons in one engine on one interface is:
- Use different sensor names for different daemons.
- Use "-R tag" at the end of the command-line options when defining the sensor in snortcenter.
One use for this is to run multiple daemons for multiple policy sets. For example, one daemon checks for policy violations while the other checks the intrusion signatures for valid traffic.
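A pre-deployment check for the two rules above, as an added example that is not part of the original post or of snortcenter: it flags sensors on the same interface that share a -R tag (or have none) and sensors whose options do not end with "-R tag". The sensor names, tags and the `SENSORS` table are constructed, and the PID file pattern is an assumption taken from Snort 2.x's help text for -R.

```python
import shlex
from collections import defaultdict

# Constructed sample: sensor name -> (interface, command-line options as
# entered in the sensor definition). All names and tags are made up.
SENSORS = {
    "ids-policy": ("eth0", "-D -R _policy"),
    "ids-sigs":   ("eth0", "-D -R _sigs"),
    "ids-copy":   ("eth0", "-D -R _sigs"),   # same tag as ids-sigs
    "ids-plain":  ("eth0", "-R _plain -D"),  # tag present but not last
    "ids-none":   ("eth0", "-D"),            # no tag at all
}

def r_tag(options):
    """Return the word following -R, or None when -R is absent."""
    args = shlex.split(options)
    for i, arg in enumerate(args[:-1]):
        if arg == "-R":
            return args[i + 1]
    return None

def tag_is_last(options):
    """True when the options end with '-R tag', as the post recommends."""
    args = shlex.split(options)
    return len(args) >= 2 and args[-2] == "-R"

def pid_file(interface, tag):
    # Assumption: Snort 2.x naming, per its -R help text
    # ("Include 'id' in snort_intf<id>.pid file name").
    return f"snort_{interface}{tag or ''}.pid"

def check(sensors):
    """Return (collisions, misplaced): sensors that would share a PID file,
    and sensors whose options do not end with '-R tag'."""
    groups = defaultdict(list)
    for name, (iface, opts) in sensors.items():
        groups[pid_file(iface, r_tag(opts))].append(name)
    collisions = {pid: sorted(n) for pid, n in groups.items() if len(n) > 1}
    misplaced = sorted(n for n, (_, o) in sensors.items() if not tag_is_last(o))
    return collisions, misplaced

if __name__ == "__main__":
    collisions, misplaced = check(SENSORS)
    for pid, names in collisions.items():
        print(f"collision on {pid}: {', '.join(names)}")
    for name in misplaced:
        print(f"{name}: options do not end with '-R tag'")
```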
