double snorting

This quick article talks about running two instances of Snort in order to capture two opposing sets of data. The first sensor catches “everything” that you can imagine in the rules, basically allowing the operator to get an idea of the state of the Internet as a whole. The second sensor catches only things of immediate interest to the operator: it is filtered so that only those threats that may affect the operator are captured. I like this article due to the explicit instructions on installing and running Snort.