Snort mailing list archives
Re: [Snort-Users] differentiate between eth0 and eth1
From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Thu, 01 Apr 2004 21:41:43 -0300
Hello there,
> Hello snort users! I am new to snort and have what I am sure is a very simple question, at least for you folks. I have a single snort box with 2 ethernet cards, and 2 snort processes running. I start the process from within the directory where snort.conf resides:
>
>     /usr/local/bin/snort -i eth0 -D
>     /usr/local/bin/snort -i eth1 -D
>
> I am logging very simply to the /var/log/messages file, and would like to know if there is a way to differentiate between each interface that is snorting.
Use '-I' (Add Interface name to alert output)
> From what I see in messages it is not obvious to me that I can.
>
>     Apr 1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
>
> What does [1:1917:4] mean/stand for?
If I'm not wrong:

    1    -> Generator ID (the guy who generates the alert, see: etc/generators)
    1917 -> Signature ID (the keyword that identifies the rule: "sid: 1917;")
    4    -> Rule revision

Why don't you use ACID to monitor the alerts in 'real-time'? Sure, you'll also need to install MySQL or PostgreSQL.

Regards,
Alejandro Flores
--
TriForSec
http://www.triforsec.com.br/
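As an added example (not part of this thread and not Snort's own code), the following Python script parses syslog alert lines in the format shown above, pulls out the [gid:sid:rev] triplet and the interface tag, and counts alerts per interface. It assumes that when Snort 2.x is started with `-I` the interface name is inserted as `<eth0>` immediately after the `[gid:sid:rev]` triplet; the sample log lines are constructed for the example, so check the exact placement against the output of your own Snort version before relying on the regex.

```python
import re
from collections import Counter

# Snort 2.x alert_syslog line format. The optional "<iface>" group is the field
# that "-I" adds; its position after the [gid:sid:rev] triplet is an assumption
# about Snort 2.x output and should be checked against your own version.
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:<(?P<iface>[^>]+)> )?"
    r"(?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample lines: one without "-I", two with it, and one non-Snort line
# of the kind that also ends up in /var/log/messages.
SAMPLE = [
    "Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt "
    "[Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900",
    "Apr  1 14:55:01 snort1 snort: [1:1917:4] <eth0> SCAN UPnP service discover attempt "
    "[Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900",
    "Apr  1 14:55:07 snort1 snort: [1:469:3] <eth1> ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 172.16.1.2",
    "Apr  1 14:55:09 snort1 sshd[1234]: Accepted password for root from 10.0.0.5 port 41022 ssh2",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert.

    Numeric fields (gid, sid, rev, priority, ports) are converted to int; ports
    are None for protocols without them (e.g. ICMP); iface is None when the
    sensor was not started with -I.
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def alerts_by_interface(lines):
    """Count parsed alerts per interface; lines lacking the <iface> tag are
    grouped under "(untagged)" so a sensor started without -I is still visible."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            counts[alert["iface"] or "(untagged)"] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE:
        alert = parse_alert(line)
        if alert is None:
            print("not a snort alert:", line[:40], "...")
        else:
            print("%-10s [%d:%d:%d] %s" % (alert["iface"] or "(untagged)",
                                           alert["gid"], alert["sid"], alert["rev"],
                                           alert["msg"]))
    print(alerts_by_interface(SAMPLE))
```

To use it against a real sensor, feed the lines of /var/log/messages to `alerts_by_interface` (or `parse_alert` per line); the regex ignores the syslog timestamp and host prefix, so it also works on lines collected from several sensors by a central syslog host.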
Current thread:
- [Snort-Users] differentiate between eth0 and eth1 eamonn doyle (Apr 01)
- Re: [Snort-Users] differentiate between eth0 and eth1 Alejandro Flores (Apr 01)