Snort mailing list archives
RE: [Snort-Users] differentiate between eth0 and eth1 in logs
From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Fri, 2 Apr 2004 08:52:24 -0500
There was some talk about a year ago about allowing the user to specify what syslog facility snort would use. I don't think this made it into the code, but adding it should not be too hard. Other possibilities are to log to two separate files (the -l flag) and then parsing those with something to separate the alerts.

Jim
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of eamonn doyle
Sent: Thursday, April 01, 2004 6:03 PM
To: snort-users () lists sourceforge net
Subject: [Snort-Users] differentiate between eth0 and eth1 in logs

Hello snort users!

I am new to snort and have what I am sure is a very simple question, at least for you folks. I have a single snort box with 2 ethernet cards, and 2 snort processes running. I start the process from within the directory where snort.conf resides:

/usr/local/bin/snort -i eth0 -D
/usr/local/bin/snort -i eth1 -D

I am logging very simply to the /var/log/messages file, and would like to know if there is a way to differentiate between each interface that is snorting. From what I see in /var/log/messages it is not obvious to me that I can.

Apr 1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900

What does [1:1917:4] mean/stand for?

I run some simple bash scripts to parse the files every hour and report back on priority 1 entries. My network is very simple: the 2 nics are watching 2 T-1 circuits from different providers, one feeds through a 2611, the other through a 3640 + PIX. There is a hub after the 2611 and PIX and in each hub is one of the snort interfaces. Each path is then passed on to a switch and users define which path they take with their default route, either 172.16.1.1 (eth1) or 172.16.1.2 (eth0).

Snort system is default 2.1.2 running on a P IV with 1 gig of memory, linux 2.4.20, flavor is suse 8.2.

Thanks for any and all help,
Eamonn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
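As an added example (not code from either poster), the script below follows Jim's second suggestion: run each Snort instance with its own -l log directory, then parse the per-interface files and tag every alert with the interface it came from, which is exactly the distinction the single /var/log/messages stream loses. It also answers the [1:1917:4] question in code: the bracketed triple is generator id, signature id and rule revision. It assumes the two instances write syslog-style alert lines (the format quoted in the question) into separate files; the file contents here are constructed sample lines, not real logs, and the paths under /var/log/snort/ are an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread. Parses Snort syslog-style alert
# lines and tags each alert with the interface whose log file it came from.
# Assumption: each Snort instance was started with -l /var/log/snort/<iface>
# so its alerts land in a separate file; temp files stand in for those here.

# parse_alert IFACE LINE
# Prints IFACE|gid|sid|rev|priority|proto|src|dst for one alert line,
# or nothing if the line is not an alert in the expected format.
# [gid:sid:rev] = generator id (1 = rules engine), signature id, rule revision.
parse_alert() {
    iface=$1
    line=$2
    printf '%s\n' "$line" | sed -n -E \
        's/^.*\[([0-9]+):([0-9]+):([0-9]+)] .*\[Priority: ([0-9]+)]: [{]([A-Za-z]+)[}] ([0-9.:]+) -> ([0-9.:]+).*$/'"$iface"'|\1|\2|\3|\4|\5|\6|\7/p'
}

# tag_alerts IFACE FILE
# Runs parse_alert over every line of FILE; non-alert lines are dropped.
tag_alerts() {
    while IFS= read -r l; do
        parse_alert "$1" "$l"
    done < "$2"
}

# high_priority IFACE FILE
# Prints only priority-1 alerts from FILE, tagged with IFACE
# (field 5 of the parse_alert output is the priority).
high_priority() {
    tag_alerts "$1" "$2" | awk -F'|' '$5 == 1'
}

# --- constructed sample data (stands in for /var/log/snort/eth0/alert etc.) ---
tmp=$(mktemp -d)
cat > "$tmp/eth0.log" <<'EOF'
Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
Apr  1 14:55:10 snort1 snort: [1:1000001:1] CONSTRUCTED priority-1 test alert [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.0.0.5:40000 -> 172.16.1.2:22
EOF
cat > "$tmp/eth1.log" <<'EOF'
Apr  1 14:56:02 snort1 snort: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.9 -> 172.16.1.1
this line is not an alert and is ignored by the parser
EOF

# Hourly-report style usage: walk both interfaces, show only priority 1,
# each line prefixed with the interface that saw the packet.
for iface in eth0 eth1; do
    high_priority "$iface" "$tmp/$iface.log"
done

rm -rf "$tmp"
```

Because the interface label is prepended by the parser rather than taken from the log line, the same functions work unchanged if a later Snort build adds a per-instance syslog facility; only the loop that maps files to labels would need to change. The ICMP sample shows why the src/dst pattern accepts addresses with or without a port.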
Current thread:
- [Snort-Users] differentiate between eth0 and eth1 in logs eamonn doyle (Apr 01)
- RE: [Snort-Users] differentiate between eth0 and eth1 in logs Jim Hendrick (Apr 02)
- RE: [Snort-Users] differentiate between eth0 and eth1 in logs Matt Kettler (Apr 02)
- Re: [Snort-Users] differentiate between eth0 and eth1 in logs Edin Dizdarevic (Apr 02)
- Re: [Snort-Users] differentiate between eth0 and eth1 in logs eamonn doyle (Apr 02)
- RE: [Snort-Users] differentiate between eth0 and eth1 in logs Jim Hendrick (Apr 02)