Snort mailing list archives
RE: Remote syslogging with multiple interfaces
From: John Hally <JHally () epnet com>
Date: Tue, 9 Aug 2005 09:15:04 -0400
The traffic will only go out the 'sniff' interface if you have an IP address assigned to it (you don't need to) and it's the first address in the routing table (netstat -rn), or that interface is addressed with the same network as the syslog server (i.e. 192.168.40.x).

My advice is to just start the sniff interface without an IP address:

/sbin/ifconfig eth1 up promisc

If syslog is still not picking up the entries, this is not the problem. Is syslog configured to accept other hosts? I don't think it is by default (Red Hat anyway).

JH.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kevin Ponds
Sent: Monday, August 08, 2005 2:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Remote syslogging with multiple interfaces

Hi all,

I have two interfaces on my sensors - a dedicated sniffing interface and a dedicated management interface. The sniffing interfaces cannot talk on the network. I'd like to send syslog events to a remote management machine. However, snort is running on the sniff interface (eth1), and I believe it's trying to send the syslog stuff out that interface. This doesn't work.

Is there any way to get snort to sniff on one interface and send syslog events on another?

I'm using:

output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT

in snort.conf rather than using -s on the command line (-s wouldn't allow me to run snort since the interface didn't have an IP). I would imagine that this would just work without having to mess around with interfaces, but I am not seeing any events on my management box or out of tcpdump -i eth1 on the snort sensor.
Thanks,
Kevin

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
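The route-selection point John makes (the syslog packets leave whichever interface has the best-matching route, so an addressed sniff NIC on the syslog server's network captures them) can be checked offline. This is an added example, not code from the thread or from Snort: it models a constructed `netstat -rn` table with assumed addresses (10.1.1.0/24 for management, 192.168.40.0/24 for the syslog server's network), parses the `output alert_syslog:` line Kevin quotes, and shows which interface the alerts would use before and after the sniff interface is brought up without an address.

```python
import ipaddress
import re

# Constructed routing table modelled on `netstat -rn` output for the sensor in
# the thread: eth0 is the management interface, eth1 is the sniff interface,
# which here has been given an address on the syslog server's network.
ROUTES_SNIFF_HAS_IP = [
    # (destination, genmask, iface)
    ("192.168.40.0", "255.255.255.0", "eth1"),
    ("10.1.1.0",     "255.255.255.0", "eth0"),  # assumed management network
    ("0.0.0.0",      "0.0.0.0",       "eth0"),  # default route
]

def parse_alert_syslog(line):
    """Extract host and port from a snort.conf `output alert_syslog:` line."""
    m = re.search(r"host=([\d.]+)(?::(\d+))?", line)
    if not m:
        raise ValueError("no host= in alert_syslog line")
    return m.group(1), int(m.group(2) or 514)

def select_interface(routes, dest):
    """Longest-prefix match as the kernel does; ties fall to the first entry."""
    target = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for network, mask, iface in routes:
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def without_interface(routes, iface):
    """Table after `ifconfig eth1 up promisc` with no address: the connected
    route for that interface is gone, so it can no longer win route selection."""
    return [r for r in routes if r[2] != iface]

def syslog_egress_check(routes, conf_line, sniff_iface):
    """Return (egress_iface, ok); ok is False when alerts would leave the sniff NIC."""
    host, _port = parse_alert_syslog(conf_line)
    egress = select_interface(routes, host)
    return egress, egress != sniff_iface

if __name__ == "__main__":
    conf = "output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT"
    print(syslog_egress_check(ROUTES_SNIFF_HAS_IP, conf, "eth1"))  # ('eth1', False)
    fixed = without_interface(ROUTES_SNIFF_HAS_IP, "eth1")
    print(syslog_egress_check(fixed, conf, "eth1"))                 # ('eth0', True)
```

Running `ip route get 192.168.40.104` on the real sensor gives the kernel's own answer to the same question.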
Current thread:
- Remote syslogging with multiple interfaces Kevin Ponds (Aug 08)
- RE: Remote syslogging with multiple interfaces Charles Heselton (Aug 09)
- Re: Remote syslogging with multiple interfaces Matt Kettler (Aug 09)
- Re: Remote syslogging with multiple interfaces Kevin Ponds (Aug 09)
- <Possible follow-ups>
- RE: Remote syslogging with multiple interfaces John Hally (Aug 09)
- RE: Remote syslogging with multiple interfaces Joshua Berry (Aug 09)