Snort mailing list archives
Re: About syslog messages in snort
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Fri, 21 Nov 2014 18:12:52 +0000
OK, but what about Snort startup messages? How do I avoid them going to syslog and send them to another log file?

On Fri, Nov 21, 2014 at 3:20 PM, Robert Millott <robm () millottandassociates com> wrote:

Yes, but you can set a unique id for events from each individual Snort instance. I don't have the code in front of me, but you can start one instance of Snort like:

snort -c snort.conf -G01

and the second as:

snort -c snort2.conf -G02

Then the alerts from each instance will have that 01 or 02 in the alerts. How you separate them, and what you do once you have them identified, I'm not sure, but at least this lets you identify which alert came from which instance.

On Fri, Nov 21, 2014 at 8:47 AM, C. L. Martinez <carlopmart () gmail com> wrote:

Thanks Robert, but according to Snort's docs the -G flag is for the event id generated by one sensor ... Right?

On Fri, Nov 21, 2014 at 1:22 PM, Robert Millott <robm () millottandassociates com> wrote:

Check out the -G option for starting Snort. Also Google it. I had some problems with it a few months back, but finally got it figured out. I think I posted the results, but if you need some more help, I can share what I've done.

On Fri, Nov 21, 2014 at 2:34 AM, C. L. Martinez <carlopmart () gmail com> wrote:

Hi all,

I have installed two Snort instances on one host (both are Snort 2.9.7.0). One Snort instance has so_rules only and the other instance has the rest of the rules. OK. I need to differentiate syslog messages between these Snort processes using, for example, a specific entry like "snort_so-sensor1" or "snort-sensor2" and, if it is possible, redirect all of Snort's syslog entries to a different log file. Is there some option when Snort starts, or inside the conf file, to do this? I don't see anything about this in the Snort docs.

Thanks.

--
Robert Millott
President, Millott and Associates
(443) 255-3588

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
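Where the -G value actually ends up, as an added example that is not part of this thread or of the Snort code base. As far as I know the id set with -G is not printed in the alert_syslog text at all; Snort folds it into the event_id of each unified2 IDS event record, so the unified2 spool (not syslog) is where the two instances' alerts can be told apart. The script below reads a unified2 byte stream, groups IDS events by that instance id and skips packet records. The record layout it relies on (type numbers 7, 104 and 2, the field order, and the placement of the -G value in the upper 16 bits of event_id) is written from memory of Snort 2.9's Unified2_common.h and must be checked against your own source tree; every record in SAMPLE_SPOOL is constructed for the example, not captured from a sensor.

```python
"""Demultiplex Snort unified2 IDS events by the per-instance id set with -G.

Added example for this thread; not code from the thread or from the Snort
project. Assumptions, to be checked against Unified2_common.h in your
snort-2.9.x source tree:
  * every record is a big-endian header (type u32, length u32) plus body
  * type 7   = Unified2IDSEvent_legacy, 52-byte body
  * type 104 = Unified2IDSEvent (adds mpls_label, vlanId, pad), 60-byte body
  * type 2   = Unified2Packet (skipped here)
  * snort stores the -G value in the upper 16 bits of event_id
"""
import ipaddress
import struct
from collections import defaultdict

TYPE_PACKET = 2
TYPE_IDS_EVENT_LEGACY = 7
TYPE_IDS_EVENT = 104

RECORD_HEADER = struct.Struct("!II")
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
EVENT_LEGACY = struct.Struct("!11I2H4B")      # 52 bytes
EVENT_VLAN = struct.Struct("!11I2H4BIHH")     # 60 bytes (+ mpls_label, vlanId, pad2)


def iter_records(blob):
    """Yield (type, body) per record; reject truncated input instead of
    silently mis-parsing the tail of a spool file."""
    off = 0
    while off < len(blob):
        if len(blob) - off < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % off)
        rec_type, length = RECORD_HEADER.unpack_from(blob, off)
        off += RECORD_HEADER.size
        if len(blob) - off < length:
            raise ValueError("truncated record body at offset %d" % off)
        yield rec_type, blob[off:off + length]
        off += length


def decode_ids_event(rec_type, body):
    """Return a dict for an IPv4 IDS event record, or None for other types."""
    if rec_type == TYPE_IDS_EVENT_LEGACY and len(body) == EVENT_LEGACY.size:
        f = EVENT_LEGACY.unpack(body)
    elif rec_type == TYPE_IDS_EVENT and len(body) == EVENT_VLAN.size:
        f = EVENT_VLAN.unpack(body)
    else:
        return None
    event_id = f[1]
    return {
        "instance": event_id >> 16,        # the -G value (assumption, see docstring)
        "seq": event_id & 0xFFFF,          # per-instance event counter
        "gid": f[5], "sid": f[4], "rev": f[6],
        "src": str(ipaddress.IPv4Address(f[9])),
        "dst": str(ipaddress.IPv4Address(f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def split_by_instance(blob):
    """Group decoded events by instance id; returns (groups, skipped_count)."""
    groups = defaultdict(list)
    skipped = 0
    for rec_type, body in iter_records(blob):
        ev = decode_ids_event(rec_type, body)
        if ev is None:
            skipped += 1
            continue
        groups[ev["instance"]].append(ev)
    return dict(groups), skipped


def build_ids_event(instance, seq, gid, sid, rev, legacy=False):
    """Constructed sample record (not captured from a real sensor)."""
    event_id = (instance << 16) | seq
    common = (0, event_id, 1416592372, 0, sid, gid, rev, 0, 1,
              int(ipaddress.IPv4Address("10.0.0.1")),
              int(ipaddress.IPv4Address("10.0.0.2")),
              12345, 80, 6, 0, 0, 0)
    if legacy:
        rec_type, body = TYPE_IDS_EVENT_LEGACY, EVENT_LEGACY.pack(*common)
    else:
        rec_type, body = TYPE_IDS_EVENT, EVENT_VLAN.pack(*common, 0, 0, 0)
    return RECORD_HEADER.pack(rec_type, len(body)) + body


# Constructed spool: two events from the instance with id 1, one from id 2,
# and one packet record that a syslog-style split would never see anyway.
SAMPLE_SPOOL = b"".join([
    build_ids_event(1, 1, 1, 2000001, 3),
    build_ids_event(2, 1, 3, 12345, 1, legacy=True),
    RECORD_HEADER.pack(TYPE_PACKET, 4) + b"\x00" * 4,
    build_ids_event(1, 2, 1, 2000002, 1),
])

if __name__ == "__main__":
    groups, skipped = split_by_instance(SAMPLE_SPOOL)
    for inst in sorted(groups):
        for ev in groups[inst]:
            print("instance %d seq %d [%d:%d:%d] %s:%d -> %s:%d" % (
                inst, ev["seq"], ev["gid"], ev["sid"], ev["rev"],
                ev["src"], ev["sport"], ev["dst"], ev["dport"]))
    print("skipped %d non-event records" % skipped)
```

Feed split_by_instance() the bytes of a snort.u2.<timestamp> spool file instead of SAMPLE_SPOOL; IPv6 event types are not decoded here and are counted as skipped. This does not answer the original syslog question: as far as I know Snort opens syslog with a fixed "snort" ident, so a per-instance tag like "snort-sensor2" has to come from whatever starts the process (for example, running each instance in the foreground and piping its output through logger -t with a distinct tag, then filtering on that tag in the syslog daemon), which is the route I would take rather than relying on -G.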
Current thread:
- About syslog messages in snort C. L. Martinez (Nov 20)
- Re: About syslog messages in snort Robert Millott (Nov 21)
- Re: About syslog messages in snort C. L. Martinez (Nov 21)
- Re: About syslog messages in snort Robert Millott (Nov 21)
- Re: About syslog messages in snort C. L. Martinez (Nov 21)
- Re: About syslog messages in snort C. L. Martinez (Nov 21)
- Re: About syslog messages in snort Robert Millott (Nov 21)