[Snort-users] Logsnorter .2 PIX Support?

Ryan Hill rhill at ...2446...
Thu Oct 25 20:20:06 EDT 2001


All,

Forgive me if this has already been documented somewhere, but does
logsnorter have any support for Cisco PIX syslog output messages?

An example message might look like:

Oct 25 20:12:11 sinker %PIX-3-106010: Deny inbound tcp src
outside:xxx.xxx.xxx.xxx/4301 dst dmz:xxx.xxx.xxx.xxx/80 

My logsnorter.conf looks like:

# Logsnorter .2 Config File
# Date: 10/25/01 07:40 PM PST
# Last Modified: Never

$db_server='localhost';
$db_database='xxxxxx';
$db_usercode='xxxxxx';
$db_password='xxxxxx';

#Cisco access-list syslog messages don't report the interface
#which generated the message. You must therefore provide logsnorter
#with this information (indexed to the ACL number) so that it can
#correctly inject these into the snort database

#$cisco_interface['rtr01',107]="Serial0.1";
#$cisco_interface['rtr01',108]="Serial0.1";
#$cisco_interface['rtr11',105]="FastEthernet0";
#$cisco_interface['rtr11',106]="FastEthernet0";

The XXX's for the database have been satanized, and I've left the cisco
comments out for the time being since I couldn't find an acl list to
correspond the variables to.  On my PIX, I use named acl groups, like
'access-list acl_myaclname', instead of traditional acl access lists like
'access-list acl 100'

When running logsnorter via the command suggested on SNORT-announce: 

cat /var/log/syslog | logsnorter -t 

the program appears to run successfully and then immediately exits.  Since
it looks like my DB connection and everything else is setup correctly, my
guesstimation at this point is that logsnorter doesn't recognize the entry
format.  Is this true?

Thanks in advance,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB
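As an added illustration (not part of the original post or of logsnorter), the script below parses PIX-3-106010 "Deny inbound" syslog lines of the shape shown above into structured fields and keeps a list of lines it could not parse. When a log-ingestion tool exits immediately without error, counting how many input lines match the expected format is the quickest way to confirm a format-recognition problem rather than a database problem. The sample log lines, hostnames and addresses are constructed (RFC 5737 documentation ranges), and the field names are this example's own choice, not logsnorter's schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog excerpt: two PIX deny messages in the format
# quoted in the post, one PIX connection-built message, and one non-PIX line.
SAMPLE_LOG = """\
Oct 25 20:12:11 sinker %PIX-3-106010: Deny inbound tcp src outside:203.0.113.7/4301 dst dmz:192.0.2.10/80
Oct 25 20:12:12 sinker %PIX-3-106010: Deny inbound udp src outside:203.0.113.9/53 dst inside:192.0.2.20/1025
Oct 25 20:12:13 sinker %PIX-6-302001: Built inbound TCP connection 12 for faddr 203.0.113.7/4302 gaddr 192.0.2.10/80 laddr 10.0.0.10/80
Oct 25 20:12:14 sinker sshd[123]: Accepted publickey for ryan from 192.0.2.5 port 1234
"""

# Matches the PIX 106010 layout:
#   <syslog timestamp> <host> %PIX-<severity>-106010: Deny inbound <proto>
#   src <iface>:<ip>/<port> dst <iface>:<ip>/<port>
PIX_106010 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"%PIX-(?P<sev>\d)-106010: "
    r"Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)\s*$"
)


@dataclass
class PixDeny:
    """One parsed PIX-3-106010 deny event (field names chosen for this example)."""
    timestamp: str
    host: str
    severity: int
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int


def parse_pix_deny(line: str) -> Optional[PixDeny]:
    """Return a PixDeny for a 106010 line, or None if the line is another format."""
    m = PIX_106010.match(line)
    if m is None:
        return None
    return PixDeny(
        timestamp=m.group("ts"),
        host=m.group("host"),
        severity=int(m.group("sev")),
        proto=m.group("proto").lower(),
        src_if=m.group("src_if"),
        src_ip=m.group("src_ip"),
        src_port=int(m.group("src_port")),
        dst_if=m.group("dst_if"),
        dst_ip=m.group("dst_ip"),
        dst_port=int(m.group("dst_port")),
    )


def parse_log(text: str) -> Tuple[List[PixDeny], List[str]]:
    """Split a syslog excerpt into parsed deny events and unrecognised lines.

    The unrecognised list is the diagnostic: if every line lands there, the
    input format is the problem, not the database connection.
    """
    events: List[PixDeny] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_pix_deny(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def summarize_by_dst(events: List[PixDeny]) -> Dict[Tuple[str, str, int, str], int]:
    """Count denies per (dst interface, dst ip, dst port, proto) for a quick triage view."""
    counts: Dict[Tuple[str, str, int, str], int] = {}
    for ev in events:
        key = (ev.dst_if, ev.dst_ip, ev.dst_port, ev.proto)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(parsed)} deny events, skipped {len(skipped)} other lines")
    for key, n in summarize_by_dst(parsed).items():
        print(f"{n:4d}  {key[3]} -> {key[0]}:{key[1]}/{key[2]}")
```

Run it against a real file with `parse_log(open("/var/log/syslog").read())`; a parsed count of zero with a non-zero skipped count reproduces the "runs and immediately exits" symptom described above and points at the message format rather than the database settings.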