[Snort-Users] differentiate between eth0 and eth1 in logs

eamonn doyle edoyle at ...11544...
Thu Apr 1 15:07:02 EST 2004


Hello snort users!

I am new to snort and have what I am sure is a very simple question at least
for you folks.  I have a single snort box with 2 ethernet cards, and 2 snort
processes running.  I start the process from within the directory where
snort.conf resides:

/usr/local/bin/snort -i eth0 -D
/usr/local/bin/snort -i eth1 -D

I am logging very simply to the /var/log/messages file, and would like to
know if there is a way to differentiate between each interface that is
snorting. From what I see in /var/log/messages it is not obvious to me that I
can.

Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt
[Classification: Detection of a Network Scan] [Priority: 3]: {UDP}
172.16.45.94:1037 -> 172.16.1.2:1900

What does [1:1917:4] mean/stand for?

I run some simple bash scripts to parse the files every hour and report back
on priority 1 entries.

My network is very simple: the 2 NICs are watching 2 T-1 circuits from
different providers, one feeds through a 2611, the other through a 3640 + PIX.

There is a hub after the 2611 and PIX, and in each hub is one of the snort
interfaces.  Each path is then passed on to a switch, and users define which
path they take with their default route, either 172.16.1.1 (eth1) or
172.16.1.2 (eth0).

The snort system is a default 2.1.2 running on a P IV with 1 gig of memory; Linux
2.4.20, flavor is SuSE 8.2.

Thanks for any and all help,
Eamonn
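Added example (not part of the original post): a parser for the Snort syslog alert format quoted above, which also shows why the interface cannot be recovered from the line as logged. The bracketed field is generator ID : signature ID : revision, so [1:1917:4] is rule engine (generator 1), SID 1917, revision 4; Priority 1 is the most severe. The second and third log lines are constructed to exercise a priority 1 hit and a non-snort line; the `snort[pid]:` and portless (ICMP) variants are assumed.

```python
import re
from typing import Optional

# Constructed sample of /var/log/messages: the first line is the alert from the
# post, the second is a made-up priority 1 alert, the third is not a snort line.
SAMPLE_LOG = """\
Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
Apr  1 14:55:10 snort1 snort: [1:1000001:2] CONSTRUCTED example alert [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.0.0.5:4444 -> 172.16.1.1:22
Apr  1 14:55:12 snort1 sshd[1234]: Accepted publickey for ops from 172.16.45.10
"""

# Fields of one syslog alert: timestamp, host, [gid:sid:rev], message,
# optional classification, priority, protocol, src[:port] -> dst[:port].
# Note there is no interface field anywhere in this format.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one Snort syslog alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def priority_report(text: str, max_priority: int = 1) -> list:
    """Alerts whose priority is <= max_priority (1 is the most severe), in log order."""
    alerts = (parse_alert(line) for line in text.splitlines())
    return [a for a in alerts if a is not None and a["prio"] <= max_priority]


if __name__ == "__main__":
    for a in priority_report(SAMPLE_LOG):
        print(f'{a["ts"]} gid={a["gid"]} sid={a["sid"]} rev={a["rev"]} '
              f'prio={a["prio"]} {a["proto"]} {a["src"]}:{a["sport"]} -> '
              f'{a["dst"]}:{a["dport"]} {a["msg"]}')
```

Run it hourly over /var/log/messages in place of grep to get only priority 1 entries with their SIDs already split out.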