[Snort-Users] differentiate between eth0 and eth1 in logs

Jim Hendrick jrhendri at ...9784...
Fri Apr 2 05:54:07 EST 2004


There was some talk about a year ago about allowing the user to specify what
syslog facility snort would use. I don't think this made it into the code,
but adding it should not be too hard.

Other possibilities are to log to two separate files (the -l flag) and then
parse those with something to separate the alerts.

Jim


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of eamonn
> doyle
> Sent: Thursday, April 01, 2004 6:03 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-Users] differentiate between eth0 and eth1 in logs
>
>
>
> Hello snort users!
>
> I am new to snort and have what I am sure is a very simple question, at
> least for you folks.  I have a single snort box with 2 ethernet cards, and
> 2 snort processes running.  I start the process from within the directory
> where snort.conf resides:
>
> /usr/local/bin/snort -i eth0 -D
> /usr/local/bin/snort -i eth1 -D
>
> I am logging very simply to the /var/log/messages file, and would like to
> know if there is a way to differentiate between each interface that is
> snorting.  From what I see in /var/log/messages it is not obvious to me
> that I can.
>
> Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt
> [Classification: Detection of a Network Scan] [Priority: 3]: {UDP}
> 172.16.45.94:1037 -> 172.16.1.2:1900
>
> What does [1:1917:4] mean/stand for?
>
> I run some simple bash scripts to parse the files every hour and report
> back on priority 1 entries.
>
> My network is very simple, the 2 nics are watching 2 t-1 circuits from
> different providers, one feeds through a 2611 the other through a 3640 +
> PIX.
>
> There is a hub after the 2611 and PIX and in each hub is one of the snort
> interfaces.  Each path is then passed on to a switch and users define
> which path they take with their default route, either 172.16.1.1 (eth1) or
> 172.16.1.2 (eth0).
>
> snort system is default 2.1.2 running on a P IV with 1 gig of memory, linux
> 2.4.20, flavor is suse 8.2
>
> Thanks for any and all help,
> Eamonn
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
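Added example, not part of the original thread and not Snort's own code: the bracket `[1:1917:4]` in the syslog line above is the rule's generator ID, signature ID and revision (gid:sid:rev), followed by the classification, the priority and the protocol/5-tuple. Jim's second suggestion, one -l log directory per snort process, yields one alert file per interface, and the interface is then known from which file a line was read. The Python script below parses both the syslog format shown in the thread and the single-line alert format produced by `-A fast`, tags each alert with the interface it came from, and builds the hourly priority-1 report the poster describes. The exact layout of the fast-alert line, the `alert` filename inside each -l directory, and the sample lines (which use local-range SIDs 1000001..1000003) are assumptions made for this example.

```python
import os
import re
from collections import defaultdict

# Syslog line as shown in the thread (alert_syslog output):
#   <Mon DD HH:MM:SS> <host> snort: [gid:sid:rev] <msg> [Classification: ..] [Priority: N]: {PROTO} SRC:SPORT -> DST:DPORT
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Single-line "-A fast" alert as written to <logdir>/alert when each snort
# process gets its own -l directory (assumed layout, not taken from the thread):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

INT_FIELDS = ("gid", "sid", "rev", "priority", "sport", "dport")


def parse_alert(line, iface):
    """Parse one alert line in either format; return a dict tagged with iface, or None."""
    for rx in (SYSLOG_RE, FAST_RE):
        m = rx.match(line)
        if m:
            alert = m.groupdict()
            alert["iface"] = iface
            for k in INT_FIELDS:          # ports stay None for ICMP alerts
                if alert[k] is not None:
                    alert[k] = int(alert[k])
            return alert
    return None


def parse_interface_logs(logs_by_iface):
    """logs_by_iface: {iface: iterable of lines}. Lines that are not alerts are skipped."""
    alerts = []
    for iface, lines in logs_by_iface.items():
        for line in lines:
            alert = parse_alert(line, iface)
            if alert is not None:
                alerts.append(alert)
    return alerts


def load_alert_dirs(dirs_by_iface):
    """Read <dir>/alert per interface, e.g. {"eth0": "/var/log/snort/eth0", "eth1": ...}.
    Assumes each process was started with -A fast -l <dir> (assumed filename)."""
    logs = {}
    for iface, logdir in dirs_by_iface.items():
        with open(os.path.join(logdir, "alert")) as fh:
            logs[iface] = fh.read().splitlines()
    return logs


def priority_report(alerts, max_priority=1):
    """Alerts with priority <= max_priority (1 is most severe), grouped by interface."""
    report = defaultdict(list)
    for a in alerts:
        if a["priority"] <= max_priority:
            report[a["iface"]].append(
                {"sid": a["sid"], "msg": a["msg"], "src": a["src"], "dst": a["dst"]})
    return dict(report)


# Constructed sample input: the thread's own line plus made-up alerts that use
# local-range SIDs (1000001+) so they cannot be mistaken for real rules.
SAMPLE_LOGS = {
    "eth0": [
        "Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt "
        "[Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900",
        "Apr  1 15:02:11 snort1 snort: [1:1000001:1] LOCAL constructed priority-one test "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.0.0.5:4444 -> 172.16.1.2:22",
        "Apr  1 15:03:00 snort1 snort: this line is not an alert and is skipped",
    ],
    "eth1": [
        "04/01-15:10:42.123456  [**] [1:1000002:1] LOCAL constructed ICMP test [**] "
        "[Classification: Misc activity] [Priority: 3] {ICMP} 172.16.45.10 -> 172.16.1.1",
        "04/01-15:11:05.654321  [**] [1:1000003:1] LOCAL constructed priority-one test [**] "
        "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:51000 -> 172.16.1.1:80",
    ],
}

if __name__ == "__main__":
    for iface, entries in sorted(priority_report(parse_interface_logs(SAMPLE_LOGS)).items()):
        for e in entries:
            print("%s [1:%d] %s %s -> %s" % (iface, e["sid"], e["msg"], e["src"], e["dst"]))
```

With real logs, replace `SAMPLE_LOGS` with `load_alert_dirs({"eth0": "/var/log/snort/eth0", "eth1": "/var/log/snort/eth1"})`, and cron the script hourly in place of the bash parser. The interface tag comes from the file the line was read from, not from anything in the line itself, which is why a single shared /var/log/messages cannot be split this way.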
