[Snort-Users] differentiate between eth0 and eth1 in logs

Edin Dizdarevic edin.dizdarevic at ...7509...
Fri Apr 2 06:46:12 EST 2004


Hi,

eamonn doyle wrote:

> Hello snort users!
> 
> I am new to snort and have what I am sure is a very simple question at least
> for you folks.  I have a single snort box with 2 ethernet cards, and 2 snort
> processes running.  I start the process from within the directory where
> snort.conf resides:
> 
> /usr/local/bin/snort -i eth0 -D
> /usr/local/bin/snort -i eth1 -D
> 
> I am logging very simply to the /var/log/messages file, and would like to
>  know if there is a way to differentiate between each interface that is
>  snorting. From what I see in /var/log/messages it is not obvious to me that I 
> can.

snort -?
...
-I         Add Interface name to alert output
...

nice ;), you get something like this:

04/01/04-14:41:33.279643  [**] [1:1390:4]  <eth0> SHELLCODE x86 inc ebx 
NOOP [**] [Classification: Executable code was detected] [Priority: 1] 
{TCP} 130.133.1.100:61830 -> xxx.xxx.xxx.xxx:36095

> 
> Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt
> [Classification: Detection of a Network Scan] [Priority: 3]: {UDP}
> 172.16.45.94:1037 -> 172.16.1.2:1900
> 
> What does [1:1917:4] mean/stand for?

please read the docs on this...

> 
> I run some simple bash scripts to parse the files every hour and report back
> on priority 1 entries.

Try logsurfer for near real time alerting.
...
> Thanks for any and all help,
> Eamonn
> 
> 

Regards,
Edin

-- 
Edin Dizdarevic
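An added example (not from the thread) of the kind of hourly report script discussed above: it splits snort syslog lines by the <ethN> tag and counts priority-1 alerts per interface. It assumes the tag that `snort -I` adds appears in the syslog text in the same form as in the alert file; the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed /var/log/messages lines,
# assuming "snort -I" puts the <ethN> tag into the syslog message text.
SAMPLE_LOG='Apr  1 14:54:53 snort1 snort: [1:1917:4] <eth0> SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
Apr  1 14:41:33 snort1 snort: [1:1390:4] <eth1> SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 198.51.100.7:61830 -> 192.0.2.10:36095
Apr  1 14:42:10 snort1 snort: [1:1390:4] <eth0> SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 198.51.100.8:4444 -> 192.0.2.11:80
Apr  1 14:43:00 snort1 sshd[1234]: Accepted publickey for admin from 192.0.2.5'

# parse_alerts: read syslog text on stdin, emit one line per snort alert as
# "<iface> <priority> <gid:sid:rev>"; lines without the -I tag get iface "-".
parse_alerts() {
    awk '
        / snort: \[[0-9]+:[0-9]+:[0-9]+\]/ {
            # Rule identifier [gid:sid:rev] follows the "snort:" syslog tag.
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
            id = substr($0, RSTART + 1, RLENGTH - 2)
            # Interface tag added by snort -I, e.g. <eth0>; absent without -I.
            iface = "-"
            if (match($0, /<[A-Za-z0-9.:-]+>/))
                iface = substr($0, RSTART + 1, RLENGTH - 2)
            # Priority from the "[Priority: N]" field.
            prio = "?"
            if (match($0, /\[Priority: [0-9]+\]/))
                prio = substr($0, RSTART + 11, RLENGTH - 12)
            print iface, prio, id
        }'
}

# count_priority IFACE PRIO: number of alerts from IFACE at PRIO in SAMPLE_LOG.
count_priority() {
    printf '%s\n' "$SAMPLE_LOG" | parse_alerts |
        awk -v i="$1" -v p="$2" '$1 == i && $2 == p { n++ } END { print n + 0 }'
}

# Hourly-style report: priority-1 alerts broken down by interface.
printf '%s\n' "$SAMPLE_LOG" | parse_alerts |
    awk '$2 == 1 { n[$1]++ } END { for (i in n) print i, "priority-1 alerts:", n[i] }'
```

For a real run, replace the constructed SAMPLE_LOG with the output of `grep ' snort: ' /var/log/messages` for the last hour.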
