[Snort-Users] differentiate between eth0 and eth1 in logs

eamonn doyle edoyle at ...11544...
Fri Apr 2 07:08:04 EST 2004


Ah sheepish grin,
Thank you Edin, I don't know how I missed that.  I looked at the output of 
snort --help at least a dozen times and looked right past it.
thanks
eamonn

On Friday 02 April 2004 09:45, Edin Dizdarevic wrote:
> Hi,
>
> eamonn doyle wrote:
> > Hello snort users!
> >
> > I am new to snort and have what I am sure is a very simple question at
> > least for you folks.  I have a single snort box with 2 ethernet cards,
> > and 2 snort processes running.  I start the process from within the
> > directory where snort.conf resides:
> >
> > /usr/local/bin/snort -i eth0 -D
> > /usr/local/bin/snort -i eth1 -D
> >
> > I am logging very simply to the /var/log/messages file, and would like to
> > know if there is a way to differentiate between each interface that is
> > snorting. From what I see in /var/log/messages it is not obvious to me
> > that I can.
>
> snort -?
> ...
> -I         Add Interface name to alert output
> ...
>
> nice ;), you get something like this:
>
> 04/01/04-14:41:33.279643  [**] [1:1390:4]  <eth0> SHELLCODE x86 inc ebx
> NOOP [**] [Classification: Executable code was detected] [Priority: 1]
> {TCP} 130.133.1.100:61830 -> xxx.xxx.xxx.xxx:36095
>
> > Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover
> > attempt [Classification: Detection of a Network Scan] [Priority: 3]:
> > {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
> >
> > What does [1:1917:4] mean/stand for?
>
> please read the docs on this...
>
> > I run some simple bash scripts to parse the files every hour and report
> > back on priority 1 entries.
>
> Try logsurfer for near real time alerting.
> ...
>
> > Thanks for any and all help,
> > Eamonn
>
> Regards,
> Edin

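The thread covers two things: the `-I` switch that stamps `<ethN>` into each alert, and the hourly scripts that pull priority 1 entries out of /var/log/messages. The following parser is an added example, not code from the thread or from the Snort project: it reads syslog-style Snort 2.x alert lines, picks up the interface tag when `-I` was used (and reports "unknown" when it was not), and tallies priority 1 alerts per interface and signature. The sample log lines are constructed here using RFC 5737 addresses, and the placement of the `<eth0>` token in the syslog line is assumed to mirror the alert-file line quoted above.

```python
import re
from collections import Counter

# Snort 2.x syslog alert line as quoted in the thread. The optional <iface>
# token is what -I adds; its position after [gid:sid:rev] is an assumption
# based on the alert-file line shown by Edin.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:<(?P<iface>[^>]+)>\s+)?(?P<msg>.+?)\s+"
    r"\[Classification: (?P<classification>[^\]]*)\]\s+"
    r"\[Priority: (?P<priority>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+) -> (?P<dst>\S+)\s*$"
)

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec["priority"])
    # Without -I there is no <ethN> token, so the two sensors are indistinguishable.
    rec["iface"] = rec["iface"] or "unknown"
    return rec

def priority_report(lines, max_priority=1):
    """Count alerts at or above max_priority (1 = highest) per (iface, gid:sid:rev, msg)."""
    report = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec and rec["priority"] <= max_priority:
            key = (rec["iface"], f"{rec['gid']}:{rec['sid']}:{rec['rev']}", rec["msg"])
            report[key] += 1
    return report

# Constructed sample of /var/log/messages: one alert logged without -I, three with -I,
# and one unrelated syslog line that must be ignored.
SAMPLE_LOG = [
    "Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900",
    "Apr  1 14:55:10 snort1 snort: [1:1390:4] <eth0> SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 192.0.2.10:61830 -> 192.0.2.50:36095",
    "Apr  1 14:55:12 snort1 snort: [1:1390:4] <eth1> SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 198.51.100.7:40001 -> 192.0.2.50:36095",
    "Apr  1 14:56:00 snort1 sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50022",
    "Apr  1 14:57:31 snort1 snort: [1:1390:4] <eth0> SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 192.0.2.11:61900 -> 192.0.2.50:36095",
]

if __name__ == "__main__":
    for (iface, sig, msg), n in sorted(priority_report(SAMPLE_LOG).items()):
        print(f"{iface:8} {sig:12} {n:3}  {msg}")
```

Feeding it the real file (`python3 report.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin`) gives the per-interface priority 1 summary the original bash scripts were after.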