[Snort-users] About syslog messages in snort

C. L. Martinez carlopmart at ...11827...
Fri Nov 21 13:12:52 EST 2014


Ok, but what about snort startup messages? How do I stop them going to
syslog and send them to another log file??

On Fri, Nov 21, 2014 at 3:20 PM, Robert Millott
<robm at ...16885...> wrote:
> Yes, but you can set a unique id to events from each individual snort
> instance.  I don't have the code in front of me, but you can start one
> instance of snort like:
>
> snort -c snort.conf -G01
> and the second as
> snort -c snort2.conf -G02
>
> Then the alerts from each instance will have that 01 or 02 in the alerts.
>
> How you separate them, and what you do once you have them identified, I'm
> not sure, but at least this lets you identify which alert came from which
> instance
>
>
> On Fri, Nov 21, 2014 at 8:47 AM, C. L. Martinez <carlopmart at ...11827...>
> wrote:
>>
>> Thanks Robert, but according to snort's docs the -G flag is for the eventid
>> generated by one sensor ... Right??
>>
>> On Fri, Nov 21, 2014 at 1:22 PM, Robert Millott
>> <robm at ...16885...> wrote:
>> > Check out the -G option for starting snort.
>> >
>> > Also google it. I had some problems with it a few months back, but
>> > finally got it figured out. I think I posted the results, but if you
>> > need some more help, I can share what I've done.
>> >
>> > On Fri, Nov 21, 2014 at 2:34 AM, C. L. Martinez <carlopmart at ...11827...>
>> > wrote:
>> >>
>> >> Hi all
>> >>
>> >>  I have installed two snort instances in one host (both are snort
>> >> 2.9.7.0). One snort instance has so_rules only and the other instance
>> >> the rest of the rules.
>> >>
>> >>  Ok. I need to differentiate syslog messages between these snort
>> >> processes using, for example, a specific entry like "snort_so-sensor1"
>> >> or "snort-sensor2" and, if it is possible, redirect all snort's syslog
>> >> entries to a different log file.
>> >>
>> >>  Is there some option when snort starts or inside the conf file to do this??
>> >>
>> >>  I don't see anything about this in snort docs.
>> >>
>> >>  Thanks.
>> >>
>> >>
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>
>> >> Please visit http://blog.snort.org to stay current on all the latest
>> >> Snort news!
>> >
>> >
>> >
>> >
>> > --
>> > Robert Millott
>> > President, Millott and Associates
>> > (443) 255-3588
>>
>>
>
>
>
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
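The thread asks how to tell apart syslog messages from two snort instances running on one host and send each instance's lines to its own file. The following is an added example, not code from the list posters or from the Snort project. It assumes that both instances log under the same syslog ident ("snort") so the only per-instance key available in the line header is the daemon PID, and it uses a hypothetical PID-to-label mapping (`PID_TO_INSTANCE`) that in practice would be filled from each instance's pid file or from the start-up script. The sample syslog lines, PIDs and hostnames are constructed; the message body format follows Snort's `alert_syslog` output (`[gid:sid:rev] name [Classification: ...] [Priority: N] {proto} src -> dst`), with the Classification field treated as optional because rules without a classtype omit it.

```python
"""Route Snort syslog alerts to per-instance files, keyed on the logging PID.

Added example (not from the mailing-list thread or the Snort project).
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample lines in BSD syslog form: timestamp host ident[pid]: message.
# PIDs 4101/4202 and the hostname "sensor" are invented for the example.
SAMPLE_SYSLOG = """\
Nov 21 13:10:01 sensor snort[4101]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
Nov 21 13:10:02 sensor snort[4202]: [3:20000001:1] SO-rule test alert [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:44321 -> 192.0.2.22:445
Nov 21 13:10:03 sensor sshd[900]: Accepted publickey for ops from 198.51.100.9 port 50100 ssh2
Nov 21 13:10:04 sensor snort[4101]: [1:2003068:7] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:50101 -> 192.0.2.22:22
"""

# Hypothetical mapping from each instance's PID to the label the original poster wanted.
# In a real deployment, read the PIDs from the pid files the instances write, or pass
# them in from the script that starts the two snort processes.
PID_TO_INSTANCE = {4101: "snort-sensor2", 4202: "snort_so-sensor1"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<ident>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# alert_syslog body; the Classification block is optional (rules without classtype omit it).
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"
    r" \[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_syslog(line):
    """Split a BSD-style syslog line into header fields and message; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    return fields


def parse_alert(msg):
    """Parse an alert_syslog body; None for non-alert snort messages such as startup chatter."""
    m = ALERT_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        fields[key] = int(fields[key])
    return fields


def split_by_instance(lines, pid_map):
    """Group snort lines by instance label. Lines from other daemons are dropped;
    snort lines whose PID is not in the map go to the "snort-unknown" bucket."""
    buckets = defaultdict(list)
    for line in lines:
        hdr = parse_syslog(line)
        if hdr is None or hdr["ident"] != "snort":
            continue
        label = pid_map.get(hdr["pid"], "snort-unknown")
        buckets[label].append({"raw": line, "pid": hdr["pid"], "alert": parse_alert(hdr["msg"])})
    return dict(buckets)


def write_split(lines, pid_map, out_dir):
    """Append each instance's lines to <out_dir>/<label>.log; returns per-label line counts."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    groups = split_by_instance(lines, pid_map)
    for label, entries in groups.items():
        with open(out / f"{label}.log", "a", encoding="utf-8") as fh:
            for entry in entries:
                fh.write(entry["raw"] + "\n")
    return {label: len(entries) for label, entries in groups.items()}


if __name__ == "__main__":
    # Usage: python split_snort_syslog.py [/var/log/syslog] [output-dir]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source_lines = fh.read().splitlines()
    else:
        source_lines = SAMPLE_SYSLOG.splitlines()
    target = sys.argv[2] if len(sys.argv) > 2 else "snort-split"
    for label, count in write_split(source_lines, PID_TO_INSTANCE, target).items():
        print(f"{label}: {count} line(s)")
```

Keying on the PID rather than on the `-G` identifier keeps the split independent of whether the identifier is rendered in the syslog text at all, and the "snort-unknown" bucket makes a restarted instance (new PID, stale map) visible instead of silently dropping its alerts.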
