Snort mailing list archives
Logsnorter .2 PIX Support?
From: Ryan Hill <rhill () xypoint com>
Date: Thu, 25 Oct 2001 20:18:12 -0700
All,

Forgive me if this has already been documented somewhere, but does logsnorter have any support for Cisco PIX syslog output messages? An example message might look like:

    Oct 25 20:12:11 sinker %PIX-3-106010: Deny inbound tcp src outside:xxx.xxx.xxx.xxx/4301 dst dmz:xxx.xxx.xxx.xxx/80

My logsnorter.conf looks like:

    # Logsnorter .2 Config File
    # Date: 10/25/01 07:40 PM PST
    # Last Modified: Never
    $db_server='localhost';
    $db_database='xxxxxx';
    $db_usercode='xxxxxx';
    $db_password='xxxxxx';
    #Cisco access-list syslog messages don't report the interface
    #which generated the message. You must therefore provide logsnorter
    #with this information (indexed to the ACL number) so that it can
    #correctly inject these into the snort database
    #$cisco_interface['rtr01',107]="Serial0.1";
    #$cisco_interface['rtr01',108]="Serial0.1";
    #$cisco_interface['rtr11',105]="FastEthernet0";
    #$cisco_interface['rtr11',106]="FastEthernet0";

The XXX's for the database have been sanitized, and I've left the Cisco comments out for the time being since I couldn't find an ACL list to correspond the variables to. On my PIX, I use named ACL groups, like 'access-list acl_myaclname', instead of traditional ACL access lists like 'access-list acl 100'.

When running logsnorter via the command suggested on SNORT-announce:

    cat /var/log/syslog | logsnorter -t

the program appears to run successfully and then immediately exits. Since it looks like my DB connection and everything else is set up correctly, my guesstimation at this point is that logsnorter doesn't recognize the entry format. Is this true?

Thanks in advance,

Ryan Hill, MCSE
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB
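As an added example, not part of the original post or of logsnorter itself, here is a small Python recogniser for the %PIX-3-106010 deny line quoted above. It assumes only the field layout visible in that one message (timestamp, host, message id, direction, protocol, and interface:address/port for src and dst); the sample log lines and addresses are constructed, and lines it cannot match are reported separately so you can see which entries a parser built from this layout would skip.

```python
import re
from typing import Optional

# Pattern derived from the single %PIX-3-106010 line quoted in the post:
#   Oct 25 20:12:11 sinker %PIX-3-106010: Deny inbound tcp src outside:A/4301 dst dmz:B/80
PIX_DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s+"
    r"Deny\s+(?P<dir>inbound|outbound)\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s+"
    r"dst\s+(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_pix_deny(line: str) -> Optional[dict]:
    """Return the fields of one PIX deny message, or None if the line is not one."""
    m = PIX_DENY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec


# Constructed sample syslog excerpt (documentation address ranges, made-up hosts).
# The middle line is a non-PIX syslog entry and should be skipped, not mis-parsed.
SAMPLE_LOG = """\
Oct 25 20:12:11 sinker %PIX-3-106010: Deny inbound tcp src outside:192.0.2.7/4301 dst dmz:198.51.100.10/80
Oct 25 20:12:12 sinker sshd[4242]: Accepted publickey for admin from 10.0.0.9 port 51022
Oct 25 20:12:13 sinker %PIX-3-106010: Deny inbound udp src outside:192.0.2.9/53 dst inside:10.0.0.2/53
"""


def parse_log(text: str):
    """Split a syslog excerpt into recognised deny records and the lines left over."""
    records, skipped = [], []
    for line in text.splitlines():
        rec = parse_pix_deny(line)
        if rec is None:
            skipped.append(line)
        else:
            records.append(rec)
    return records, skipped


if __name__ == "__main__":
    recs, left = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['ts']} {r['host']} {r['proto']} {r['src_if']}:{r['src_ip']}/{r['src_port']} "
              f"-> {r['dst_if']}:{r['dst_ip']}/{r['dst_port']}")
    print(f"{len(left)} line(s) not recognised")
```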