Snort mailing list archives

Logsnorter .2 PIX Support?


From: Ryan Hill <rhill () xypoint com>
Date: Thu, 25 Oct 2001 20:18:12 -0700

All,

Forgive me if this has already been documented somewhere, but does
logsnorter have any support for Cisco PIX syslog output messages?

An example message might look like:

Oct 25 20:12:11 sinker %PIX-3-106010: Deny inbound tcp src
outside:xxx.xxx.xxx.xxx/4301 dst dmz:xxx.xxx.xxx.xxx/80 

My logsnorter.conf looks like:

# Logsnorter .2 Config File
# Date: 10/25/01 07:40 PM PST
# Last Modified: Never

$db_server='localhost';
$db_database='xxxxxx';
$db_usercode='xxxxxx';
$db_password='xxxxxx';

#Cisco access-list syslog messages don't report the interface
#which generated the message. You must therefore provide logsnorter
#with this information (indexed to the ACL number) so that it can
#correctly inject these into the snort database

#$cisco_interface['rtr01',107]="Serial0.1";
#$cisco_interface['rtr01',108]="Serial0.1";
#$cisco_interface['rtr11',105]="FastEthernet0";
#$cisco_interface['rtr11',106]="FastEthernet0";

The XXX's for the database have been sanitized, and I've left the Cisco
comments out for the time being since I couldn't find an ACL list to which
the variables would correspond.  On my PIX, I use named ACL groups, like
'access-list acl_myaclname', instead of traditional numbered access lists like
'access-list acl 100'.

When running logsnorter via the command suggested on SNORT-announce: 

cat /var/log/syslog | logsnorter -t 

the program appears to run successfully and then immediately exits.  Since
it looks like my DB connection and everything else is set up correctly, my
guesstimation at this point is that logsnorter doesn't recognize the entry
format.  Is this true?

Thanks in advance,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB

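As an added example (not part of the original post or of logsnorter itself), the following Python parser shows what recognising the PIX 106010 "Deny inbound" format quoted above involves, and why a tool whose patterns do not match simply produces nothing: unmatched lines are counted and skipped rather than silently dropped. The field names, the regex and the sample addresses (TEST-NET ranges in place of the xxx's) are my own assumptions.

```python
import re
from typing import Optional

# Regex for the PIX 106010 "Deny inbound ..." message shape from the post.
# Field names (src_if, dst_if, ...) are my own choice, not logsnorter's.
PIX_DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"Deny (?P<dir>inbound|outbound) (?P<proto>[a-z]+) "
    r"src (?P<src_if>\w+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+)"
)

def parse_pix_deny(line: str) -> Optional[dict]:
    """Return the fields of one PIX deny message, or None when the line is
    not in that format (an unrecognised entry yields no event at all)."""
    m = PIX_DENY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec

def parse_syslog(lines):
    """Parse many lines and count the skipped ones, so a run that 'exits
    immediately' can be explained instead of staying silent."""
    parsed, skipped = [], 0
    for line in lines:
        rec = parse_pix_deny(line)
        if rec is None:
            skipped += 1
        else:
            parsed.append(rec)
    return parsed, skipped

# Constructed sample input: the post's message with placeholder addresses
# from 203.0.113.0/24 and 192.0.2.0/24, plus one unrelated syslog line.
SAMPLE_LOG = [
    "Oct 25 20:12:11 sinker %PIX-3-106010: Deny inbound tcp src "
    "outside:203.0.113.7/4301 dst dmz:192.0.2.10/80",
    "Oct 25 20:12:12 sinker sshd[123]: Accepted publickey for ryan",
]

if __name__ == "__main__":
    events, skipped = parse_syslog(SAMPLE_LOG)
    for e in events:
        print(f"{e['ts']} {e['host']} {e['proto']} {e['src_ip']}:{e['src_port']}"
              f" -> {e['dst_ip']}:{e['dst_port']} ({e['src_if']}->{e['dst_if']})")
    print(f"skipped {skipped} unrecognised line(s)")
```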
