Snort mailing list archives
Re: [Snort-Users] differentiate between eth0 and eth1 in logs
From: eamonn doyle <edoyle () faxsr com>
Date: Fri, 2 Apr 2004 10:03:55 -0500
Ah, sheepish grin. Thank you Edin, I don't know how I missed that. I looked at the output of snort --help at least a dozen times and looked right past it.

Thanks,
eamonn

On Friday 02 April 2004 09:45, Edin Dizdarevic wrote:
> Hi,
>
> eamonn doyle wrote:
>> Hello snort users! I am new to snort and have what I am sure is a very simple question, at least for you folks. I have a single snort box with 2 ethernet cards, and 2 snort processes running. I start the process from within the directory where snort.conf resides:
>>
>> /usr/local/bin/snort -i eth0 -D
>> /usr/local/bin/snort -i eth1 -D
>>
>> I am logging very simply to the /var/log/messages file, and would like to know if there is a way to differentiate between each interface that is snorting. From what I see in /var/log/messages it is not obvious to me that I can.
>
> snort -?
> ...
> -I Add Interface name to alert output
> ...
>
> nice ;), you get something like this:
>
> 04/01/04-14:41:33.279643 [**] [1:1390:4] <eth0> SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 130.133.1.100:61830 -> xxx.xxx.xxx.xxx:36095
>
>> Apr 1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
>>
>> What does [1:1917:4] mean/stand for?
>
> please read the docs on this...
>
>> I run some simple bash scripts to parse the files every hour and report back on priority 1 entries.
>
> Try logsurfer for near real time alerting.
>
>> ...Thanks for any and all help,
>> Eamonn
>
> Regards,
> Edin
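A parser for the two alert formats quoted in the thread (the syslog line and the fast-alert line carrying the `<eth0>` token that `-I` inserts), written here as an added example and not code from either poster. It pulls out the interface, the `[gid:sid:rev]` triple (generator id, signature id, rule revision), classification, priority and endpoints, and filters priority 1 entries the way the hourly bash scripts do. The unrelated cron line in the sample is constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Alert body shared by the syslog line and the -A fast file:
#   [gid:sid:rev] [<iface>] message [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# <iface> is what Snort's -I switch adds; it, [**] and the classification are optional here.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:<(?P<iface>[^>]+)>\s+)?"
    r"(?P<msg>.+?)\s+(?:\[\*\*\]\s+)?"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]:?\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'172.16.45.94:1037' -> ('172.16.45.94', 1037); ICMP alerts carry no port."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None

def parse_alert(line: str) -> Optional[dict]:
    """Parse one Snort alert line (syslog or fast format); None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "iface": m["iface"],  # None when Snort was started without -I
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["pri"]),
        "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }

def high_priority(lines: Iterable[str], max_priority: int = 1) -> List[dict]:
    """Alerts at or above max_priority (Snort priority 1 is the most severe)."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a and a["priority"] <= max_priority]

# Constructed sample: the two lines quoted in the thread plus an unrelated syslog line.
SAMPLE_LOG = [
    "04/01/04-14:41:33.279643 [**] [1:1390:4] <eth0> SHELLCODE x86 inc ebx NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 130.133.1.100:61830 -> xxx.xxx.xxx.xxx:36095",
    "Apr 1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt "
    "[Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900",
    "Apr 1 14:55:01 snort1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]
```

Running `high_priority(SAMPLE_LOG)` returns only the eth0 SHELLCODE alert; pass `max_priority=3` to include the UPnP scan as well.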