Re: Identifying monitoring interface w/snort and acidlab

[Erek Adams <erek () snort org>]

On Tue, 26 Aug 2003 cowboym () shmoo com wrote:

> I'm using acidlab/mysql as a front-end for several snort sensors, some of
> which have dual interfaces.  On these particular machines, interface eth0
> is used by the sensor for sending alerts to the mysql database, and eth1
> is attached to a span port on a switch, and does not have an IP address
> assigned to it.
>
> When alerts from these dual-nic sensors are displayed in acidlab, they
> show up with a sensor address of "unknown:eth1:eth1".  Does anyone have
> any ideas on how to change this to display the IP address of the
> configured interface (eth0) so I can identify which sensor is generating
> the alerts?
>
> I'm not sure if the fix lies within the snort config, or within the
> acidlab setup, so I thought I'd ask here while digging through
> documentation as well.

> From the manual [0]:

    sensor_name
        Specify your own name for this snort sensor. If you do not specify
        a name one will be generated automatically encoding

You should be able to add that to your db output line on each box to fix
it.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.7


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users