Snort mailing list archives

[Snort-Users] differentiate between eth0 and eth1


From: eamonn doyle <edoyle () faxsr com>
Date: Thu, 1 Apr 2004 15:23:07 -0500


Hello snort users!

I am new to snort and have what I am sure is a very simple question at least 
for you folks.  I have a single snort box with 2 ethernet cards, and 2 snort 
processes running.  I start the process from within the directory where 
snort.conf resides:

/usr/local/bin/snort -i eth0 -D
/usr/local/bin/snort -i eth1 -D

I am logging very simply to the /var/log/messages file, and would like to know 
if there is a way to differentiate between each interface that is snorting.  
From what I see in messages it is not obvious to me that I can.

Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900

What does [1:1917:4] mean/stand for?

I run some simple bash scripts to parse the files every hour and report back 
on priority 1 entries.

My network is very simple, the 2 nics are watching 2 t-1 circuits from 
different providers:

 network diagram in very lame ascii art format, I hope it comes out readable.

        cloud                                      cloud
        internet1                                  internet2
        t-1                                        t-1
          |                                          |
          |                                          |
        cisco                                      cisco
        2611                                       3640
        172.16.1.1                                   |
          |                                          |
          |             snort-box                    |
          |   172.16.2.59-eth0  172.16.2.60-eth1     |
          |          |               |              PIX
          |          |               |              172.16.1.2
          |          |               |               |
         hub---------|               |--------------hub
          |                                          |
          |_________________     ____________________|
                            |   |
                       48 port Switch
                       | | | | | | | |
                       | | | | | | | |
                       the network
                       172.16.0.0
 
Thanks [Slan] for any and all help,
Eamonn
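The post describes an hourly bash script that greps /var/log/messages for priority-1 Snort alerts, and asks what [1:1917:4] is. The bracketed triple is generator id : signature id : rule revision (gid 1 is the rules engine, so 1:1917:4 is revision 4 of sid 1917). The parser below is an added example, not code from the post, from any reply, or from the Snort project: it pulls the gid/sid/rev, classification, priority, protocol and endpoints out of each alert_syslog line, skips non-Snort syslog lines, and counts alerts per interface and rule. The log text is constructed; only the first alert is the one quoted in the post. The `<eth1>` / `<eth0>` token is where Snort 2.x places the interface name when started with `-I`; its exact position after the sid triple is assumed here, not taken from the post.

```python
"""Parse Snort alert_syslog lines from /var/log/messages and report by priority.

Added example, not code from the post or from the Snort project. SAMPLE_SYSLOG
is constructed: the first alert is the one quoted in the post, the rest are
made-up lines in the same format. The "<ethN>" token is where Snort 2.x puts
the interface name when started with -I; that placement is an assumption.
"""
import re
from collections import Counter, namedtuple

SAMPLE_SYSLOG = """\
Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
Apr  1 14:55:10 snort1 snort: [1:1000001:1] LOCAL example priority-1 rule [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.0.0.5:3421 -> 172.16.1.2:80
Apr  1 14:55:12 snort1 sshd[1234]: Accepted password for root from 10.0.0.7 port 51234 ssh2
Apr  1 14:56:01 snort1 snort: [1:1000001:1] <eth1> LOCAL example priority-1 rule [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.0.0.9:4100 -> 172.16.1.2:80
Apr  1 14:56:30 snort1 snort: [1:1000002:1] <eth0> LOCAL example ICMP rule [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.9 -> 172.16.2.59
"""

# One syslog line per alert:
#   <timestamp> <host> snort[pid]: [gid:sid:rev] [<iface>] <msg>
#       [Classification: ...] [Priority: N]: {PROTO} src[:port] -> dst[:port]
# gid = generator (1 = rules engine), sid = signature id, rev = rule revision.
# Classification is optional (rules without a classtype omit it); ports are
# absent for ICMP. The <iface> group is the assumed -I placement.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:<(?P<iface>[^>]+)> )?"
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

Alert = namedtuple(
    "Alert", "ts host gid sid rev iface msg cls prio proto src sport dst dport"
)


def _port(value):
    """Convert an optional port capture to int, keeping None for no port."""
    return int(value) if value is not None else None


def parse_alert(line):
    """Return an Alert for a Snort syslog line, or None for any other line."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    return Alert(
        d["ts"], d["host"], int(d["gid"]), int(d["sid"]), int(d["rev"]),
        d["iface"], d["msg"], d["cls"], int(d["prio"]), d["proto"],
        d["src"], _port(d["sport"]), d["dst"], _port(d["dport"]),
    )


def parse_log(text):
    """All Snort alerts in a block of syslog text; non-Snort lines are skipped."""
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]


def priority_report(text, max_priority=1):
    """Count alerts with priority <= max_priority per (interface, gid:sid:rev).

    Alerts from a snort process that was not started with -I carry no
    interface name and land in the "unknown" bucket, which is exactly why two
    processes logging to one file cannot be told apart without that tag.
    """
    counts = Counter()
    for a in parse_log(text):
        if a.prio <= max_priority:
            counts[(a.iface or "unknown", f"{a.gid}:{a.sid}:{a.rev}")] += 1
    return dict(counts)


if __name__ == "__main__":
    for (iface, rule), n in sorted(priority_report(SAMPLE_SYSLOG).items()):
        print(f"{iface:8s} {rule:14s} {n}")
```

Run against a real file with `priority_report(open("/var/log/messages").read())`; with `max_priority=1` the report is the same "priority 1 entries" selection the post's hourly script makes, only now keyed by interface as well as rule.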


