Snort mailing list archives

[Snort-Users] differentiate between eth0 and eth1 in logs


From: eamonn doyle <edoyle () faxsr com>
Date: Thu, 1 Apr 2004 18:03:04 -0500


Hello snort users!

I am new to snort and have what I am sure is a very simple question, at least
for you folks.  I have a single snort box with 2 ethernet cards and 2 snort
processes running.  I start the processes from within the directory where
snort.conf resides:

/usr/local/bin/snort -i eth0 -D
/usr/local/bin/snort -i eth1 -D

I am logging very simply to the /var/log/messages file, and would like to
know if there is a way to differentiate between each interface that is
snorting. From what I see in /var/log/messages it is not obvious to me that I
can.

Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900

What does [1:1917:4] mean/stand for?

I run some simple bash scripts to parse the files every hour and report back
on priority 1 entries.

My network is very simple: the 2 NICs are watching 2 T-1 circuits from
different providers, one feeds through a 2611, the other through a 3640 + PIX.

There is a hub after the 2611 and PIX, and in each hub is one of the snort
interfaces.  Each path is then passed on to a switch, and users define which
path they take with their default route, either 172.16.1.1 (eth1) or
172.16.1.2 (eth0).

Snort system is default 2.1.2 running on a P IV with 1 GB of memory, Linux
2.4.20; flavor is SuSE 8.2.

Thanks for any and all help,
Eamonn
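Added example, not part of the original post: a parser for Snort 2.x alert_syslog lines like the one quoted above, written as a replacement for the hourly bash grep. It pulls apart the [gid:sid:rev] tag (generator ID 1 is the rules engine, 1917 is the rule's SID, 4 its revision), the classification, priority, protocol and endpoints, and groups priority-1 hits by capture interface. Two things are assumed here: that each Snort process is started with the `-I` option (Snort 2.x "add interface name to alert output"), which the parser expects to show up as a `<eth0>`-style tag after the process name, and that syslog may or may not append the PID as `snort[pid]`. The log lines embedded in `SAMPLE_LOG` are constructed for the example; the SIDs and messages are illustrative, not taken from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample /var/log/messages excerpt (not from the original post).
# Line 1 is the bare form quoted in the post; later lines assume the process was
# started with `snort -I`, which prefixes the alert with the interface in <...>.
SAMPLE_LOG = """\
Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
Apr  1 14:55:10 snort1 snort[2144]: <eth0> [1:1917:4] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 172.16.45.94:1037 -> 172.16.1.2:1900
Apr  1 14:56:02 snort1 snort[2151]: <eth1> [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.9.8.7:1434 -> 172.16.1.1:1434
Apr  1 14:57:41 snort1 snort[2151]: <eth1> [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.9.8.7:3390 -> 172.16.1.1:80
Apr  1 14:58:00 snort1 snort[2144]: <eth0> [1:408:4] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 172.16.45.94 -> 172.16.1.2
Apr  1 14:58:30 snort1 snort[2144]: <eth0> [1:1000001:1] LOCAL test rule [Priority: 1]: {TCP} 10.1.1.1:4444 -> 172.16.1.2:22
Apr  1 14:59:00 snort1 kernel: eth0: link up
"""

# Syslog prefix, optional [pid], optional <iface> tag (from -I), then the alert.
# Classification is optional because rules without a classtype omit it; ICMP
# alerts carry no ports, so endpoints are split separately below.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snort(?:\[(?P<pid>\d+)\])?: "
    r"(?:<(?P<iface>[^>]+)> )?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<pri>\d+)\]: \{(?P<proto>\w+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)\s*$"
)


@dataclass
class Alert:
    ts: str
    host: str
    pid: Optional[int]
    iface: Optional[str]      # None when snort was not started with -I
    gid: int                  # generator: 1 = rules engine, >1 = preprocessors
    sid: int                  # rule signature ID
    rev: int                  # rule revision
    msg: str
    classification: Optional[str]
    priority: int             # 1 = highest
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'172.16.1.2:1900' -> ('172.16.1.2', 1900); ICMP has no port part."""
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None


def parse_line(line: str) -> Optional[Alert]:
    m = ALERT_RE.match(line)
    if not m:
        return None  # not a snort alert (kernel messages, etc.)
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return Alert(
        ts=m["ts"], host=m["host"],
        pid=int(m["pid"]) if m["pid"] else None,
        iface=m["iface"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"], src=src, sport=sport, dst=dst, dport=dport,
    )


def parse_log(text: str) -> List[Alert]:
    return [a for a in (parse_line(l) for l in text.splitlines()) if a]


def priority_report(alerts: List[Alert], max_priority: int = 1) -> Dict[str, List[Alert]]:
    """Group alerts at or above the given priority by interface ('unknown' if untagged)."""
    out: Dict[str, List[Alert]] = {}
    for a in alerts:
        if a.priority <= max_priority:
            out.setdefault(a.iface or "unknown", []).append(a)
    return out


if __name__ == "__main__":
    for iface, hits in sorted(priority_report(parse_log(SAMPLE_LOG)).items()):
        for a in hits:
            print(f"{iface}: {a.ts} [{a.gid}:{a.sid}:{a.rev}] {a.msg} "
                  f"{a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
```

Without the interface tag the two processes are only distinguishable by PID, and only if syslog records it; matching PIDs back to interfaces then needs `ps` output from the same period, which is fragile across restarts. Tagging the alert at the source is the robust fix.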



