Snort mailing list archives

Re: [Snort-Users] differentiate between eth0 and eth1


From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Thu, 01 Apr 2004 21:41:43 -0300

        Hello there,


Hello snort users!

I am new to snort and have what I am sure is a very simple question at least 
for you folks.  I have a single snort box with 2 ethernet cards, and 2 snort 
processes running.  I start the process from within the directory where 
snort.conf resides:

/usr/local/bin/snort -i eth0 -D
/usr/local/bin/snort -i eth1 -D

I am logging very simply to the /var/log/messages file, and would like to know 
if there is a way to differentiate between each interface that is snorting.  

        Use '-I' (Add Interface name to alert output)

From what I see in messages it is not obvious to me that I can.

Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt 
[Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 
172.16.45.94:1037 -> 172.16.1.2:1900

What does [1:1917:4] mean/stand for?

        If I'm not wrong:
        1 -> Generator ID (the guy who generates the alert, see: etc/generators)
        1917 -> Signature ID (keyword that identifies the rule "sid: 1917;")
        4 -> Rule revision

        Why don't you use ACID to monitor the alerts in 'real-time'?
        Sure, you'll also need to install MySQL or PostgreSQL.

Regards,
Alejandro Flores
--TriForSec
http://www.triforsec.com.br/ 
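The two points raised in the thread, the [gid:sid:rev] tag and the interface name that '-I' adds, as an added example that is not code from the original post: a small Python parser for the syslog lines quoted above, plus a grouping function that separates the alerts coming from eth0 and eth1. It assumes '-I' inserts the interface as `<ethN>` directly after the [gid:sid:rev] tag, and the sample lines are constructed.

```python
import re

# Constructed sample syslog lines. The first mirrors the one quoted in the
# thread; the second assumes '-I' inserts "<iface>" after the [gid:sid:rev]
# tag; the third is a non-Snort line that must be ignored.
SAMPLE_LINES = [
    "Apr  1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt "
    "[Classification: Detection of a Network Scan] [Priority: 3]: {UDP} "
    "172.16.45.94:1037 -> 172.16.1.2:1900",
    "Apr  1 14:55:10 snort1 snort: [1:1917:4] <eth1> SCAN UPnP service discover "
    "attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} "
    "10.0.0.7:2048 -> 10.0.0.255:1900",
    "Apr  1 14:55:11 snort1 sshd[812]: Accepted publickey for admin from 10.0.0.5",
]

# Field order: timestamp, host, [gid:sid:rev], optional <iface> (from -I),
# message, optional [Classification: ...], [Priority: n], {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?:<(?P<iface>[^>]+)> )?"
    r"(?P<msg>.*?) (?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def _endpoint(ep: str):
    """'ip:port' -> (ip, port); a bare ip (e.g. ICMP alerts) -> (ip, None)."""
    ip, sep, port = ep.rpartition(":")
    return (ip, int(port)) if sep else (ep, None)

def parse_alert(line: str):
    """Parse one syslog line into a dict; return None if it is not a Snort alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    a = m.groupdict()
    # gid = generator (1 = rules engine, see etc/generators), sid = the rule's
    # "sid:" keyword, rev = rule revision; iface is None when -I was not used.
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    a["src"], a["src_port"] = _endpoint(a["src"])
    a["dst"], a["dst_port"] = _endpoint(a["dst"])
    return a

def alerts_by_interface(lines):
    """Group alerts by sensor interface; 'unknown' when the line has no <iface>."""
    groups = {}
    for a in filter(None, map(parse_alert, lines)):
        groups.setdefault(a["iface"] or "unknown", []).append(a)
    return groups
```

Feeding `/var/log/messages` through `alerts_by_interface` shows at a glance which sensor interface raised each alert; lines from the process started without `-I` all land under "unknown".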