Re: About syslog messages in snort

[Robert Millott <robm () millottandassociates com>]

Yes, but you can set a unique id to events from each individual snort
instance.  I don't have the code in front of me, but you can start one
instance of snort like:

snort -c snort.conf -G01
and the second as
snort -c snort2.conf -G02

Then the alerts from each instance will have that 01 or 02 in the alerts.

How you separate them, and what you do once you have them identified, I'm
not sure, but at least this lets you identify which alert came from which
instance


On Fri, Nov 21, 2014 at 8:47 AM, C. L. Martinez <carlopmart () gmail com>
wrote:

> Thanks Robert, but according to snort's docs -G flag it is for eventid
> generated by one sensor ... Right??
>
> On Fri, Nov 21, 2014 at 1:22 PM, Robert Millott
> <robm () millottandassociates com> wrote:
> > Check out the -G option for starting snort.
> >
> > Also google it. I had some problems with it a few months back, but
> finally
> > got it figured out. I think I posted the results, but if you need some
> more
> > help, I can share what I've done.
> >
> > On Fri, Nov 21, 2014 at 2:34 AM, C. L. Martinez <carlopmart () gmail com>
> > wrote:
> > > Hi all
> > >
> > >  I have installed two snort instances in one host (both are snort
> > > 2.9.7.0). One snort instance has so_rules only and the other instance
> > > the rest of the rules.
> > >
> > >  Ok. I need to differentiate syslog messages between these snort
> > > processes using, for example, a specific entry like "snort_so-sensor1"
> > > or "snort-sensor2" and, if it is possible, redirect all snort's syslog
> > > entries to a different log file.
> > >
> > >  Exists some option when snort starts or inside conf file to do this??
> > >
> > >  I don't see anything about this in snort docs.
> > >
> > >  Thanks.
> ------------------------------------------------------------------------------
> > > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> > > with Interactivity, Sharing, Native Excel Exports, App Integration &
> more
> > > Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > > news!
> >
> >
> >
> >
> > --
> > Robert Millott
> > President, Millott and Associates
> > (443) 255-3588
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Robert Millott
President, Millott and Associates
(443) 255-3588

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!