Re: [Snort-Users] differentiate between eth0 and eth1

From: Alejandro Flores (alejandro.florestriforsec.com.br)
Date: Thu Apr 01 2004 - 18:41:43 CST


        Hello there,

> Hello snort users!
>
> I am new to snort and have what I am sure is a very simple question at least
> for you folks. I have a single snort box with 2 ethernet cards, and 2 snort
> processes running. I start the process from within the directory where
> snort.conf resides:
>
> /usr/local/bin/snort -i eth0 -D
> /usr/local/bin/snort -i eth1 -D
>
> I am logging very simply to the /var/log/messages file, and would like to know
> if there is a way to differentiate between each interface that is snorting.

        Use '-I' (Add Interface name to alert output)

> From what I see in messages it is not obvious to me that I can.
>
> Apr 1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt
> [Classification: Detection of a Network Scan] [Priority: 3]: {UDP}
> 172.16.45.94:1037 -> 172.16.1.2:1900
>
> What does [1:1917:4] mean/stand for

        If I'm not wrong:
        1 -> Generator ID (the guy who generates the alert, see: etc/generators)
        1917 -> Signature ID (keyword that identifies the rule "sid: 1917;")
        4 -> Rule revision

        Why don't you use ACID to monitor the alerts in 'real-time'?
        Sure, you'll also need to install MySQL or PostgreSQL.

Regards,
Alejandro Flores

--TriForSec
http://www.triforsec.com.br/
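As an added example (not part of this thread and not Snort's own code): a small Python parser for the syslog alert format quoted in the question, which pulls out the gid:sid:rev triplet the reply explains plus the interface name that -I adds, and then groups alerts per interface. The exact placement of the interface tag in the syslog line (as `<eth0>` right after the triplet) and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Snort 2.x syslog alert line in the form quoted in the question. The optional
# "<iface>" field is what -I adds; placing it right after the [gid:sid:rev]
# triplet is an assumption about the syslog output plugin, not from the thread.
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:<(?P<iface>[^>]+)> )?(?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line: str) -> Optional[dict]:
    """Parse one /var/log/messages line; None if it is not a Snort alert.
    gid = generator ID, sid = the rule's "sid:" keyword, rev = rule revision;
    iface is None unless snort was started with -I; ports are None for ICMP."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None
    return a

def alerts_by_interface(lines: List[str]) -> Dict[Optional[str], List[int]]:
    """Group alert SIDs by interface; the None bucket holds lines logged
    without -I, which cannot be told apart between eth0 and eth1."""
    groups: Dict[Optional[str], List[int]] = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a:
            groups[a["iface"]].append(a["sid"])
    return dict(groups)

# Constructed sample: the line from the question plus two with -I enabled.
SAMPLE_LOG = [
    "Apr 1 14:54:53 snort1 snort: [1:1917:4] SCAN UPnP service discover attempt "
    "[Classification: Detection of a Network Scan] [Priority: 3]: {UDP} "
    "172.16.45.94:1037 -> 172.16.1.2:1900",
    "Apr 1 14:55:10 snort1 snort: [1:1917:4] <eth0> SCAN UPnP service discover "
    "attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} "
    "172.16.45.94:1037 -> 172.16.1.2:1900",
    "Apr 1 14:55:12 snort1 snort: [1:384:5] <eth1> ICMP PING "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.1",
    "Apr 1 14:55:13 snort1 sshd[123]: Accepted publickey for admin",  # not Snort
]
```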
