I'd try this list.
Has anyone had any experience with Cisco Access Lists and Snort's LogSnorter.
I've been trying and all I'm having is problems.
Every time I run the log snorter it comes back with
logsnorter: Error line 1. Cisco error line 1: doesn't match known type: Nov 12 00:11:03 c4700 3062: *Nov 12 00:09:21 EST: %SEC-6-IPACCESSLOGP: list 185 denied tcp XX.XX.XXX.XXX(52076) -> YY.YY.YYY.YYY(135), 2 packets
(obviously the XX and YY would normally be ip's)
and does this for every line. Suggestions?
I'm a little bit of a newbie to snort ... but my config for the logsnorter has this..
$db_server = 'localhost'; $db_database = 'IDS'; $db_usercode = 'USER'; $db_password = 'XXXXXXXXXX';
$DB_TYPE="mysql";
$cisco_interface['c4700',185]="Ethernet0";
where the interface that my access list is on is eth0 and the access list is 185. c4700 I assumed is the name that shows in the router's log files. ???
I have a sneaky feeling that between when this was written and now Cisco has changed their logging and this is making the parse of the log incorrect; however, I'm not good enough with parsing and scripting to figure out how to fix it.
Suggestions/help would be much appreciated..
Dave
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
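As an added example, not code from the post or from LogSnorter, here is a small Python parser for the kind of line the error message quotes. It treats the syslog sequence number (`3062:`) and the router's own timestamp (`*Nov 12 00:09:21 EST:`, where the leading `*` means the router clock is not NTP-synchronised) as optional, so lines with or without `service sequence-numbers` / `service timestamps` both parse, and it reports lines it cannot classify instead of aborting on the first one. The `IPACCESSLOGDP` (ICMP) message shape, the optional `(interface MAC)` field that `log-input` adds, and the RFC 5737 addresses in the sample lines are my assumptions and constructed data; the host/ACL-to-interface mapping mirrors the `$cisco_interface` setting quoted in the post.

```python
"""Parser for Cisco IOS ACL syslog lines (%SEC-6-IPACCESSLOGP / IPACCESSLOGDP)
that tolerates the optional sequence number and router-side timestamp."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (hostname, ACL number) -> interface, mirroring the poster's $cisco_interface setting.
CISCO_INTERFACE: Dict[Tuple[str, str], str] = {("c4700", "185"): "Ethernet0"}

# Syslog header: receiver timestamp, hostname, optional "NNN: " sequence number,
# optional router timestamp (a leading '*' or '.' marks an unsynchronised clock).
HEADER = re.compile(
    r"^(?P<rcv_time>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?:(?P<seq>\d+):\s+)?"
    r"(?:[*.]?(?P<rtr_time>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?(?:\s+[A-Z]+)?):\s+)?"
    r"%SEC-6-(?P<msg>IPACCESSLOG[A-Z]+):\s+(?P<body>.*)$"
)
# tcp/udp body: "list 185 denied tcp A.B.C.D(52076) -> E.F.G.H(135), 2 packets"
# (an optional "(FastEthernet0/0 0011.2233.4455)" after the source is assumed for log-input)
BODY_P = re.compile(
    r"list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?:\s+\([^)]*\))?\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)
# icmp body (assumed shape): "list 185 denied icmp A.B.C.D -> E.F.G.H (8/0), 1 packet"
BODY_DP = re.compile(
    r"list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+(?P<proto>icmp)\s+"
    r"(?P<src>[\d.]+)(?:\s+\([^)]*\))?\s+->\s+(?P<dst>[\d.]+)\s+"
    r"\((?P<itype>\d+)/(?P<icode>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)


@dataclass
class AclEvent:
    host: str
    seq: Optional[int]
    msg: str
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    count: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None
    interface: Optional[str] = None


def parse_line(line: str) -> Optional[AclEvent]:
    """Return an AclEvent for an ACL log line, or None if the line is not one."""
    h = HEADER.match(line.strip())
    if not h:
        return None
    body_re = {"IPACCESSLOGP": BODY_P, "IPACCESSLOGDP": BODY_DP}.get(h["msg"])
    b = body_re.match(h["body"]) if body_re else None
    if not b:
        return None
    ev = AclEvent(host=h["host"], seq=int(h["seq"]) if h["seq"] else None,
                  msg=h["msg"], acl=b["acl"], action=b["action"], proto=b["proto"],
                  src=b["src"], dst=b["dst"], count=int(b["count"]))
    if h["msg"] == "IPACCESSLOGP":
        ev.sport, ev.dport = int(b["sport"]), int(b["dport"])
    else:
        ev.icmp = (int(b["itype"]), int(b["icode"]))
    ev.interface = CISCO_INTERFACE.get((ev.host, ev.acl))
    return ev


def parse_log(text: str) -> Tuple[List[AclEvent], List[str]]:
    """Split a log into parsed ACL events and the raw lines that did not match,
    so unknown lines are reported rather than stopping the whole run."""
    events: List[AclEvent] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev:
            events.append(ev)
        else:
            unparsed.append(line)
    return events, unparsed


def denied_by_port(events: List[AclEvent]) -> Counter:
    """Packets denied per (ACL, protocol, destination port): a quick triage view."""
    c: Counter = Counter()
    for ev in events:
        if ev.action == "denied" and ev.dport is not None:
            c[(ev.acl, ev.proto, ev.dport)] += ev.count
    return c


# Constructed sample lines in the shape of the post's error line; the masked
# addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Nov 12 00:11:03 c4700 3062: *Nov 12 00:09:21 EST: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.0.2.10(52076) -> 198.51.100.5(135), 2 packets
Nov 12 00:15:40 c4700 3063: *Nov 12 00:13:58 EST: %SEC-6-IPACCESSLOGDP: list 185 denied icmp 192.0.2.11 -> 198.51.100.5 (8/0), 1 packet
Nov 12 00:16:02 c4700 %SEC-6-IPACCESSLOGP: list 185 permitted udp 192.0.2.12(53) -> 198.51.100.7(53), 1 packet
Nov 12 00:17:00 c4700 3064: *Nov 12 00:15:18 EST: %SYS-5-CONFIG_I: Configured from console by vty0
"""

if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("denied by port:", dict(denied_by_port(evs)))
    for line in bad:
        print("unparsed:", line)
```

The point of the two optional header groups is exactly the failure in the post: a parser written for `host %SEC-6-...` breaks as soon as the router starts prefixing a sequence number and its own timestamp, even though the ACL part of the line has not changed.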