Sguil: full content logging in combination with Snort_inline, revisited

A few days ago I wrote about some challenges that my Snort_inline setup presented. Especially the full content logging wasn't working quite as I would have liked. Logging on the pseudo device 'any' didn't work right, because the traffic that was NAT-ted was then recorded twice: once before NAT and once after NAT. The solution I (with help from #snort-gui) came up with was to use '-i any' anyway, but exclude my public IP using a BPF filter. Later I saw Joel Esler write the solution in an unrelated problem to someone else. Sometimes solutions can be so simple!

Solution: passing -i eth0:eth1 to snort… Duh! Thanks Joel!
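To make the '-i any' problem and the BPF workaround concrete, here is a small simulation I am adding to this post (it is not Snort code and not part of the original post). It models a source-NAT gateway with a LAN side (eth0) and an Internet side (eth1), shows that every forwarded connection is logged twice on 'any', and shows what a 'not host <public ip>' filter does to the capture, including its side effect: connections that terminate on the gateway's own public IP are dropped from the full content log as well. All addresses, interface names and flows are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample values for the simulation (not taken from the original post).
PUBLIC_IP = ip_address("203.0.113.10")      # gateway's public address (documentation range)
INSIDE_IF, OUTSIDE_IF = "eth0", "eth1"      # LAN side and Internet side of the NAT gateway


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the 'any' pseudo-device attributes the packet to
    src: str
    dst: str
    dport: int


def capture_any(forwarded, local):
    """Model what '-i any' records on a source-NAT gateway.

    forwarded: (lan_src, remote_dst, dport) flows from the LAN to the Internet;
               each shows up twice, pre-NAT on eth0 and post-NAT on eth1.
    local:     (remote_src, dport) connections from the Internet to a service
               on the gateway's own public IP; these are seen once, on eth1.
    """
    seen = []
    for lan_src, remote_dst, dport in forwarded:
        seen.append(Packet(INSIDE_IF, lan_src, remote_dst, dport))          # before SNAT
        seen.append(Packet(OUTSIDE_IF, str(PUBLIC_IP), remote_dst, dport))  # after SNAT
    for remote_src, dport in local:
        seen.append(Packet(OUTSIDE_IF, remote_src, str(PUBLIC_IP), dport))
    return seen


def bpf_not_host(packets, host):
    """Apply the equivalent of the BPF filter 'not host <host>': drop every
    packet whose source or destination is <host>, regardless of interface."""
    h = str(host)
    return [p for p in packets if p.src != h and p.dst != h]


def duplicate_count(packets):
    """Number of (dst, dport) pairs that appear more than once, i.e. how many
    connections were logged twice (a pre-NAT and a post-NAT copy)."""
    keys = [(p.dst, p.dport) for p in packets]
    return sum(1 for k in set(keys) if keys.count(k) > 1)


def summarize(forwarded, local):
    """Return (packets seen on 'any', packets left after 'not host PUBLIC_IP',
    duplicated connections before filtering, gateway-local packets the filter lost)."""
    raw = capture_any(forwarded, local)
    filtered = bpf_not_host(raw, PUBLIC_IP)
    lost_local = sum(1 for p in raw if p.dst == str(PUBLIC_IP))
    return len(raw), len(filtered), duplicate_count(raw), lost_local


if __name__ == "__main__":
    # Constructed traffic: two LAN hosts browsing out, one inbound SSH session to the gateway.
    forwarded = [("192.168.1.20", "198.51.100.5", 80), ("192.168.1.21", "198.51.100.9", 443)]
    local = [("198.51.100.77", 22)]
    print(summarize(forwarded, local))   # -> (5, 2, 2, 1)
```

The filter removes the post-NAT duplicates, so each forwarded connection is logged once with its real LAN source, which is what you want when pivoting from a Sguil alert to the transcript. The fourth number is the caveat: anything addressed to the gateway's public IP itself (SSH to the firewall, a port forward) disappears from the full content log too, so if that traffic matters, the filter needs an exception for it.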

One Response to “Sguil: full content logging in combination with Snort_inline, revisited”

  1. Inliniac » Blog Archive » Sguil: full content logging in combination with Snort_inline, revisited *again* Says:

    [...] #snort channel over whether or not passing multiple interfaces to snort works or not. As a reminder, some time ago I noted that passing two interfaces to snort like this: 'snort -i eth0:eth1' worked [...]
