Snort mailing list archives

Re: basic command


From: "Warrick FitzGerald" <wfitzgerald () livetechnology com>
Date: Sat, 19 Jan 2002 16:30:43 -0500

You're right, you do have a lot more flexibility when using the rule files;
however, in my specific application I was sniffing and logging data from a
number of different users and got sick of changing the files. It was easier
to modify the command line, as I did not need a complex rule set.

Thanks
Warrick
----- Original Message -----
From: "John Sage" <jsage () finchhaven com>
To: "Warrick FitzGerald" <wfitzgerald () livetechnology com>
Cc: <snort-users () lists sourceforge net>
Sent: Saturday, January 19, 2002 4:19 PM
Subject: Re: [Snort-users] basic command


Warrick:

I stand corrected!

I hadn't seen that syntax before, at least in the context of *starting*
snort.

I *do* use that sort of tcpdump/BPF syntax a lot in reading back my -b
binary log files...

I guess I have just one question: why do you want to start snort that
way, rather than have it read from snort.conf and read from the rules
that you can edit more at your leisure?

Is it that this method allows you to have a more selective filtering
capability?

Does that advantage outweigh the complexity of the command line syntax
versus the simplicity of binary logging everything, and extracting what
you want later using -r and tcpdump/BPF syntax then?


- John

--
You can never have too many shells



Warrick FitzGerald wrote:

Paul Slinki explained that it is very similar to tcpdump i.e.,

snort -dev -l /root/snortlog2 -h 10.10.52.100/32 port 80

Does exactly what I want. I'm not sure exactly how much you can achieve
on the command line, but this certainly works for my needs.

----- Original Message -----
From: "John Sage" <jsage () finchhaven com>
To: "Warrick FitzGerald" <wfitzgerald () livetechnology com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, January 18, 2002 9:32 PM
Subject: Re: [Snort-users] basic command



umm..

This command line has *nothing* to do with logging, alerting or anything
like that.

No command line does any of that.

I'd suggest you familiarize yourself with:

http://snort.sourcefire.com/docs/writing_rules/chap2.html#tth_chAp2



- John

--
The web page you seek
cannot be found here:
countless others await




Warrick FitzGerald wrote:


Can someone please explain how I would modify this command line statement
so that it only logs TCP port 80

snort -dev -l /root/snortlog2 -h 10.10.52.100/32

Thanks
Warrick






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

