Snort mailing list archives

Snort Instance


From: Nicholas Horton <fivetenets () me com>
Date: Wed, 30 Oct 2013 14:38:24 -0400

Is it possible to start a second command line instance of snort and log sniffer results to easily show unique sources?

More specifically, I want to capture in sniffer mode and be able to view the data easily and quickly by source IP.

For example I want to know any source that is coming in via FTP to a few servers. So I have:

"snort -dev -i eth1 ip host 10.10.10.2 or ip host 10.10.10.3 or ip host 10.10.10.4 and port 21 -l ./log"

This works but trying to view the unique sources is a bit overwhelming and tedious because of all the log entries. 

Is there a way to only capture unique sources, or just limit the entries to one alert, or pull unique sources from this pcap in this sniffer command line mode?

I want to easily show these sources are FTP'ing to your servers.

Right now I'm manually scrolling and trying to make a list from the pcap.

My service snort has threshold.conf etc. which is still running, but I want to do a second instance for just an on-the-fly sniffer capture process that I start and stop, all while leaving my service snort untouched.

Thanks!
Nick
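One way to pull the unique sources out of the pcap that command writes, as an added example that is not from the poster or the Snort project: a small Python reader walks the libpcap records and counts packets per source IP that are addressed to the three servers on TCP/21. It assumes a little-endian pcap with Ethernet framing, treats only traffic towards the servers as "sources" (the poster's BPF matches both directions), and the sample capture is constructed inline.

```python
import socket
import struct
from collections import Counter

SERVERS = {"10.10.10.2", "10.10.10.3", "10.10.10.4"}  # the poster's three FTP servers

def unique_ftp_sources(pcap_bytes, servers=SERVERS, port=21):
    """Count TCP packets per source IP that are addressed to one of `servers`
    on `port`, reading a little-endian libpcap file with Ethernet framing."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    linktype, = struct.unpack("<I", pcap_bytes[20:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    sources, pos = Counter(), 24
    while pos + 16 <= len(pcap_bytes):
        incl_len, = struct.unpack("<I", pcap_bytes[pos + 8:pos + 12])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # IPv4 + TCP only
        ihl = (frame[14] & 0x0F) * 4                  # IP header may carry options
        if len(frame) < 14 + ihl + 4:
            continue                                  # truncated before the TCP ports
        dport, = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])
        if socket.inet_ntoa(frame[30:34]) in servers and dport == port:
            sources[socket.inet_ntoa(frame[26:30])] += 1
    return sources

def build_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame (no payload) used as sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a pcap global header and per-record headers (constructed)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: two FTP clients, one server reply and one SSH connection to ignore.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "10.10.10.2", 40000, 21),
    build_frame("192.0.2.10", "10.10.10.3", 40001, 21),
    build_frame("198.51.100.7", "10.10.10.4", 50000, 21),
    build_frame("10.10.10.2", "192.0.2.10", 21, 40000),
    build_frame("203.0.113.9", "10.10.10.2", 51000, 22),
])
```

Pointing `unique_ftp_sources` at the bytes of a real sniffer-mode log file gives the deduplicated source list directly instead of scrolling through every packet.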