[Snort-sigs] commandline syntax....

Matt Kettler mkettler at ...189...
Thu Apr 22 09:13:01 EDT 2004


At 06:02 PM 4/21/2004, Ryan Trost wrote:
>I've searched the www.snort.org website, read through Intrusion Detection 
>with Snort by Koziol, and also read through the snort manual.....BUT I 
>still can't find the answer to my question.

Ok, next time also read the list descriptions. Use snort-users for general 
questions. This list is for signature development (i.e., packet trace and attack 
analysis, rule syntax, etc.).

>In my reading of documentation, #3.15 Which takes precedence, commandline 
>or rule file ?
>
>The command line always gets precedence over the rules file. If people want to
>try stuff out quickly without having to manually edit the rules file, they
>should be able to override many things from the command line.
>
>Here's my question....
>
>How can someone (from the commandline) add a rule such as:
>
>alert tcp 24.197.27.173 any -> 69.20.37.124 any


You can't add rules on the command line. Period.

The docs are pointing out that for settings which do exist on both the 
command-line and in the config files, such as logging options, the 
command-line will win.

However, not all options exist in both places. One example is rules. Rules 
only exist in the config files. Another is interface selection. Interface 
selection only exists on the command line.


>**Ultimately I'm looking for the alert to trigger when my gateway computer 
>sends a packet request to www.visualbasicforum.com (only URL I could think of).
>
>Is this possible?

Yes, add the rule to local.rules and make sure the local.rules include in 
snort.conf isn't commented out.

Why would you even want to have rules on the command line?

>  Would it be different for Linux vs. Windows?

No. 
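
The advice above as a shell script (an added example, not part of the original post): it makes sure snort.conf has an active include for local.rules and appends the rule once. Snort 2.x syntax is assumed; the temporary paths, the msg text and sid 1000001 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Snort 2.x config/rule syntax assumed; paths, msg and sid are constructed.

# Succeeds when snort.conf has an active (uncommented) include for local.rules.
local_rules_enabled() {
    grep -Eq '^[[:space:]]*include[[:space:]]+[^#]*local\.rules' "$1"
}

# Uncomment an existing '#include ... local.rules' line, or append one if absent.
enable_local_rules() {
    conf=$1
    local_rules_enabled "$conf" && return 0
    if grep -Eq '^[[:space:]]*#+[[:space:]]*include[[:space:]]+[^#]*local\.rules' "$conf"; then
        sed -E 's/^[[:space:]]*#+[[:space:]]*(include[[:space:]]+[^#]*local\.rules)/\1/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'include $RULE_PATH/local.rules\n' >> "$conf"
    fi
}

# Append the rule only if the exact line is not already present.
add_rule() {
    rules=$1; rule=$2
    grep -Fqx "$rule" "$rules" 2>/dev/null || printf '%s\n' "$rule" >> "$rules"
}

# The header from the question, completed with a rule body (msg and sid are constructed;
# sids from 1000000 upward are the range conventionally used for local rules).
RULE='alert tcp 24.197.27.173 any -> 69.20.37.124 any (msg:"gateway to watched host"; sid:1000001; rev:1;)'

# Demo on a constructed snort.conf in a temporary directory.
d=$(mktemp -d)
printf 'var RULE_PATH ../rules\n# include $RULE_PATH/local.rules\n' > "$d/snort.conf"
enable_local_rules "$d/snort.conf"
add_rule "$d/local.rules" "$RULE"
cat "$d/snort.conf" "$d/local.rules"
rm -rf "$d"
```

After editing a real configuration, `snort -T -c <path to snort.conf>` makes Snort parse the config and rules and exit, which catches a syntax error in the new rule before the sensor is restarted.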