[Snort-sigs] commandline syntax....
mkettler at ...189...
Thu Apr 22 09:13:01 EDT 2004
At 06:02 PM 4/21/2004, Ryan Trost wrote:
>I've searched the www.snort.org website, read through Intrusion Detection
>with Snort by Koziol, and also read through the snort manual.....BUT I
>still can't find the answer to my question.
Ok, next time also read the list descriptions.. use snort-users for general
questions. This list is signature development (ie: packet trace and attack
analysis, rule syntax, etc).
>In my reading of documentation, #3.15 Which takes precedence, commandline
>or rule file ?
>The command line always gets precedence over the rules file. If people want to
>try stuff out quickly without having to manually edit the rules file, they
>should be able to override many things from the command line.
>Here's my question....
>How can someone (from the commandline) add a rule such as:
>alert tcp 18.104.22.168 any -> 22.214.171.124 any
You can't add rules on the command line. Period.
The docs are pointing out that for settings which do exist on both the
command-line and in the config files, such as logging options, the
command-line will win.
However, not all options exist in both places. One example is rules. Rules
only exist in the config files. Another is interface selection. Interface
selection only exists on the command line.
>**Ultimately I'm looking for the alert to trigger when my gateway computer
>sends a packet request to www.visualbasicforum.com (only URL I could think of).
>Is this possible?
Yes, add the rule to local.rules and make sure the local.rules include in
snort.conf isn't commented out.
Why would you even want to have rules on the command line?
> Would it be different for Linux vs. Windows?
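
An added example, not part of the original message: a shell sketch of the advice above, checking that the local.rules include in snort.conf is not commented out and appending a rule to local.rules. The addresses, msg text, sid, file names and the helper names `local_rules_enabled` and `add_local_rule` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Addresses (RFC 5737 documentation ranges), msg text, sid and
# file names are constructed placeholders, not values from the thread.
SAMPLE_RULE='alert tcp 192.0.2.10 any -> 198.51.100.20 any (msg:"LOCAL gateway to watched host"; sid:1000001; rev:1;)'

# Succeeds only if CONF has an active include for local.rules.
# A line whose first non-blank character is '#' is a comment and is ignored.
local_rules_enabled() {
    grep -Eq '^[[:space:]]*include[[:space:]]+[^#]*local\.rules([[:space:]]|$)' "$1"
}

# Appends RULE to RULES_FILE; refuses a rule without a sid or with a sid that
# the file already uses.
add_local_rule() {
    rules_file=$1
    rule=$2
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p')
    if [ -z "$sid" ]; then
        echo "rule has no sid" >&2
        return 2
    fi
    if [ -f "$rules_file" ] && grep -Eq "sid:[[:space:]]*$sid;" "$rules_file"; then
        echo "sid $sid already present in $rules_file" >&2
        return 1
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed snort.conf with the include still commented out.
    printf '%s\n' 'var RULE_PATH .' '# include $RULE_PATH/local.rules' > "$dir/snort.conf"
    local_rules_enabled "$dir/snort.conf" || echo "local.rules include is commented out"
    # Same file with the include active.
    printf '%s\n' 'var RULE_PATH .' 'include $RULE_PATH/local.rules' > "$dir/snort.conf"
    local_rules_enabled "$dir/snort.conf" && echo "local.rules include is active"
    add_local_rule "$dir/local.rules" "$SAMPLE_RULE" && echo "rule added"
    rm -rf "$dir"
}
demo
```

After editing, running `snort -T -c` against the snort.conf loads the configuration in test mode and reports rule parse errors.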