[Snort-sigs] RE: commandline syntax

Nick.Foxen at ...2411...
Fri Apr 23 09:04:13 EDT 2004


If your goal is to alert you when someone surfs to
"www.visualbasicforum.com" you should be able to set up your rule to log any
activity going to the website and then run a scheduled task (cron, at,
taskscheduler) to parse the log file looking for your search criteria. Any
data returned (non-zero) from a grep or find would indicate you had a hit.
With a condition statement you should then be able to send mail to anyone
you want saying that someone is being naughty....

Nick Foxen
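The log-then-grep approach described above, as an added example that is not part of the thread: a cron-driven shell script that counts hits on a local Snort rule in the fast-format alert file and builds a mail body only when there is something to report. The alert file path, the local rule line and its sid, and the sample alert lines are all assumed or constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a cron job that checks Snort's fast-format
# alert file for hits on a local rule and builds a mail body when there are any.
# The rule producing the alerts would live in local.rules, e.g. (assumed):
#   alert tcp 24.197.27.173 any -> 69.20.37.124 any (msg:"LOCAL gateway to visualbasicforum"; sid:1000001; rev:1;)

ALERT_LOG="${ALERT_LOG:-/var/log/snort/alert}"   # assumed path of the fast-format alert file
RULE_SID="${RULE_SID:-1000001}"                    # sid of the assumed local rule above

# Count alert lines for one generator:sid pair. The trailing colon keeps sid 1000001
# from also matching 10000011. Always prints a number and exits 0, so it is safe under set -e.
count_hits() {
    n=$(grep -cF "[1:$2:" "$1" || true)
    printf '%s\n' "${n:-0}"
}

# Unique source addresses of the matching alerts (the field before "->", port stripped).
hit_sources() {
    awk -v tag="[1:$2:" 'index($0, tag) { for (i = 1; i <= NF; i++) if ($i == "->") { split($(i - 1), a, ":"); print a[1] } }' "$1" | sort -u
}

# Build the mail body; returns 1 when there is nothing to report, so a crontab line like
#   body=$(report_hits "$ALERT_LOG" "$RULE_SID") && printf '%s\n' "$body" | mail -s "snort hit" admin@example.invalid
# only sends mail when a hit exists.
report_hits() {
    n=$(count_hits "$1" "$2")
    [ "$n" -gt 0 ] || return 1
    printf '%s hit(s) on sid %s in %s\n' "$n" "$2" "$1"
    printf 'sources: %s\n' "$(hit_sources "$1" "$2" | tr '\n' ' ')"
    grep -F "[1:$2:" "$1"
}

# Constructed sample alert file in Snort fast-alert format (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
04/23-08:58:01.000001  [**] [1:1000001:1] LOCAL gateway to visualbasicforum [**] [Priority: 3] {TCP} 24.197.27.173:51234 -> 69.20.37.124:80
04/23-08:59:17.000002  [**] [1:1000002:1] LOCAL unrelated policy rule [**] [Priority: 3] {TCP} 24.197.27.173:51235 -> 192.0.2.10:443
04/23-09:01:40.000003  [**] [1:1000001:1] LOCAL gateway to visualbasicforum [**] [Priority: 3] {TCP} 192.168.0.20:40022 -> 69.20.37.124:80
EOF

report_hits "$SAMPLE_LOG" "$RULE_SID" || echo "no hits for sid $RULE_SID"
```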


--__--__--

Message: 1
Date: Thu, 22 Apr 2004 12:11:43 -0400
To: "Ryan Trost" <trostycp at ...12...>, snort-sigs at lists.sourceforge.net
From: Matt Kettler <mkettler at ...189...>
Subject: Re: [Snort-sigs] commandline syntax....

At 06:02 PM 4/21/2004, Ryan Trost wrote:
>I've searched the www.snort.org website, read through Intrusion Detection 
>with Snort by Koziol, and also read through the snort manual.....BUT I 
>still can't find the answer to my question.

Ok, next time also read the list descriptions. Use snort-users for general 
questions. This list is signature development (ie: packet trace and attack 
analysis, rule syntax, etc).

>In my reading of documentation, #3.15 Which takes precedence, commandline 
>or rule file ?
>
>The command line always gets precedence over the rules file. If people want to
>try stuff out quickly without having to manually edit the rules file, they
>should be able to override many things from the command line.
>
>Here's my question....
>
>How can someone (from the commandline) add a rule such as:
>
>alert tcp 24.197.27.173 any -> 69.20.37.124 any


You can't add rules on the command line. Period.

The docs are pointing out that for settings which do exist on both the 
command-line and in the config files, such as logging options, the 
command-line will win.

However, not all options exist in both places. One example is rules. Rules 
only exist in the config files. Another is interface selection. Interface 
selection only exists on the command line.


>**Ultimately I'm looking for the alert to trigger when my gateway computer 
>sends a packet request to www.visualbasicforum.com (only URL I could think of).
>
>Is this possible?

Yes, add the rule to local.rules and make sure the local.rules include in 
snort.conf isn't commented out.

Why would you even want to have rules on the command line?

>  Would it be different for Linux vs. Windows?

No. 
