[Snort-sigs] RE: commandline syntax
Nick.Foxen at ...2411...
Fri Apr 23 09:04:13 EDT 2004
If your goal is to alert you when someone surfs to
"www.visualbasicforum.com" you should be able to set up your rule to log any
activity going to the website and then run a scheduled task (cron, at,
taskscheduler) to parse the log file looking for your search criteria. Any
data returned (non-zero) from a grep or find would indicate you had a hit.
With a condition statement you should then be able to send mail to anyone
you want, saying that someone is being naughty....
Date: Thu, 22 Apr 2004 12:11:43 -0400
To: "Ryan Trost" <trostycp at ...12...>, snort-sigs at lists.sourceforge.net
From: Matt Kettler <mkettler at ...189...>
Subject: Re: [Snort-sigs] commandline syntax....
At 06:02 PM 4/21/2004, Ryan Trost wrote:
>I've searched the www.snort.org website, read through Intrusion Detection
>with Snort by Koziol, and also read through the snort manual.....BUT I
>still can't find the answer to my question.
OK, next time also read the list descriptions. Use snort-users for general
questions. This list is for signature development (i.e. packet trace and attack
analysis, rule syntax, etc.).
>In my reading of documentation, #3.15 Which takes precedence, commandline
>or rule file?
>The command line always gets precedence over the rules file. If people want
>to try stuff out quickly without having to manually edit the rules file, they
>should be able to override many things from the command line.
>Here's my question....
>How can someone (from the commandline) add a rule such as:
>alert tcp 126.96.36.199 any -> 188.8.131.52 any
You can't add rules on the command line. Period.
The docs are pointing out that for settings which do exist on both the
command-line and in the config files, such as logging options, the
command-line will win.
However, not all options exist in both places. One example is rules. Rules
only exist in the config files. Another is interface selection. Interface
selection only exists on the command line.
>**Ultimately I'm looking for the alert to trigger when my gateway computer
>sends a packet request to www.visualbasicforum.com (only URL I could think
>Is this possible?
Yes, add the rule to local.rules and make sure the local.rules include in
snort.conf isn't commented out.
Why would you even want to have rules on the command line?
> Would it be different for Linux vs. Windows?
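Putting the two answers in this thread together (Matt's: the rule lives in local.rules and snort.conf must include that file; Nick's: a scheduled job greps the alert log and mails when the count is non-zero), as an added example that is not part of either post. The rule text, the sid, the file paths and the alert-log lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Everything below (rule, sid, paths,
# alert lines) is constructed; adapt to your own snort.conf and log location.
set -u

# Rule to drop into local.rules: match the HTTP Host header for the site.
LOCAL_RULE='alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL web visit www.visualbasicforum.com"; content:"Host|3a| www.visualbasicforum.com"; nocase; sid:1000001; rev:1;)'
RULE_MSG='LOCAL web visit www.visualbasicforum.com'

# Succeeds only if snort.conf has an uncommented include of local.rules.
include_active() {
    grep -Eq '^[[:space:]]*include[[:space:]]+.*local\.rules' "$1"
}

# Prints how many alert-log lines carry the rule's msg (0 if none / no file).
count_hits() {
    n=$(grep -cF -- "$2" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# The cron/at half: mail a summary when the count is non-zero. Returns 0 if a
# notification went out, 1 otherwise. MAILER defaults to cat so it runs offline.
notify_if_hits() {
    hits=$(count_hits "$1" "$2")
    [ "$hits" -gt 0 ] || return 1
    printf 'Snort: %s hit(s) for "%s"\n' "$hits" "$2" | ${MAILER:-cat}
}

# Constructed stand-ins for snort.conf, local.rules and the fast-format alert log.
WORK=$(mktemp -d)
SNORT_CONF="$WORK/snort.conf"; ALERT_LOG="$WORK/alert"
printf '%s\n' 'var RULE_PATH rules' '# include $RULE_PATH/local.rules' > "$SNORT_CONF"
printf '%s\n' "$LOCAL_RULE" > "$WORK/local.rules"
cat > "$ALERT_LOG" <<'EOF'
04/22-12:11:43.000000  [**] [1:1000001:1] LOCAL web visit www.visualbasicforum.com [**] [Priority: 0] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80
04/22-12:12:01.000000  [**] [1:1000001:1] LOCAL web visit www.visualbasicforum.com [**] [Priority: 0] {TCP} 192.0.2.10:51240 -> 203.0.113.5:80
04/22-12:15:09.000000  [**] [1:2003:1] Unrelated rule [**] [Priority: 2] {TCP} 192.0.2.10:51300 -> 203.0.113.9:80
EOF

# With the include commented out the rule never loads, so checking the log is moot.
include_active "$SNORT_CONF" || echo "local.rules include is missing or commented out in $SNORT_CONF"
printf '%s\n' 'var RULE_PATH rules' 'include $RULE_PATH/local.rules' > "$SNORT_CONF"
include_active "$SNORT_CONF" && echo "local.rules include is active"
notify_if_hits "$ALERT_LOG" "$RULE_MSG" || echo "no hits"
```

Run it from cron and replace `MAILER=cat` with your mail command; the rule itself still has to be loaded by Snort, which is why the include check comes first.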