[Snort-users] rules difficulty

Jeremiah Cruit-Salzberg - HQ J at ...1642...
Sun Oct 28 13:45:01 EST 2001


Or better yet just use snort in its packet logger mode and do something
like:

snort -b -l /var/wherever

You can even add BPF style filters just like in tcpdump and do something
like:

snort -b -l /var/wherever 'net 192.117.88.0/20'

Which will grab anything to or from that network.  You can also grab a whole
BPF file with the -F if you want to make a really complicated filter -
perfect for replacing Shadow.

--j

J Cruit <j at ...1642...>
'Abusus non tolit usum'

>Greg Sarsons <gsarsons at ...530...> writes:
>
> I'm having trouble getting my rule to do what I want.  It is simple all
> I want is to log everything from this range ie see what traffic is
> coming and going from the network.
>
> the range is x.117.88.0 to x.117.95.255
>
> I guess my confusion is over getting the correct HOME_NET and
> EXTERNAL_NET variables.
>
>Try
>
>var $HOME_NET 192.117.88.0/20
>var $EXTERNAL_NET !$HOME_NET
>
>
>If your goal is to do all traffic, I'd just use something like tcpdump
>and then use snort to investigate afterwards.
>-- 
>Chris Green <cmg at ...671...>
>Fame may be fleeting but obscurity is forever.
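The packet-logger invocation from the top of this reply, as an added example that is not from the thread: a small Python helper that derives the BPF 'net' filter from the question's address range instead of sizing the mask by hand (the range x.117.88.0 to x.117.95.255 is eight /24s on an 8-aligned boundary, so it comes out as one /21; a /20 would have to start at .80.0), then assembles the snort -b -l command line with either an inline filter or a -F filter file. Assumed: a 192. first octet in place of the question's "x.", and the directory and file paths are placeholders.

```python
"""Added example (not from the thread): derive the BPF 'net' filter for an
address range and build the snort packet-logger command line shown above."""
import ipaddress
import shlex
from typing import List, Optional


def range_to_bpf(first: str, last: str) -> str:
    """Return a BPF expression matching traffic to or from first..last.

    The prefix length is computed from the endpoints rather than guessed.
    A range that is not a single aligned block needs several 'net' terms
    OR-ed together, because BPF 'net a.b.c.d/n' takes exactly one prefix.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    blocks = ipaddress.summarize_address_range(start, end)
    terms = [f"net {b.with_prefixlen}" for b in blocks]
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def snort_logger_cmd(logdir: str, bpf: str,
                     filter_file: Optional[str] = None) -> List[str]:
    """Build 'snort -b -l <dir> [<bpf> | -F <file>]' as an argv list.

    With filter_file set, the BPF text is expected in that file and is passed
    via -F (the reply's option for long filters); otherwise it goes inline as
    the trailing argument, exactly as in the reply above.
    """
    cmd = ["snort", "-b", "-l", logdir]
    if filter_file is not None:
        cmd += ["-F", filter_file]
    else:
        cmd.append(bpf)
    return cmd


if __name__ == "__main__":
    # Constructed input: the range from the question, with a 192. first octet.
    expr = range_to_bpf("192.117.88.0", "192.117.95.255")
    print(shlex.join(snort_logger_cmd("/var/wherever", expr)))
    # Prints: snort -b -l /var/wherever 'net 192.117.88.0/21'
```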