[Snort-users] rules difficulty
Jeremiah Cruit-Salzberg - HQ
J at ...1642...
Sun Oct 28 13:45:01 EST 2001
Or better yet just use snort in it's packet logger mode and do something
snort -b -l /var/wherever
You can even add BPF style filters just like in tcpdump and do something
snort -b -l /var/wherever 'net 220.127.116.11/20'
Which will grab anything to or from that network. You can also grab a whole
BPF file with the -F if you want to make a really complicated filter -
perfect for replacing Shadow.
J Cruit <j at ...1642...>
'Abusus non tolit usum'
>Greg Sarsons <gsarsons at ...530...> writes:
> I'm having trouble getting my rule to do what I want. It is simple all
> I want is to log everything from this range ie see what traffic is
> coming and going from the network.
> the range is x.117.88.0 to x.117.95.255
> I guess my confusion is over getting the correct HOME_NET and
> EXTERNAL_NET variables.
>var $HOME_NET 18.104.22.168/20
>var $EXTERNAL_NET !$HOME_NET
>If your goal is to do all traffic, I'd just use something like tcpdump
>and then use snort to investigate afterwards.
>Chris Green <cmg at ...671...>
>Fame may be fleeting but obscurity is forever.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users