[Snort-users] basic command

John Sage jsage at ...2022...
Sat Jan 19 13:20:02 EST 2002


Warrick:

I stand corrected!

I hadn't seen that syntax before, at least in the context of *starting* 
snort.

I *do* use that sort of tcpdump/BPF syntax a lot in reading back my -b 
binary log files...

I guess I have just one question: why do you want to start snort that 
way, rather than have it read from snort.conf and read from the rules 
that you can edit more at your leisure?

Is it that this method allows you to have a more selective filtering 
capability?

Does that advantage outweigh the complexity of the command line syntax 
versus the simplicity of binary logging everything, and extracting what 
you want later using -r and tcpdump/BPF syntax then?


- John

-- 
You can never have too many shells



Warrick FitzGerald wrote:

> Paul Slinki explained that it is very similar to tcpdump i.e.,
> 
> snort -dev -l /root/snortlog2 -h 10.10.52.100/32 port 80
> 
> Does exactly what I want. I'm not sure exactly how much you can achieve on
> the command line, but this certainly works to my needs.
> 
> ----- Original Message -----
> From: "John Sage" <jsage at ...2022...>
> To: "Warrick FitzGerald" <wfitzgerald at ...4613...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Friday, January 18, 2002 9:32 PM
> Subject: Re: [Snort-users] basic command
> 
> 
> 
>>umm..
>>
>>This command line has *nothing* to do with logging, alerting or anything
>>like that.
>>
>>No command line does any of that.
>>
>>I'd suggest you familiarize yourself with:
>>
>>http://snort.sourcefire.com/docs/writing_rules/chap2.html#tth_chAp2
>>
>>
>>
>>- John
>>
>>--
>>The web page you seek
>>cannot be found here:
>>countless others await
>>
>>
>>
>>
>>Warrick FitzGerald wrote:
>>
>>
>>>Can someone please explain how I would modify this command line
>>>statement so that it only logs TCP port 80
>>>
>>> snort -dev -l /root/snortlog2 -h 10.10.52.100/32
>>>
>>> Thanks
>>>Warrick
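The "log everything in binary, extract what you want later" approach John contrasts with the capture-time BPF filter is easy to see with a small read-back filter. The following script is an added example, not code from the thread or from the Snort project: it parses a tcpdump-format (pcap) file, which is what `snort -b` writes, and keeps only IPv4/TCP packets involving a given port, the same selection the BPF expression `port 80` would make when passed to `snort -r` or `tcpdump -r`. The capture bytes, addresses and port numbers are constructed inline so it runs offline; the helper names are this example's own.

```python
"""Read-back filtering of a pcap (tcpdump-format) capture by TCP port.

Constructed example: builds a tiny capture in memory, then selects the
packets a 'tcp port 80' BPF filter would return. Standard library only.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap magic as written by libpcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_packet(src_port, dst_port, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with fake addresses (10.10.52.x)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    tcp += payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 10, 52, 100]), bytes([10, 10, 52, 1]))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a pcap global header plus per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data):
    """Yield raw frames from a little-endian Ethernet pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic/endianness")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_ports(frame):
    """Return (src_port, dst_port) for an IPv4/TCP frame, else None.

    Non-IP, non-TCP and truncated frames are skipped rather than raising,
    which is what you want when a large binary log contains mixed traffic.
    """
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl or frame[14 + 9] != IPPROTO_TCP:
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 4:
        return None
    return struct.unpack_from("!HH", frame, tcp_off)


def filter_port(data, port):
    """Equivalent of the BPF expression 'tcp port <port>' applied on read-back."""
    return [f for f in iter_records(data) if (p := tcp_ports(f)) and port in p]


# Constructed capture: two HTTP packets (one each direction), one SSH, one HTTPS.
CAPTURE = build_pcap([
    build_packet(40001, 80, b"GET / HTTP/1.0\r\n"),
    build_packet(40002, 22),
    build_packet(80, 40001, b"HTTP/1.0 200 OK\r\n"),
    build_packet(40003, 443),
])

if __name__ == "__main__":
    hits = filter_port(CAPTURE, 80)
    total = len(list(iter_records(CAPTURE)))
    print(f"{len(hits)} of {total} packets match tcp port 80")
```

Filtering at read-back keeps the full binary log available for other questions later (the port-22 and port-443 packets are still on disk), which is the trade-off John raises against a capture-time `port 80` filter that discards everything else before it is ever written.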