[Snort-users] basic command

Warrick FitzGerald wfitzgerald at ...4613...
Sat Jan 19 13:35:02 EST 2002


You're right, you do have a lot more flexibility when using the rule files;
however, in my specific application I was sniffing and logging data from a
number of different users and got sick of changing the files. It was easier
to modify the command line, as I did not need a complex rule set.

Thanks
Warrick
----- Original Message -----
From: "John Sage" <jsage at ...2022...>
To: "Warrick FitzGerald" <wfitzgerald at ...4613...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Saturday, January 19, 2002 4:19 PM
Subject: Re: [Snort-users] basic command


> Warrick:
>
> I stand corrected!
>
> I hadn't seen that syntax before, at least in the context of *starting*
> snort.
>
> I *do* use that sort of tcpdump/BPF syntax a lot in reading back my -b
> binary log files...
>
> I guess I have just one question: why do you want to start snort that
> way, rather than have it read from snort.conf and read from the rules
> that you can edit more at your leisure?
>
> Is it that this method allows you to have a more selective filtering
> capability?
>
> Does that advantage outweigh the complexity of the command line syntax
> versus the simplicity of binary logging everything, and extracting what
> you want later using -r and tcpdump/BPF syntax then?
>
>
> - John
>
> --
> You can never have too many shells
>
>
>
> Warrick FitzGerald wrote:
>
> > Paul Slinki explained that it is very similar to tcpdump i.e.,
> >
> > snort -dev -l /root/snortlog2 -h 10.10.52.100/32 port 80
> >
> > Does exactly what I want. I'm not sure exactly how much you can achieve on
> > the command line, but this certainly works to my needs.
> >
> > ----- Original Message -----
> > From: "John Sage" <jsage at ...2022...>
> > To: "Warrick FitzGerald" <wfitzgerald at ...4613...>
> > Cc: <snort-users at lists.sourceforge.net>
> > Sent: Friday, January 18, 2002 9:32 PM
> > Subject: Re: [Snort-users] basic command
> >
> >
> >
> >>umm..
> >>
> >>This command line has *nothing* to do with logging, alerting or anything
> >>like that.
> >>
> >>No command line does any of that.
> >>
> >>I'd suggest you familiarize yourself with:
> >>
> >>http://snort.sourcefire.com/docs/writing_rules/chap2.html#tth_chAp2
> >>
> >>
> >>
> >>- John
> >>
> >>--
> >>The web page you seek
> >>cannot be found here:
> >>countless others await
> >>
> >>
> >>
> >>
> >>Warrick FitzGerald wrote:
> >>
> >>
> >>>Can someone please explain how I would modify this command line statement so
> >>>that it only logs TCP port 80
> >>>
> >>> snort -dev -l /root/snortlog2 -h 10.10.52.100/32
> >>>
> >>> Thanks
> >>>Warrick