[Snort-users] Lost in the config file

Erek Adams erek at ...577...
Thu Jun 27 00:34:02 EDT 2002


On Wed, 26 Jun 2002, K. A. Steensma wrote:

> This is a very small portion of an old message -
>
> -s xxx.xxx.xxx.xxx:xxx
> *** This works properly ***
>
> I (really) have given the user manual and FAQ a 'pretty good' look and
> can not figure out what the 3 numbers after the colon (:) are for. It
> seems that I have 'skipped' reading a very necessary doc.

Yep, you did.  ;-)  The code!  In the current CVS HEAD branch (1.9dev) at
around 1108 you see:

  1108              case 's':  /* log alerts to syslog */
  1109                  pv.syslog_flag = 1;
  1110                  DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Logging alerts to syslog\n"););
  1111                  /* command line alerting option has been specified,
  1112                   * override the alert options in the config file
  1113                   */
  1114                  pv.alert_cmd_override = 1;
  1115  #ifdef WIN32
  1116                  pv.syslog_remote_flag = 1;
  1117                  toks = mSplit(optarg, ":", 2, &num_toks, 0);
  1118                  strncpy(pv.syslog_server, toks[0], STD_BUF-1);
  1119                  pv.syslog_server_port = (num_toks == 1) ? 514 : atoi(toks[1]);
  1120                  DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Logging alerts to syslog server %s on port %d\n",
  1121                                          pv.syslog_server, pv.syslog_server_port););
  1122  #endif
  1123                  break;


Here in line 1117 you can see where you "split" based on a ":".  Then you use
the second argument as a port number to send to.  If there's not a port
number, make it be 514 (the standard) [line 1119].

Does that help?  :)

> And I'm very mixed up in relating the command line options to the config
> file.  What I mean is; I can add the '-i' command line option to
> designate the interface to watch, but how would I put this into the
> config file instead of on the command line?

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.1.3

Or quite simply:

	config interface: xl0

> Am I missing something or is there no 'search' feature in the mailing
> list archives at Geocrawler? I really feel like a novice (which I
> really am when it comes to Snort).

Some other archives have already been mentioned, but also check
http://marc.theaimsgroup.com/ .  Searchable and configurable....

Welcome to our world.  Now please step thru the door and we'll start the
un-freezing process.  ;-)  We're all novices about something.  C'mon in and
enjoy!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
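As an added illustration of the "host[:port]" parsing the reply walks through (this is example code written for this archive page, not Snort's own mSplit/atoi code): the function below splits on the first ':' and defaults the port to 514 exactly as the quoted lines 1117-1119 do, but it replaces the atoi() call with strtol() plus a range check, so a non-numeric or out-of-range port is reported as an error rather than silently becoming port 0. The struct, function and buffer names are this example's own, and the sample arguments are constructed test values.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYSLOG_DEFAULT_PORT 514   /* the "standard" port the reply mentions */
#define SERVER_BUF 256            /* stand-in for Snort's STD_BUF (example value) */

/* Parsed form of a "-s host[:port]" argument (names are this example's own). */
struct syslog_target {
    char server[SERVER_BUF];
    int  port;
};

/* Parse "host" or "host:port".  Mirrors the quoted Snort logic: split on the
 * first ':', take everything before it as the server, and use 514 when no
 * port is given.  Unlike atoi(), the port is validated: it must be all
 * digits and within 1..65535.  Returns 0 on success, -1 on a bad argument. */
int parse_syslog_target(const char *arg, struct syslog_target *out)
{
    const char *colon;
    size_t host_len;

    if (arg == NULL || out == NULL || *arg == '\0')
        return -1;

    memset(out, 0, sizeof *out);
    out->port = SYSLOG_DEFAULT_PORT;

    /* mSplit(optarg, ":", 2, ...) yields at most two tokens; we do the same
     * by locating the first ':' only. */
    colon = strchr(arg, ':');
    host_len = colon ? (size_t)(colon - arg) : strlen(arg);

    /* Reject an empty host (":514") and anything that would not fit the
     * buffer; strncpy(..., STD_BUF-1) in the original silently truncates. */
    if (host_len == 0 || host_len >= SERVER_BUF)
        return -1;

    memcpy(out->server, arg, host_len);
    out->server[host_len] = '\0';

    if (colon != NULL) {
        char *end;
        long port;

        if (colon[1] == '\0')
            return -1;                 /* "host:" with nothing after the colon */

        errno = 0;
        port = strtol(colon + 1, &end, 10);
        if (errno != 0 || *end != '\0' || port < 1 || port > 65535)
            return -1;                 /* non-numeric, trailing junk, or out of range */
        out->port = (int)port;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample arguments; 192.0.2.0/24 is a documentation range. */
    const char *samples[] = {
        "192.0.2.10", "192.0.2.10:1514", "192.0.2.10:abc", "192.0.2.10:", ":514"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct syslog_target t;
        if (parse_syslog_target(samples[i], &t) == 0)
            printf("%-18s -> server=%s port=%d\n", samples[i], t.server, t.port);
        else
            printf("%-18s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The difference that matters operationally is the third sample: with the atoi() version, "host:abc" would be accepted and alerts would be sent to port 0, which looks like a working configuration until nothing ever arrives at the syslog server.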
