[Snort-users] Snort with DHCP

Sadanapalli, Pradeep Kumar (MED, TCS) Pradeep.Sadanapalli at ...8430...
Fri May 2 15:34:10 EDT 2003


Oh I don't want to see the logs in tcpdump format. Now with the
configuration I am running,
snort is generation two files in /var/log/snort. 1) Alert, which lists
the traffic info in an understandable way.
2) snort.log , which has to be decoded to read.

I want all the stuff to go into alert file and not in tcpdump format.
What should I do for that? Will it be enough if I remove the -b option
and keep only -d?



-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Friday, May 02, 2003 5:22 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: Erek Adams; 'David Alonso De La Vega Tapage';
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort with DHCP


On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Thanks Erek for your nice explaination. So just to confirm ,if I add
the
> below lines
>
> "var HOME_NET $eth0_ADDRESS" in snort.conf, along with other
> configuration lines and
>
> "/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c
> /etc/snort/snort.cond -D -p "
>
> will meet my requirements that
> "running snort to watch the network traffic destined only to my
machine
> and also taking care of the changing IP address
> in DHCP scenario"
>
> If I am wrong somewhere , please correct me.

Exactly.  You can also modify your command line to be a bit 'better'.
If
you are logging to binary (unified, pcap, or -b) then -d is a waste of
time.  No need since the packets are dumped as a whole.  You can also
drop
the -p since it doesn't matter.  Only use the -p if you need to.  Since
you are a single node on a DHCP net, then promisc mode does not matter.
You'll still see broadcasts and ARP requests...

Cheers!


-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list