[Snort-users] Snort with DHCP

Sadanapalli, Pradeep Kumar (MED, TCS) Pradeep.Sadanapalli at ...8430...
Fri May 2 15:34:10 EDT 2003

Oh, I don't want to see the logs in tcpdump format. Now, with the
configuration I am running, snort is generating two files in /var/log/snort:
1) alert, which lists the traffic info in an understandable way.
2) snort.log, which has to be decoded to read.

I want all the stuff to go into alert file and not in tcpdump format.
What should I do for that? Will it be enough if I remove the -b option
and keep only -d?

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Friday, May 02, 2003 5:22 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: Erek Adams; 'David Alonso De La Vega Tapage';
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort with DHCP

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Thanks Erek for your nice explanation. So just to confirm, if I add
> the below lines
> "var HOME_NET $eth0_ADDRESS" in snort.conf, along with other
> configuration lines and
> "/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c
> /etc/snort/snort.cond -D -p "
> will that meet my requirements that
> "running snort to watch the network traffic destined only to my
> and also taking care of the changing IP address
> in DHCP scenario"
> If I am wrong somewhere, please correct me.

Exactly.  You can also modify your command line to be a bit 'better'.  If
you are logging to binary (unified, pcap, or -b) then -d is a waste of
time.  No need since the packets are dumped as a whole.  You can also drop
the -p since it doesn't matter.  Only use the -p if you need to.  Since
you are a single node on a DHCP net, then promisc mode does not matter.
You'll still see broadcasts and ARP requests...


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
