[Snort-users] running snort as packet logger and nids simultaneously

Bamm Visscher bamm.visscher at ...11827...
Tue Jun 7 05:56:48 EDT 2005


Actually, you probably want to use log rules not alert rules.  I doubt
you'll want to see an alert for every packet snort sees. And since you
use binary logging (-b), the perf impact should be minimal.

Just do

log ip any any -> any any


Bammkkkk


On 6/7/05, Metal Gear <finattack at ...11827...> wrote:
> Thanks,
>  
>  
> 
> On 6/7/05, Joel Esler <eslerj at ...11827...> wrote:
> > Either way you're going to end up with the same result.
> > 
> > Write three rules
> > 
> > alert tcp any any -> any any (msg:"TCP Capture";)
> > alert udp any any -> any any (msg:"Udp capture";)
> > alert icmp any any -> any any (msg:"ICMP capture";) 
> > 
> > then restart snort.
> > 
> > On 6/7/05, Metal Gear <finattack at ...11827...> wrote:
> > > the reason I opted for that is due to the very small size of the network, i.e.
> > > only 5 computers on that.
> > >
> > 
> > 
> > --
> > Joel Esler
> > BASE Project Lead
> > http://sourceforge.net/projects/secureideas
> > 
> 
>  


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
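As an added example that is not part of the thread, the shell script below writes Bamm's "log ip" rule (with Joel's three per-protocol alert rules kept alongside it, commented out, for comparison) into a rules file, and wraps the invocation that runs the sensor with the normal alert rules plus binary (-b) packet logging. The file names, the sid numbers, the log directory and the interface name are assumptions; the snort flags (-T, -c, -l, -b, -i, -D, -r, -d, -v) are standard Snort 2 options.

```shell
#!/bin/sh
# Added example (not from the original thread): capture every packet with a
# Snort "log" rule while the sensor keeps running its alert rules, and log the
# packets in binary (-b) form. Paths, sids and file names are assumptions.

# write_capture_rules FILE
# Writes a single "log ip" rule. A rule needs no option body at all (and no
# trailing semicolon); sid/rev are added so Snort can track it like any other rule.
write_capture_rules() {
    rules_file="$1"
    cat > "$rules_file" <<'EOF'
# Log every packet without raising an alert for each one.
log ip any any -> any any (msg:"Full packet capture"; sid:1000001; rev:1;)

# Per-protocol alert rules: same coverage, but every packet also becomes an alert.
# alert tcp any any -> any any (msg:"TCP Capture"; sid:1000002; rev:1;)
# alert udp any any -> any any (msg:"UDP Capture"; sid:1000003; rev:1;)
# alert icmp any any -> any any (msg:"ICMP Capture"; sid:1000004; rev:1;)
EOF
}

# count_active_rules FILE
# Prints the number of rule lines that are not commented out.
count_active_rules() {
    grep -c '^[a-z]' "$1"
}

# run_sensor CONF RULES LOGDIR IFACE
# Includes the capture rules in the main config if they are not already there,
# validates the configuration with -T, then starts snort as a daemon with
# binary packet logging. Alert rules and the log rule are loaded together.
run_sensor() {
    conf="$1"; rules="$2"; logdir="$3"; iface="$4"
    grep -q "include $rules" "$conf" || printf 'include %s\n' "$rules" >> "$conf"
    snort -T -c "$conf" -l "$logdir" || return 1
    # -b: write logged packets in tcpdump/pcap format instead of per-packet ASCII dirs
    snort -c "$conf" -i "$iface" -b -l "$logdir" -D
}

# replay_log FILE
# Reads the binary log back with snort itself (tcpdump or Wireshark also work).
replay_log() {
    snort -r "$1" -dv
}
```

Usage: `write_capture_rules /etc/snort/rules/local.rules` followed by `run_sensor /etc/snort/snort.conf /etc/snort/rules/local.rules /var/log/snort eth0`; the binary log lands in the log directory as `snort.log.<timestamp>` and can be inspected with `replay_log`. Run `snort -T` first whenever the rules file changes: a syntax slip such as a stray semicolon after the rule stops the whole sensor from starting, not just the capture rule.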