[Snort-users] running snort as packet logger and nids simultaneously
bamm.visscher at ...11827...
Tue Jun 7 05:56:48 EDT 2005
Actually, you probably want to use log rules not alert rules. I doubt
you'll want to see an alert for every packet snort sees. And since you
use binary logging (-b), the perf impact should be minimal.
log ip any any -> any any
On 6/7/05, Metal Gear <finattack at ...11827...> wrote:
> On 6/7/05, Joel Esler <eslerj at ...11827...> wrote:
> > Either way you're going to end up with the same result.
> > Write three rules
> > alert tcp any any -> any any (msg:"TCP Capture";)
> > alert udp any any -> any any (msg:"Udp capture";)
> > alert icmp any any -> any any (msg:"ICMP capture";)
> > then restart snort.
> > On 6/7/05, Metal Gear <finattack at ...11827...> wrote:
> > > the reason I opted for that is due to the very small size of the network,
> > > only 5 computers on that.
> > >
> > --
> > Joel Esler
> > BASE Project Lead
> > http://sourceforge.net/projects/secureideas
sguil - The Analyst Console for NSM
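A toy matcher for the rule headers discussed in this thread, as an added example that is not from any post above and not Snort code: it parses the header part of a rule (action, protocol, addresses, ports, direction; options in parentheses are kept but not evaluated) and shows that a single `log ip any any -> any any` header covers the same TCP, UDP and ICMP traffic as the three per-protocol `alert` headers, while a header whose last field is not a port (for instance a stray `;` glued to it) is rejected at parse time. The packets are constructed inline; Snort variables and CIDR blocks are not modelled.

```python
"""Toy Snort rule-header matcher (added example, not Snort's own parser).

Models just enough of the rule grammar to compare the two catch-all
approaches in the thread: one `log ip` rule versus three per-protocol
`alert` rules.  Only the header is matched; options are stored as text.
"""
import re

# action proto src sport direction dst dport [ (options) ]
_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"(?:\s*\((?P<opts>.*)\))?\s*$"
)


def parse_rule(text):
    """Parse one rule line into a dict; raise ValueError on a bad header."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    for key in ("sport", "dport"):
        p = rule[key]
        if p != "any" and not p.isdigit():
            # a stray ';' after the last port lands here as 'any;'
            raise ValueError(f"invalid port {p!r} in rule: {text!r}")
    rule["opts"] = rule["opts"] or ""
    return rule


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _host_ok(spec, addr):
    # toy: exact address or 'any'; no $HOME_NET variables, no CIDR
    return spec == "any" or spec == addr


def matches(rule, pkt):
    """True if pkt (dict: proto, src, sport, dst, dport) hits the rule header."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    forward = (_host_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
               and _host_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return forward
    backward = (_host_ok(rule["src"], pkt["dst"]) and _port_ok(rule["sport"], pkt["dport"])
                and _host_ok(rule["dst"], pkt["src"]) and _port_ok(rule["dport"], pkt["sport"]))
    return forward or backward


def actions_for(rules, pkt):
    """Sorted set of rule actions that fire for one packet."""
    return sorted({r["action"] for r in rules if matches(r, pkt)})


def coverage(rules, packets):
    """Fraction of packets matched by at least one rule in the set."""
    hit = sum(1 for p in packets if actions_for(rules, p))
    return hit / len(packets)


# The two rule sets from the thread.
LOG_RULE = parse_rule("log ip any any -> any any")
ALERT_RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any any (msg:"TCP Capture";)',
    'alert udp any any -> any any (msg:"Udp capture";)',
    'alert icmp any any -> any any (msg:"ICMP capture";)',
)]

# Constructed packets, not captured traffic (ICMP carries no ports: 0).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "10.0.0.1", "dport": 80},
    {"proto": "udp", "src": "10.0.0.5", "sport": 5353, "dst": "224.0.0.251", "dport": 5353},
    {"proto": "icmp", "src": "10.0.0.1", "sport": 0, "dst": "10.0.0.5", "dport": 0},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["proto"], "log-rule:", actions_for([LOG_RULE], pkt),
              "alert-rules:", actions_for(ALERT_RULES, pkt))
    try:
        parse_rule("log ip any any -> any any;")
    except ValueError as e:
        print("rejected:", e)
```

Both sets reach every sample packet; the difference is only the action taken (`log` writes the packet to the binary log, `alert` also raises an event per packet), which is the point Bamm makes above about the `-b` logger.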