[Snort-users] Snort in IDS mode

Russ rucombs at ...589...
Mon Aug 17 08:24:50 EDT 2015

On 8/16/15 8:26 PM, aman mangal wrote:
> Thank you so much Russ. I just didn't see an example and could not 
> make that out.
Sure; we will add that example to the usage section.
> I was also wondering if there is a way to test that the rules do work. 
> Is there a way I can test my setup by creating an abnormal network 
> behaviour and see snort reporting the abnormality?
This is a very broad question so I'll give a broad answer.  You can 
follow up with specifics if needed and I'm sure someone on the list can 
help you out.

If you want to test rules, it is easier to do with a pcap.  You can use 
the dump DAQ to run inline if needed.

If you want to test your inline network setup between endpoints through 
Snort, you could replay the same pcaps from above.

You could also start with simple test rules that alert on the presence 
of traffic.  For example, you can alert on icmp and then run a ping 
through your sensor.  Or alert on tcp and run an http query through your 
> Aman
> On Tue, Aug 11, 2015 at 8:30 AM Russ <rucombs at ...589...> wrote:
>     Hi Aman,
>     You can use the -i flag to get live traffic like this:
>         snort -i "en0 en1" -z 2 ...
>     This will open both interfaces on separate packet threads. To see
>     other options you may want:
>         snort -?
>     Hope that helps.
>     Russ
>     On 8/11/15 12:22 AM, aman mangal wrote:
>>     Hi,
>>     My name is Aman, I am a first year PhD student at Georgia Tech,
>>     USA. I want to use snort3 for my research purposes and would
>>     like to run it in IDS mode with more than one thread.
>>     I am not able to figure out how to run snort in IDS mode without
>>     -r flag and instead, capturing all the packets live. Please
>>     help me out.
>>     Thank you
>>     Aman Mangal
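
The test described in the reply above (a simple rule that alerts on ICMP, checked against a pcap), as an added example that is not part of the original thread. The addresses, timestamp, file names and the test rule with its sid are constructed for illustration, and the Snort command in the last comment is one typical Snort 3 invocation with `snort.lua` standing in for your own config.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_echo_frame(src="192.0.2.10", dst="192.0.2.20", ident=0x1234, seq=1):
    """Ethernet + IPv4 + ICMP echo request. Addresses are constructed (TEST-NET-1).
    Checksums are valid so checksum validation does not discard the packets."""
    payload = b"snort-rule-test"
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + icmp

def build_pcap(frames, ts=1439814290):
    """Classic little-endian pcap file, linktype 1 (Ethernet); ts is constructed."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out

# Hypothetical test rule: fires on any ICMP packet, so three echo requests
# in the pcap should produce three alerts if the rule path is working.
TEST_RULE = 'alert icmp any any -> any any (msg:"TEST icmp seen"; sid:1000001; rev:1;)\n'

def write_test_files(pcap_path="icmp_test.pcap", rules_path="test.rules"):
    """Write the constructed pcap and the test rule next to each other."""
    with open(pcap_path, "wb") as fh:
        fh.write(build_pcap([icmp_echo_frame(seq=s) for s in (1, 2, 3)]))
    with open(rules_path, "w") as fh:
        fh.write(TEST_RULE)
    return pcap_path, rules_path

if __name__ == "__main__":
    print(*write_test_files())
    # Then, for example:
    #   snort -c snort.lua -R test.rules -r icmp_test.pcap -A alert_fast
```

Because the pcap holds a known number of matching packets, the alert count from the replay is a pass/fail check on the rule and the configuration before moving to live traffic.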
