[Snort-users] Fwd: Can we change the documentation for the -c flag please?

James Lay jlay at ...13475...
Thu May 7 21:25:09 EDT 2015

On Fri, 2015-05-08 at 12:11 +1200, adrianc at ...17159... wrote:

> I'd like to report an issue I had with your definition.
> I was trying to get Snort to interoperate with some new tools I could 
> get to read Unified2 format but lost a day or two figuring out how to 
> test the setup on the command-line. Eventually I found that it wasn't 
> reading my configuration file and that I needed to tell it to with the 
> -c option.
> I distinctly reminder getting thrown by the concept of a "Rules File" 
> which the snort command's -h documentation used to describe the option, 
> not knowing that was the same as the configuration file at 
> /etc/snort/snort.conf on Ubuntu.
> Can we please change the documentation for the -c flag to "Use config 
> file <rules>" or "Use Rules (config) File <rules>"? I think that would 
> have been enough to avoid me loosing those days of work.
> Thanks.
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud 
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

I'd have to second that now that I look at it:

[19:15:11 gateway:~$] snort --help

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 177) 
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 2014 Cisco and/or its affiliates. All rights
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

USAGE: snort [-options] <filter options>
        -A         Set alert mode: fast, full, console, test or none
(alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps
using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)

Someone just starting out is most likely going to look at this and think
"oh, that's my snort.rules or local.rules file".  From the doc/INSTALL

6.) Check your rules file.  By default, step 3 configures Snort for the
    required by the included etc/snort.conf.  You can validate it with:

    src/snort -c etc/snort.conf -T

Even the official docs online at:


state:  "To enable Network Intrusion Detection System (NIDS) mode so
that you don't record every single packet sent down the wire, try this:

    ./snort -dev -l ./log -h -c snort.conf

where snort.conf is the name of your snort configuration file."

That should probably be looked at....what say you Cisco/Sourcefire?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150507/fd72c35c/attachment.html>

More information about the Snort-users mailing list