[Snort-users] IDS

Al Lewis (allewi) allewi at cisco.com
Mon Jul 10 11:58:56 EDT 2017


You can read pcaps with the -r

Check out the manual or use the -? flag for options.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com
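A small wrapper around the replay command discussed above, added here as an example and not part of the original thread. It assumes Snort 2.9 command-line syntax (current in 2017) and placeholder paths for the configuration, pcap and log directory; the -k none switch is included because pcaps captured on hosts with checksum offload carry bad checksums that Snort would otherwise silently drop, so rules never get a chance to fire.

```shell
#!/bin/sh
# Replay a saved pcap through Snort 2.9 and report which rules fire.
# Constructed example: the paths passed in are placeholders, not real installs.
#
#   -c conf     snort.conf that includes the rule set under test
#   -r pcap     read packets from the file instead of a live interface
#   -l logdir   directory for the binary (unified2) log, kept for later review
#   -A console  print alerts to stdout in fast format
#   -k none     keep packets with bad checksums (offloaded captures)
#   -q          suppress the banner so only alerts are shown

# Print the command that would be run (useful for dry runs and review).
snort_pcap_cmd() {
    conf="$1"; pcap="$2"; logdir="${3:-/var/log/snort}"
    printf 'snort -q -k none -c %s -r %s -l %s -A console\n' \
        "$conf" "$pcap" "$logdir"
}

# Validate inputs, then run Snort against the pcap.
# Returns 2 without invoking Snort when the pcap or config is unreadable.
run_snort_pcap() {
    conf="$1"; pcap="$2"; logdir="${3:-/var/log/snort}"
    [ -r "$pcap" ] || { echo "pcap not readable: $pcap" >&2; return 2; }
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 2; }
    mkdir -p "$logdir" || return 2
    snort -q -k none -c "$conf" -r "$pcap" -l "$logdir" -A console
}

# Usage: ./replay.sh /etc/snort/snort.conf sample.pcap [/tmp/snortlog]
if [ "$#" -ge 2 ]; then
    run_snort_pcap "$@"
fi
```

If no alerts print, check the unified2 file in the log directory and confirm the rules are enabled in the config before concluding the pcap is clean.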

From: Justin Pederson <jpedersm at gmail.com>
Date: Monday, July 10, 2017 at 11:43 AM
To: allewi <allewi at cisco.com>
Cc: "Snort-users at lists.snort.org" <Snort-users at lists.snort.org>
Subject: Re: [Snort-users] IDS

I just grabbed a file from packettotal.  Is there any way to run it against my current rules set to see if it triggers anything?

On Mon, Jul 10, 2017 at 10:37 AM, Al Lewis (allewi) <allewi at cisco.com> wrote:
“Best” would depend on what you are trying to do.

If you are “tweaking/tuning/learning/testing” etc. rules, then a pcap definitely works better than trying to use live traffic.

Even with live traffic you may want to log things in binary format that alert.

Then come back and analyze them later.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Justin Pederson via Snort-users <Snort-users at lists.snort.org>
Reply-To: Justin Pederson <jpedersm at gmail.com>
Date: Monday, July 10, 2017 at 11:15 AM
To: "Snort-users at lists.snort.org" <Snort-users at lists.snort.org>
Subject: [Snort-users] IDS

What is the best way to set snort up? Either have it just look at the live packets as they come in, or form a pcap and then look into the pcap?
