Snort mailing list archives
Re: new install rules question - solaris
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 5 Nov 2002 14:39:14 -0800 (PST)
On Tue, 5 Nov 2002, Dan Gahlinger wrote:
> snort -h 192.168.1.0/24 -s blame_cmg net 192.168.1 doesn't work, can't find .snortrc

Upon startup snort looks for a few files.

    $HOME/.snortrc
    $HOME/snort.conf
    /etc/snort.conf
    ./snort.conf
    ./.snortrc

If you want your command line to work, create a snort.conf or .snortrc in one of those locations. I would suggest copying the snort.conf from the <snort_source_dir>/etc/ into /etc/ and editing it to reflect your local net. The file is well commented, and should be fairly self-explanatory. Be sure to change your $HOME_NET and $EXTERNAL_NET, and check any listing of IPs in the file.

Now, if you do _only_ that, it's going to fail. :) You also need rules for it to alert off of. I suggest the following:

    mkdir /etc/snort
    mkdir /etc/snort/rules
    cp <snort_dir>/etc/snort.conf /etc/snort/snort.conf
    ln -s /etc/snort/snort.conf /etc/snort.conf
    cp <snort_dir>/rules/* /etc/snort/rules/
    vi /etc/snort.conf  (make whatever changes needed)

And then you should be good to go with something like:

    snort -s blame_cmg "net 192.168.1.0/24"

The -h is not really needed since it deals with the way packets are logged to disk using text logging and not syslog.

And if you're clever, you can configure the syslog output plugin in the .conf file so that your command line would drop to:

    snort "net 192.168.1.0/24"

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
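
A pre-flight check for the setup described in this message, added here as an example (it is not part of the original post and not Snort's own code): it looks for a config file in the locations listed above, in that order, and reports rule files the config includes that are missing on disk. The function names are hypothetical, and it assumes relative include paths resolve against the config file's directory.

```shell
#!/bin/sh
# Added example, not from the original message.

# Print the first config file that exists, in the order listed in the message.
# $1 = home dir, $2 = etc dir, $3 = working dir (parameters so it can be tested).
find_snort_conf() {
    for f in "$1/.snortrc" "$1/snort.conf" "$2/snort.conf" \
             "$3/snort.conf" "$3/.snortrc"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print every file named on an "include" line that does not exist.
# Assumption: relative paths resolve against the config file's directory.
missing_includes() {
    conf=$1
    base=$(dirname "$conf")
    # Value of "var RULE_PATH <dir>", if the config defines one.
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    awk '$1 == "include" { print $2 }' "$conf" | while read -r inc; do
        case $inc in
            '$RULE_PATH'/*) inc="$rule_path/${inc#*/}" ;;  # expand the variable
        esac
        case $inc in
            /*) path=$inc ;;
            *)  path="$base/$inc" ;;
        esac
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Stand-alone use: check the real locations on this host.
if conf=$(find_snort_conf "$HOME" /etc "$PWD"); then
    echo "config found: $conf"
    missing_includes "$conf"
else
    echo "no snort.conf or .snortrc in any of the listed locations"
fi
```

Any path it prints is a rules file the config refers to but that was never copied into place.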