Re: running snort as packet logger and nids simultaneously

[Bamm Visscher <bamm.visscher () gmail com>]

Actually, you probably want to use log rules not alert rules.  I doubt
you'll want to see an alert for every packet snort sees. And since you
use binary logging (-b), the perf impact should be minimal.

Just do

log ip any any -> any any;


Bammkkkk


On 6/7/05, Metal Gear <finattack () gmail com> wrote:
> Thanks,
>  
>  
>
> On 6/7/05, Joel Esler <eslerj () gmail com> wrote:
> > Either way you're going to end up with the same result.
> >
> > Write three rules
> >
> > alert tcp any any -> any any (msg:"TCP Capture";)
> > alert udp any any -> any any (msg:"Udp capture";)
> > alert icmp any any -> any any (msg:"ICMP capture";) 
> >
> > then restart snort.
> >
> > On 6/7/05, Metal Gear <finattack () gmail com> wrote:
> > > the reasone i opted for that is due to very small size of the network
> i.e
> > > only 5 computers on that. 
> >
> >
> > --
> > Joel Esler
> > BASE Project Lead
> > http://sourceforge.net/projects/secureideas
>
>  


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net


-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
a projector? How fast can you ride your desk chair down the office luge track?
If you want to score the big prize, get to know the little guy.
Play to win an NEC 61" plasma display: http://www.necitguy.com/?r 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users