Snort mailing list archives

Re: New member, 3 quick questions


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 6 Jul 2009 08:37:14 -0400

On Sun, Jul 5, 2009 at 9:10 PM, Paul Melson <pmelson () gmail com> wrote:

On Sun, Jul 5, 2009 at 7:30 PM, r s <wera711 () gmail com> wrote:
1.  what is the most common way to run snort? I have been running it as such:
./snort -de -h 192.168.3.0/24 -c /usr/ports/security/snort/work/snort-2.8.2.2/etc/snort.conf

I normally keep a separate session open with a tail -f /var/log/snort/alert

Is there a better way to do this? I have heard you can run snort as a daemon so that it runs in the background. If I do it this way, will it still continue to run if I close the session? Do I simply append a "-D" at the end of my command line to run it in the background?

Yes, appending -D will run Snort in daemon mode and log stdout to syslog.  I prefer to run it from an init.d script so that it automatically starts at boot time and can be properly shut down by the operating system.  The one I use is based on Dave Dittrich's from his batch of Snort scripts: http://staff.washington.edu/dittrich/misc/snort-stuff.tar  Running on BSD, your mileage may vary.  If I recall correctly, OpenBSD, for example, locks you into launching stuff from rc.local.

However, if you are running in "-c" or ids mode, there is no need to use
"-d" or "-e".

You also need to put your HOME_NET in your snort.conf, and not try and
specify it via the command line using "-h".

J



-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
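The following init.d-style helper functions are an added example (not from the thread or from the Snort project) that put the advice above into a script: HOME_NET is required to be in snort.conf rather than passed with -h, and Snort is started in IDS mode with -c and -D only, without -d or -e. The binary, config and pidfile paths, and the -i interface argument, are assumptions.

```shell
#!/bin/sh
# Added example: wrapper functions for running Snort as a daemon in IDS mode.
# Paths are assumptions; adjust SNORT_BIN / SNORT_CONF / PIDFILE for your host.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"
PIDFILE="${PIDFILE:-/var/run/snort.pid}"

# Succeeds (returns 0) if the config defines HOME_NET with a value,
# e.g. "var HOME_NET 192.168.3.0/24" or "ipvar HOME_NET ...".
# Commented-out or empty definitions do not count.
conf_has_home_net() {
    grep -Eq '^[[:space:]]*(var|ipvar)[[:space:]]+HOME_NET[[:space:]]+[^[:space:]]' "$1"
}

# Print the command line to run: -c selects IDS mode, -D daemonises (stdout
# goes to syslog). -d/-e and -h are deliberately left out, as the thread says.
# Fails if HOME_NET is not set in the config so the daemon is never started
# with an undefined home network.
snort_cmdline() {
    conf="$1"; iface="$2"
    conf_has_home_net "$conf" || {
        echo "HOME_NET is not defined in $conf; set it there, not with -h" >&2
        return 1
    }
    printf '%s -c %s -i %s -D\n' "$SNORT_BIN" "$conf" "$iface"
}

# init.d-style start/stop; Snort -D detaches, so the OS can reap it at shutdown.
start() {
    cmd=$(snort_cmdline "$SNORT_CONF" "${1:-eth0}") || return 1
    $cmd && echo "snort started"
}

stop() {
    [ -r "$PIDFILE" ] || { echo "no pidfile at $PIDFILE" >&2; return 1; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE" && echo "snort stopped"
}
```

Usage from an rc script would be `. ./snort-functions.sh; start eth0` and `stop`; the functions are defined without side effects so the file can be sourced.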
Snort-users mailing list
Snort-users () lists sourceforge net