Snort mailing list archives
Re: Showing dump of only matched paquets.
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 22 Mar 2011 20:42:35 -0400
Dump mode is just that, all packets are dumped to console. In IDS mode, packets that match rules cause events and/or logging. -A cmg outputs events to console. Both display packets in hex. This is a simplified explanation. Check the manual for more.

On Tue, Mar 22, 2011 at 8:12 PM, ab1197590 () gmail com <ab1197590 () gmail com> wrote:

> I meant to specify an expression to snort at the end of your snort command. The IDS mode suggestion sounds like a better way, thanks Russ :) What does the cmg represent for alert-mode though? Doesn't -dve dump everything, and by extension the hex?
>
> On Tue, Mar 22, 2011 at 7:21 PM, Gustavo Guillermo Perez <gustavo () compunauta com> wrote:
>
>> On Tuesday 22 March 2011, ab1197590 () gmail com wrote:
>>
>>> Does it work as you would have hoped if you specify an expression?
>>
>> No :S the expression is:
>>
>> log tcp any any -> any any (pcre:"/^(GET|POST)/"; msg:"::::";sid:2000123;rev:1;)
>>
>> and snort dumps in the log only the matched packets, but on screen all packets.
>>
>> snort -dve -c myrule.txt -i br0
>>
>> Yes, all matched packets are in /var/log/snort.log.xxxxxx, but on screen all packets are dumped. Is there any way to dump on screen only matched packets? Best regards in advance.
>>
>>> From the man page:
>>>
>>> expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.
>>>
>>> On Sat, Mar 19, 2011 at 7:27 PM, Gustavo Guillermo Perez <gustavo () compunauta com> wrote:
>>>
>>>> Hello dear list, I'm trying to set up snort to make a little sniffer, and I need something like -dv but only with the rules matched, not with all the packets. The rules work fine and log into the log file excellently, and I can read the log with -dv -r /var/log/snort/snort.logxxxx with only matched packets, but not in realtime. Is there any way to do this in realtime? I mean to show the HEX output with all info but only with matched packets? Best regards in advance.
>>>>
>>>> --
>>>> Gustavo Guillermo Perez
>>>> http://www.compunauta.com
>>>> http://www.compunauta.net
>>>> http://anuncios.compunauta.net
>>
>> --
>> Gustavo Guillermo Perez
>> http://www.compunauta.com
>> http://www.compunauta.net
>> http://anuncios.compunauta.net
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
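Russ's answer is to let IDS mode do the selection and send the resulting events, packet hex included, to the console with -A cmg; combining the flags already mentioned in the thread, that is `snort -A cmg -c myrule.txt -i br0` in place of Gustavo's `snort -dve -c myrule.txt -i br0`. The script below is an added example, not code from the thread or from Snort: it emulates that "print only what the rule matched" behaviour offline over a handful of frames constructed in-line, applying the thread's pcre:"/^(GET|POST)/" to the TCP payload and emitting a hex+ASCII dump only for the frames that match (a UDP datagram and a payload where GET is not at offset 0 are included to show what is skipped). The addresses, ports, payloads and helper names (build_frame, decode_tcp, hexdump, matched_dumps) are assumptions made for the example.

```python
"""Added example: dump only the frames a Snort-style rule matches.

Stand-in for what Snort's IDS mode with -A cmg shows on the console; this
is not Snort code. Every frame below is constructed in-line for the example.
"""
import re
import struct

# The pcre from the thread's rule: log tcp ... (pcre:"/^(GET|POST)/"; ...).
# With no buffer or relative modifiers Snort applies the pcre to the packet
# payload, so "^" means "at the start of the TCP payload".
RULE_PCRE = re.compile(rb"^(GET|POST)")


def build_frame(proto, sport, dport, payload, src="10.0.0.5", dst="10.0.0.9"):
    """Assemble Ethernet II / IPv4 / (TCP|UDP) bytes. Checksums are left at
    zero: this is constructed sample data, not a real capture."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:   # TCP: data offset 5 (20-byte header), flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4 + payload


def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                        # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                     # not TCP: the rule header says "tcp"
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:14 + total]
    if len(l4) < 20:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    doff = (l4[12] >> 4) * 4               # TCP data offset in bytes
    return src, sport, dst, dport, l4[doff:]


def hexdump(data, width=16):
    """Hex + ASCII lines in the style of Snort's -d payload dump."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexpart}  {text}")
    return "\n".join(lines)


def matched_dumps(frames, pattern=RULE_PCRE):
    """Apply the rule to each frame; return (header, dump) only for matches.
    Frames that do not match produce nothing, which is what the thread asks for."""
    out = []
    for frame in frames:
        parsed = decode_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if not pattern.match(payload):
            continue
        header = f"TCP {src}:{sport} -> {dst}:{dport} payload_len={len(payload)}"
        out.append((header, hexdump(payload)))
    return out


# Constructed traffic: two HTTP requests that should match, an SMTP greeting,
# a UDP datagram (the rule is tcp-only) and a TCP payload where GET is not at offset 0.
SAMPLE_FRAMES = [
    build_frame(6, 40000, 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame(6, 40001, 25, b"EHLO mail.example\r\n"),
    build_frame(6, 40002, 8080, b"POST /login HTTP/1.1\r\n\r\nuser=a"),
    build_frame(17, 53000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    build_frame(6, 40003, 80, b"  GET /not-at-start HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for header, dump in matched_dumps(SAMPLE_FRAMES):
        print(header)
        print(dump)
        print()
```

Run as a script it prints two dumps (the GET and the POST) and nothing for the other three frames. The same idea is why Gustavo's -dve run floods the console: in dump mode every frame reaches the printer before any rule is consulted, whereas here, as in IDS mode, the rule decides first and only matches are rendered.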
Current thread:
- Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 19)
- Re: Showing dump of only matched paquets. ab1197590 () gmail com (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 22)
- Re: Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. ab1197590 () gmail com (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. ab1197590 () gmail com (Mar 22)