Snort mailing list archives

Re: Snort Instance


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Oct 2013 12:58:41 -0600

On 2013-10-30 12:38, Nicholas Horton wrote:
Is it possible to start a second command line instance of snort and
log sniffer results to easily show unique sources?

More specifically, I want to capture in sniffer mode and be able to view
the data easily and quickly by source IP.

For example I want to know any source that is coming in via FTP to a
few servers. So I have:

"Snort -dev -i eth1 ip host 10.10.10.2 or ip host 10.10.10.3 or ip
host 10.10.10.4 and port 21 ./log"

This works but trying to view the unique sources is a bit
overwhelming and tedious because of all the log entries.

Is there a way to only capture unique sources or just limit the
entries to one alert or pull from this pcap unique sources in this
sniffer command line mode?

I want to easily show these sources are FTP'ing to your servers.

Right now I'm manually scrolling and trying to make a list from the
pcap.

My service snort has threshold.conf etc which is still running but I
want to do a second instance for just an on-the-fly sniffer capture
process that I start and stop all while leaving my service snort
untouched.

Thanks!
Nick

Are you wanting to see the actual packet data, or just something like a 
connection log?

James
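Added here as a worked example, not from the thread: a stdlib-only Python script that reads a capture saved in classic pcap format (as the sniffer instance described in the question would produce) and tallies the unique source IPs of TCP traffic to port 21 on the three servers from the post. The server addresses match the post; the client addresses and the frames themselves are constructed sample data.

```python
import struct
from collections import Counter

def iter_pcap_packets(data):
    """Yield raw frames from a classic libpcap capture held in memory."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # LINKTYPE_ETHERNET only
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]  # captured length
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def ftp_sources(pcap_bytes, servers, port=21):
    """Return {source IP: packet count} for TCP traffic to `port` on any IP in `servers`."""
    counts = Counter()
    for pkt in iter_pcap_packets(pcap_bytes):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # IPv4 over Ethernet, TCP
            continue
        ihl = (pkt[14] & 0x0F) * 4                  # IP header length, options included
        if len(pkt) < 18 + ihl:                     # frame truncated before the TCP ports
            continue
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        dport = struct.unpack("!H", pkt[16 + ihl:18 + ihl])[0]
        if dst in servers and dport == port:
            counts[src] += 1
    return counts
# Constructed sample capture (synthetic frames, not real traffic): the three FTP servers from the post.
def _frame(src, dst, dport):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # bare SYN
    return eth + ip + tcp
def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SERVERS = {"10.10.10.2", "10.10.10.3", "10.10.10.4"}
SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "10.10.10.2", 21), _frame("192.0.2.10", "10.10.10.2", 21),
    _frame("192.0.2.10", "10.10.10.3", 21), _frame("198.51.100.7", "10.10.10.4", 21),
    _frame("203.0.113.5", "10.10.10.2", 80),   # HTTP, not FTP: ignored
    _frame("192.0.2.99", "10.10.10.9", 21),    # FTP to a host outside the list: ignored
])
```

`ftp_sources(open(path, "rb").read(), SERVERS).most_common()` gives the per-source list for a real capture saved in binary pcap format. Note that in BPF `and` binds tighter than `or`, so the filter quoted in the question matches all traffic to 10.10.10.2 and 10.10.10.3 and only port 21 for 10.10.10.4 unless the three hosts are grouped in parentheses.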
