Snort mailing list archives
Re: Fwd: Can we change the documentation for the -c flag please?
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 07 May 2015 19:25:09 -0600
On Fri, 2015-05-08 at 12:11 +1200, adrianc () catalyst net nz wrote:
I'd like to report an issue I had with your definition. I was trying to get Snort to interoperate with some new tools I could get to read Unified2 format but lost a day or two figuring out how to test the setup on the command-line. Eventually I found that it wasn't reading my configuration file and that I needed to tell it to with the -c option. I distinctly remember getting thrown by the concept of a "Rules File" which the snort command's -h documentation used to describe the option, not knowing that was the same as the configuration file at /etc/snort/snort.conf on Ubuntu.

Can we please change the documentation for the -c flag to "Use config file <rules>" or "Use Rules (config) File <rules>"? I think that would have been enough to avoid me losing those days of work.

Thanks.
I'd have to second that now that I look at it:

[19:15:11 gateway:~$] snort --help

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.2 GRE (Build 177)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)

Someone just starting out is most likely going to look at this and think "oh, that's my snort.rules or local.rules file". From the doc/INSTALL file:

6.) Check your rules file.
    By default, step 3 configures Snort for the features required by the included etc/snort.conf. You can validate it with:
        src/snort -c etc/snort.conf -T

Even the official docs online at http://manual.snort.org/node6.html state:

"To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this:
    ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
where snort.conf is the name of your snort configuration file."

That should probably be looked at....what say you Cisco/Sourcefire?

James
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!