Snort mailing list archives
Re: IDS
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Mon, 10 Jul 2017 15:37:44 +0000
“Best” would depend on what you are trying to do. If you are “tweaking/tuning/learning/testing” etc. rules then a pcap definitely works better than trying to use live traffic. Even with live traffic you may want to log things in binary format that alert. Then come back and analyze them later.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Justin Pederson via Snort-users <Snort-users () lists snort org>
Reply-To: Justin Pederson <jpedersm () gmail com>
Date: Monday, July 10, 2017 at 11:15 AM
To: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [Snort-users] IDS

What is the best way to set snort up? Either have it just look at the live packets as they come in or to form a pcap then to look into the pcap?
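The two workflows the reply describes, as an added example that is not part of the thread: replaying a pcap through the rule set to tune rules repeatably, and sniffing live while writing the packets that alerted to binary (tcpdump-format) logs so they can be replayed the same way later. It assumes the Snort 2.9 command-line flags (`-r`, `-i`, `-l`, `-b`, `-A`, `-q`); the config path, interface, log directory, pcap path and the throwaway ICMP rule are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the list thread. Defaults only print the commands
# (DRY_RUN=1); set DRY_RUN=0 on a host with snort 2.9 installed to execute them.
set -u

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed config path
IFACE="${IFACE:-eth0}"                               # assumed sniffing interface
LOGDIR="${LOGDIR:-/var/log/snort}"                    # assumed log directory
DRY_RUN="${DRY_RUN:-1}"

# A throwaway rule to test against a pcap; sid 1000001 is in the local range.
write_test_rule() {
    rulefile="$1"
    cat > "$rulefile" <<'EOF'
alert icmp any any -> any any (msg:"LOCAL test ICMP echo"; itype:8; sid:1000001; rev:1;)
EOF
}

# Workflow 1: read a pcap (-r) through the rule set, alerts to the console.
# The same pcap and rules give the same alerts every run, which is what makes
# tuning a rule easier than watching live traffic.
pcap_test_cmd() {
    printf 'snort -c %s -r %s -A console -q\n' "$SNORT_CONF" "$1"
}

# Workflow 2: sniff live (-i), fast alerts, and keep the packets that alerted in
# binary tcpdump format under LOGDIR (-b). The resulting snort.log.* file can be
# fed back into workflow 1 with -r for later analysis.
live_capture_cmd() {
    printf 'snort -c %s -i %s -l %s -b -A fast\n' "$SNORT_CONF" "$IFACE" "$LOGDIR"
}

run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$1"
    else
        sh -c "$1"
    fi
}

main() {
    rules="${TMPDIR:-/tmp}/local-test.rules"
    write_test_rule "$rules"
    run_or_print "$(pcap_test_cmd /path/to/capture.pcap)"   # placeholder pcap
    run_or_print "$(live_capture_cmd)"
}

main
```

Point the live workflow's `-l` directory at storage you can keep for a while: the binary logs are full packets, not just alert lines, which is what lets you replay a suspicious event against a revised rule instead of waiting for it to recur.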