Snort mailing list archives
Re: how to use expressions on a stealth interface
From: Erek Adams <erek () snort org>
Date: Wed, 26 Mar 2003 17:40:48 -0500 (EST)
On Wed, 26 Mar 2003, Thomas Uczekaj wrote:
> I have set up an interface in stealth mode (no IP assigned to the interface, the switch port has been set up to do spanning so I can see all traffic on the subnet). When I run snort in sniffer mode (snort -i intf1 -ve net 10.67.2.0/24), the expression syntax to filter the data does not work. It doesn't seem to recognize any of the data as normal IP. However, when I run it without any expressions (snort -i intf1 -ve), statistics report back about pct's for TCP/UDP/.....etc). Similarly, tcpdump cannot use expressions to filter the data. Does anyone have an idea of using either of these tools to make this happen?
It works for me with both Snort and tcpdump. I have the feeling your troubles are coming from your shell and not from the programs. Try:

    snort <options> 'net 10.67.2.0/24'

And see what you get. :)

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson