Snort mailing list archives

Re: how to use expressions on a stealth interface


From: Erek Adams <erek () snort org>
Date: Wed, 26 Mar 2003 17:40:48 -0500 (EST)

On Wed, 26 Mar 2003, Thomas Uczekaj wrote:

> I have setup an interface in stealth mode (no IP assigned to the
> interface, the switch port has been setup to do spanning so I can see
> all traffic on the subnet).  When I run snort in sniffer mode (snort -i
> intf1 -ve net 10.67.2.0/24), the expression syntax to filter the data
> does not work.  It doesn't seem to recognize any of the data as normal
> IP.  However, when I run it without any expressions (snort -i intf1
> -ve), statistics report back about pct's for TCP/UDP/.....etc).
>
> Similarly, tcpdump cannot use expressions to filter the data.  Does
> anyone have an idea of using either of these tools to make this happen?

It works for me with both Snort and tcpdump.  I have the feeling your
troubles are coming from your shell and not from the programs.

Try:

        snort <options> 'net 10.67.2.0/24'

And see what you get.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

