Snort mailing list archives
RE: Snort with DHCP
From: "Sadanapalli, Pradeep Kumar (MED, TCS)" <Pradeep.Sadanapalli () med ge com>
Date: Fri, 2 May 2003 17:33:03 -0500
Oh, I don't want to see the logs in tcpdump format. With the configuration I am running now, snort is generating two files in /var/log/snort: 1) alert, which lists the traffic info in an understandable way; 2) snort.log, which has to be decoded to read. I want all the stuff to go into the alert file and not in tcpdump format. What should I do for that? Will it be enough if I remove the -b option and keep only -d?

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, May 02, 2003 5:22 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: Erek Adams; 'David Alonso De La Vega Tapage'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort with DHCP

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:
> Thanks Erek for your nice explanation. So just to confirm, if I add the below lines "var HOME_NET $eth0_ADDRESS" in snort.conf, along with other configuration lines, and "/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c /etc/snort/snort.cond -D -p ", it will meet my requirements that "running snort to watch the network traffic destined only to my machine and also taking care of the changing IP address in DHCP scenario". If I am wrong somewhere, please correct me.
Exactly. You can also modify your command line to be a bit 'better'. If you are logging to binary (unified, pcap, or -b) then -d is a waste of time. No need since the packets are dumped as a whole. You can also drop the -p since it doesn't matter. Only use the -p if you need to. Since you are a single node on a DHCP net, then promisc mode does not matter. You'll still see broadcasts and ARP requests...

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson