Snort mailing list archives

RE: Need a help


From: "Charles Heselton" <charles.heselton () gmail com>
Date: Sun, 10 Jul 2005 00:40:18 -0700

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ks,
Mithun (GE Commercial Finance, non-GE)
Sent: Thursday, July 07, 2005 7:26 AM
To: Snort-users () lists sourceforge net
Cc: Salil D.
Subject: RE: [Snort-users] Need a help



        Hi,
        Is this the part of snort.conf that indicates snort is configured in
detection mode?
         
        # Command Line Options
        ## --------------------
        #
        config disable_decode_alerts
        config disable_decode_alerts
        config disable_tcpopt_experimental_alerts
        config disable_tcpopt_obsolete_alerts
        config disable_tcpopt_alerts
        config disable_ipopt_alerts
        config detection: search-method lowmem
        #
         
        Regards...
        Mithun.k.s
        
        

                -----Original Message-----
                From: Salil D. [mailto:salildumbre () rediffmail com]
                Sent: Thursday, July 07, 2005 5:15 PM
                To: Ks, Mithun (GE Commercial Finance, non-GE)
                Subject: Re: [Snort-users] Need a help
                
                

                
                I installed snort a long time back;
                you need to check the snort.conf file for configuration
details.
                
                
                On Thu, 07 Jul 2005 Ks,Mithun(GE Commercial Finance,non-GE)
wrote :
                >Hello,
                >
                >I configured snort on the Linux platform. Can anyone tell me
                >where I should go if I want snort to be configured in logging
                >mode or in detecting mode? In which file do I have to change
                >this?
                >
                >Please help me with this.
                >
                >Regards....
                >Mithun.k.s
                >
                >
                  

I think what you are asking about is different facets of the same
stone. Snort is in "detecting" mode if it is being used as a "glorified"
packet sniffer.  I say "glorified" because it can be configured to
use the signatures and pre-processors, even without logging to a
logging mechanism (like syslog or mysql).  If snort is configured to
output to a logging mechanism (like syslog or mysql), then it's
considered to be in "logging" mode.  Snort can also be used as a
basic packet sniffer, which doesn't apply any intelligence to the
packet captures (similar to tcpdump).  But I get the impression
that's not what you're looking for.  In its default configuration, I
believe (someone correct me if I'm wrong) that snort is configured to
write alerts to its own log file, which should be contained in
"/var/log/snort".


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQtDQ4nv40fZIKe3PEQJ/iQCgkfpEzPS1/cMjxldor6sww7sZZZ4AoIOR
Y06aWo9NEvzclqeEcLTjrN+h
=vEyv
-----END PGP SIGNATURE-----
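The reply above draws the line between "detecting" and "logging" mode by whether snort.conf declares an output plugin. The following script is an added example, not code from the thread or from the Snort project: it reads a Snort 2 style snort.conf (honouring '#' comments and backslash line continuation), collects the `config` and `output` directives, and reports which output plugins are active. The sample configuration embedded in it is constructed for the example; the file path argument and the function names are the example's own.

```python
"""Classify a snort.conf as 'detecting' or 'logging' by its output directives.

Added example (not from the mailing-list thread): with no 'output' plugin
snort only raises alerts into its own log directory; with a plugin such as
alert_syslog or database it forwards them elsewhere, which the thread
calls "logging" mode.
"""
import re
import sys

# Constructed sample snort.conf excerpt (not the poster's file).
SAMPLE_CONF = """\
# Command Line Options
## --------------------
#
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config detection: search-method lowmem
#
# output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort \\
    dbname=snort host=localhost
output alert_fast: alert.fast   # trailing comment
"""


def logical_lines(text):
    """Yield logical lines: join backslash continuations, drop comments/blanks."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])  # continuation: keep collecting
            continue
        buf.append(line)
        joined = re.sub(r"\s+", " ", " ".join(buf)).strip()
        buf = []
        joined = joined.split("#", 1)[0].strip()  # strip '#' comments
        if joined:
            yield joined
    if buf:  # file ended on a continuation line
        yield re.sub(r"\s+", " ", " ".join(buf)).strip()


def parse_directives(text):
    """Return {'config': {name: args}, 'output': [(plugin, args), ...]}."""
    config, outputs = {}, []
    for line in logical_lines(text):
        m = re.match(r"(config|output)\s+([\w-]+)\s*:?\s*(.*)", line)
        if not m:
            continue  # rules, vars, preprocessors etc. are ignored here
        kind, name, args = m.groups()
        if kind == "config":
            config[name] = args.strip()
        else:
            outputs.append((name, args.strip()))
    return {"config": config, "output": outputs}


def classify(text):
    """Return ('logging', [plugins]) if any output plugin is set, else ('detecting', [])."""
    names = [name for name, _ in parse_directives(text)["output"]]
    return ("logging" if names else "detecting"), names


if __name__ == "__main__":
    # Usage: python snort_mode.py [/etc/snort/snort.conf]; defaults to the sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    mode, plugins = classify(conf)
    print(f"mode: {mode}; output plugins: {plugins or 'none'}")
    for name, args in parse_directives(conf)["config"].items():
        print(f"config {name}: {args or '(flag)'}")
```

The commented-out `alert_syslog` line is deliberately skipped, and the `database` directive spans two physical lines, so the script has to join the continuation before it can see the full argument string.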
