Snort mailing list archives
Re: Snort Instance
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Oct 2013 12:58:41 -0600
On 2013-10-30 12:38, Nicholas Horton wrote:
Is it possible to start a second command line instance of snort and log sniffer results to easily show unique sources? More specifically, I want to capture in sniffer mode and be able to view the data easily and quickly by source IP. For example, I want to know any source that is coming in via FTP to a few servers. So I have: "Snort -dev -i eth1 ip host 10.10.10.2 or ip host 10.10.10.3 or ip host 10.10.10.4 and port 21 ./log" This works, but trying to view the unique sources is a bit overwhelming and tedious because of all the log entries. Is there a way to only capture unique sources, or just limit the entries to one alert, or pull from this pcap unique sources in this sniffer command line mode? I want to easily show these sources are FTP'ing to your servers. Right now I'm manually scrolling and trying to make a list from the pcap. My service snort has threshold.conf etc. which is still running, but I want to do a second instance for just an on-the-fly sniffer capture process that I start and stop, all while leaving my service snort untouched. Thanks! Nick
Are you wanting to see the actual packet data, or just something like a connection log?
James