Snort mailing list archives

Re: IDS


From: Justin Pederson via Snort-users <snort-users () lists snort org>
Date: Mon, 10 Jul 2017 10:43:04 -0500

I just grabbed a file from packettotal.  Is there any way to run it against
my current rules set to see if it triggers anything?

On Mon, Jul 10, 2017 at 10:37 AM, Al Lewis (allewi) <allewi () cisco com>
wrote:

“Best” would depend on what you are trying to do.

If you are “tweaking/tuning/learning/testing” etc. rules, then a pcap
definitely works better than trying to use live traffic.

Even with live traffic you may want to log things in binary format that
alert.

Then come back and analyze them later.

*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of
Justin Pederson via Snort-users <Snort-users () lists snort org>
Reply-To: Justin Pederson <jpedersm () gmail com>
Date: Monday, July 10, 2017 at 11:15 AM
To: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [Snort-users] IDS

What is the best way to set snort up?  Either have it just look at the
live packets as they come in, or form a pcap and then look into the pcap?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
