Re: rules difficulty

[Jeremiah Cruit-Salzberg - HQ <J () casey org>]

Or better yet just use snort in it's packet logger mode and do something
like:

snort -b -l /var/wherever

You can even add BPF style filters just like in tcpdump and do something
like:

snort -b -l /var/wherever 'net 192.117.88.0/20'

Which will grab anything to or from that network.  You can also grab a whole
BPF file with the -F if you want to make a really complicated filter -
perfect for replacing Shadow.

--j

J Cruit <j () casey org>
'Abusus non tolit usum'

> Greg Sarsons <gsarsons () home com> writes:
>
> I'm having trouble getting my rule to do what I want.  It is simple all
> I want is to log everything from this range ie see what traffic is
> coming and going from the network.
>
> the range is x.117.88.0 to x.117.95.255
>
> I guess my confusion is over getting the correct HOME_NET and
> EXTERNAL_NET variables.
>
> Try
>
> var $HOME_NET 192.117.88.0/20
> var $EXTERNAL_NET !$HOME_NET
>
>
> If your goal is to do all traffic, I'd just use something like tcpdump
> and then use snort to investigate afterwards.
> -- 
> Chris Green <cmg () uab edu>
> Fame may be fleeting but obscurity is forever.