Snort mailing list archives
Re: New member, 3 quick questions
From: Paul Melson <pmelson () gmail com>
Date: Sun, 5 Jul 2009 21:10:27 -0400
On Sun, Jul 5, 2009 at 7:30 PM, r s <wera711 () gmail com> wrote:
1. what is the most common way to run snort? I have been running it as such:
./snort -de -h 192.168.3.0/24 -c /usr/ports/security/snort/work/snort-2.8.2.2/etc/snort.conf
I normally keep a separate session open with a tail -f /var/log/snort/alert
Is there a better way to do this? I have heard you can run snort as a daemon so that it runs in the background. If I do it this way, will it still continue to run if I close the session? Do I simply append a "-D" at the end of my command line to run it in the background?
Yes, appending -D will run Snort in daemon mode and log stdout to syslog. I prefer to run it from an init.d script so that it automatically starts at boot time and can be properly shut down by the operating system. The one I use is based on Dave Dittrich's from his batch of Snort scripts:
http://staff.washington.edu/dittrich/misc/snort-stuff.tar
Running on BSD, your mileage may vary. If I recall correctly, OpenBSD, for example, locks you into launching stuff from rc.local.
2. What do dynamic modules do? Just a quick definition is what I'm looking for.
The preprocessors do the same thing as the other preprocessors, but they're not built into the Snort binary, so you get a smaller memory footprint if you don't need them. They also give you a method to write your own preprocessor without having to fork the Snort code base to do it.
3. Preprocessors: Are they used to expand upon snort and do in-depth inspection that the regular rules cannot do? They are used alongside the regular rules?
Read: http://www.informit.com/articles/article.aspx?p=101148&seqNum=2
The examples are from an older version of Snort with older preprocessors, but the design is still the same.
PaulM