Snort mailing list archives

Re: Showing dump of only matched packets.


From: Gustavo Guillermo Perez <gustavo () compunauta com>
Date: Tue, 22 Mar 2011 17:21:34 -0600

On Tuesday, 22 March 2011, ab1197590 () gmail com wrote:
Does it work as you would have hoped if you specify an expression?
No :S The expression is:
log tcp any any -> any any (pcre:"/^(GET|POST)/"; msg:"::::"; sid:2000123; rev:1;)
and Snort dumps only the matched packets into the log, but on screen all
packets.
snort -dve -c myrule.txt -i br0

Yes, all matched packets are in /var/log/snort.log.xxxxxx, but on screen all
packets are dumped. Is there any way to dump only the matched packets on screen?

Best regards in advance.

From the man page:
  expression
      selects which packets will be dumped. If no expression is given, all
      packets on the net will be dumped. Otherwise, only packets for which
      expression is `true' will be dumped.


On Sat, Mar 19, 2011 at 7:27 PM, Gustavo Guillermo Perez <gustavo () compunauta com> wrote:
Hello dear list, I'm trying to set up Snort to make a little sniffer, and
I need something like -dv but only with the packets that matched the rules, not
with all the packets.

The rules work fine and log into the log file nicely, and I can
read the log with -dv -r /var/log/snort/snort.logxxxx with only matched
packets, but not in real time. Is there any way to do this in real time,
meaning to show the HEX output with all the info but only for matched
packets?

Best regards in advance.
--
Gustavo Guillermo Perez
http://www.compunauta.com
http://www.compunauta.net
http://anuncios.compunauta.net




-- 
Gustavo Guillermo Perez
http://www.compunauta.com
http://www.compunauta.net
http://anuncios.compunauta.net
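As an added illustration (this is not Snort's code and not something anyone on the thread posted), the following Python script applies the rule's PCRE `^(GET|POST)` from the thread to a few constructed TCP payloads and renders a hex/ASCII dump, in the style of `-d` output, only for the segments that match. It reproduces the "only matched packets" behaviour the poster sees in the log file so the filter and the dump format can be studied side by side; it does not change what Snort itself prints with `-v`. The `Segment` class and the sample traffic are constructed for the example. One constructed segment also shows a caveat worth knowing when reading such a log: because the pattern is anchored with `^`, a request line that is not at the very start of the payload (for example after leading CRLF) is not matched and would never reach the log.

```python
import re
from dataclasses import dataclass


# Constructed representation of a captured TCP segment (hypothetical, not a
# Snort structure): the addressing tuple plus the application-layer payload.
@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# The pcre option from the rule on the list: /^(GET|POST)/ applied to the payload.
RULE_PCRE = re.compile(rb"^(GET|POST)")


def matches_rule(seg: Segment, pattern: re.Pattern = RULE_PCRE) -> bool:
    """True when the rule's PCRE matches the segment payload, i.e. the 'log'
    action would fire for this segment."""
    return pattern.search(seg.payload) is not None


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way snort -d / tcpdump -X do: offset, hex columns, ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04X}  {hexpart}  {asc}")
    return "\n".join(lines)


def dump_matched(segments, pattern=RULE_PCRE):
    """Return (matched_segments, rendered_text). Only matching payloads are
    rendered, which is what the log file contains and what the poster wants
    to see on screen."""
    matched = [s for s in segments if matches_rule(s, pattern)]
    blocks = []
    for s in matched:
        header = f"{s.src}:{s.sport} -> {s.dst}:{s.dport}  len={len(s.payload)}"
        blocks.append(header + "\n" + hexdump(s.payload))
    return matched, "\n\n".join(blocks)


# Constructed sample traffic (not a real capture; documentation addresses only).
SAMPLE = [
    Segment("192.0.2.10", 51234, "198.51.100.5", 80,
            b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Segment("198.51.100.5", 80, "192.0.2.10", 51234,
            b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Segment("192.0.2.10", 51235, "198.51.100.5", 80,
            b"POST /login HTTP/1.1\r\n\r\nuser=a"),
    # Request line not at offset 0: the '^' anchor does not match it, so this
    # segment would be absent from the log even though it carries a GET.
    Segment("192.0.2.11", 40000, "198.51.100.5", 80,
            b"\r\nGET /late HTTP/1.1\r\n\r\n"),
    Segment("192.0.2.12", 40001, "198.51.100.5", 22,
            b"SSH-2.0-OpenSSH_8.9\r\n"),
]


if __name__ == "__main__":
    matched, text = dump_matched(SAMPLE)
    print(f"{len(matched)} of {len(SAMPLE)} segments matched /^(GET|POST)/")
    print(text)
```

Running the script prints two dumped segments (the GET and the POST) out of the five constructed ones; the server reply, the SSH banner and the GET with leading CRLF are filtered out, exactly as the `log` rule would filter them.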

------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
