Snort mailing list archives
Re: Snort Instance
From: Nicholas Horton <fivetenets () me com>
Date: Wed, 30 Oct 2013 15:05:31 -0400
Just a connection log at this point, although I'm sure later they will ask for more data. What I just thought of is I guess I can move the pcap to another system and use Wireshark and sort there. Just curious still if I can get the connection logs without doing the copy and Wireshark and sorting.

Nick
On Oct 30, 2013, at 2:58 PM, James Lay <jlay () slave-tothe-box net> wrote:

> On 2013-10-30 12:38, Nicholas Horton wrote:
>
>> Is it possible to start a second command line instance of snort and log sniffer results to easily show unique sources? More specifically, I want to capture in sniffer mode and be able to view the data easily and quickly by source IP. For example, I want to know any source that is coming in via FTP to a few servers. So I have:
>>
>> "Snort -dev -i eth1 ip host 10.10.10.2 or ip host 10.10.10.3 or ip host 10.10.10.4 and port 21 ./log"
>>
>> This works, but trying to view the unique sources is a bit overwhelming and tedious because of all the log entries. Is there a way to only capture unique sources, or just limit the entries to one alert, or pull unique sources from this pcap in this sniffer command line mode? I want to easily show these sources are FTP'ing to your servers. Right now I'm manually scrolling and trying to make a list from the pcap. My service snort has threshold.conf etc. which is still running, but I want to do a second instance for just an on-the-fly sniffer capture process that I start and stop, all while leaving my service snort untouched.
>>
>> Thanks!
>> Nick
>
> Are you wanting to see the actual packet data, or just something like a connection log?
>
> James
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
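The question in this thread is how to get a "connection log" of unique source IPs out of the pcap that Snort's sniffer mode writes under `./log`, without copying it to Wireshark. The following is an added example (not code from the thread or from the Snort project): a small, standard-library-only Python reader for libpcap files that counts, per source IP, the TCP packets sent to a set of monitored servers on a given port. It reads the capture in one pass, so it can run on the sensor itself. The server addresses come from the thread; the capture it runs on is constructed inline for illustration, and the `unique_sources` / `tcp_endpoints` function names are this example's own. It decodes plain Ethernet/IPv4/TCP only; VLAN-tagged frames, IPv6 and pcapng files are skipped or rejected rather than silently miscounted.

```python
"""Count unique source IPs talking to given servers on a given TCP port,
straight from a libpcap file (for example Snort's sniffer-mode log)."""
import socket
import struct
from collections import Counter

PCAP_MAGICS = {  # libpcap magic as written on disk -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (us / ns)
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",   # big-endian (us / ns)
}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a libpcap (not pcapng) file."""
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0]   # global header, bytes 20-23
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24                                                # first record header
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_endpoints(frame):
    """Return (src_ip, dst_ip, sport, dport) for an Ethernet/IPv4/TCP frame, else None.
    VLAN-tagged frames and IPv6 are deliberately skipped (EtherType check fails)."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                # header length incl. options
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport


def unique_sources(pcap_bytes, servers, port=21):
    """Counter of source IP -> packet count for TCP traffic to `servers` on `port`."""
    hits = Counter()
    for frame in iter_pcap_frames(pcap_bytes):
        ep = tcp_endpoints(frame)
        if ep and ep[1] in servers and ep[3] == port:
            hits[ep[0]] += 1
    return hits


# --- constructed sample capture (not real traffic) ---------------------------
def _frame(src, dst, sport, dport):
    eth = b"\x02" * 6 + b"\x02" * 6 + ETHERTYPE_IPV4                      # dummy MACs
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1383160000 + i, 0, len(f), len(f)) + f
    return out


SERVERS = {"10.10.10.2", "10.10.10.3", "10.10.10.4"}   # the FTP servers from the thread
SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "10.10.10.2", 40001, 21),
    _frame("192.0.2.10", "10.10.10.2", 40002, 21),     # same client, second connection
    _frame("192.0.2.20", "10.10.10.3", 40003, 21),
    _frame("198.51.100.5", "10.10.10.2", 40004, 80),   # HTTP, not FTP: ignored
    _frame("192.0.2.30", "10.10.10.9", 40005, 21),     # FTP to an unmonitored host: ignored
])

if __name__ == "__main__":
    for src, n in unique_sources(SAMPLE_PCAP, SERVERS).most_common():
        print(f"{src:<16} {n} packet(s)")
```

Run it against the real file by replacing `SAMPLE_PCAP` with `open("./log/<capture file>", "rb").read()`. Counting only packets addressed to the servers on port 21 (not replies from them) is what turns a noisy packet dump into the one-line-per-client list the thread is after; if `tcpdump` is already on the sensor, `tcpdump -nn -r <capture file> 'dst port 21'` piped through `sort | uniq -c` gives the same kind of summary interactively.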
Current thread:
- Snort Instance Nicholas Horton (Oct 30)
- Re: Snort Instance James Lay (Oct 30)
- Re: Snort Instance Nicholas Horton (Oct 30)
- Re: Snort Instance James Lay (Oct 30)
- Re: Snort Instance Nicholas Horton (Oct 30)
- Re: Snort Instance Nicholas Horton (Oct 30)
- Re: Snort Instance James Lay (Oct 30)