Snort mailing list archives

Re: IDS


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Mon, 10 Jul 2017 15:37:44 +0000

“Best” would depend on what you are trying to do.

If you are “tweaking/tuning/learning/testing” etc .. rules then a pcap definitely works better than trying to use live traffic.

Even with live traffic you may want to log things in binary format that alert.

Then come back and analyze them later.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
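The two workflows described in the reply above (replaying a saved pcap through the ruleset while tuning, and running live with alerting packets logged in binary form for later review) as a small set of Snort 2.9 shell helpers. This is an added example, not code from the list post or from the Snort project. It assumes `snort` is on PATH, that `SNORT_CONF` and `SNORT_LOGDIR` point at a valid snort.conf and a writable log directory, and that `DRY_RUN=1` is set when you only want to see the command lines (the `run_cmd` wrapper and the `DRY_RUN` switch are conventions of this example, not Snort features).

```shell
# Snort 2.9 workflow helpers (added example; not from the list post).
# Assumptions: snort is on PATH, SNORT_CONF is a valid snort.conf, and
# SNORT_LOGDIR is writable. With DRY_RUN=1 the helpers only print the
# command they would run, so the logic can be exercised without snort.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"

# Run the command, or just print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# -T parses the config and every rule file it includes, then exits.
# Cheap sanity check before pointing Snort at any traffic.
snort_test_config() {
    run_cmd snort -c "$SNORT_CONF" -T
}

# Tuning/testing path: replay a saved capture through the ruleset (-r).
# -k none skips checksum verification so packets whose checksums were
# mangled by NIC offload on the capturing host are still inspected;
# -A console prints alerts to the terminal, -q suppresses the banner.
snort_replay_pcap() {
    pcap="$1"
    [ -f "$pcap" ] || { echo "no such pcap: $pcap" >&2; return 1; }
    run_cmd snort -c "$SNORT_CONF" -r "$pcap" -k none -A console -q
}

# Production path: inspect live traffic on an interface. -b logs the
# packets that trigger alerts in tcpdump/pcap format (snort.log.<epoch>
# under -l), so the evidence survives after the traffic is gone.
snort_live_binary_log() {
    iface="$1"
    [ -n "$iface" ] || { echo "usage: snort_live_binary_log <iface>" >&2; return 1; }
    run_cmd snort -c "$SNORT_CONF" -i "$iface" -l "$SNORT_LOGDIR" -b -A fast
}

# Later analysis: the binary log is itself a pcap, so the newest one can
# be replayed through the (possibly re-tuned) ruleset with snort_replay_pcap.
snort_review_latest_log() {
    latest=$(ls -t "$SNORT_LOGDIR"/snort.log.* 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "no snort.log.* files in $SNORT_LOGDIR" >&2; return 1; }
    snort_replay_pcap "$latest"
}
```

With `DRY_RUN=1` the functions are safe to call on any host; drop it to actually run Snort. The same `-r` replay used for tuning is what turns the `-b` binary logs into something you can re-analyze later, which is the point of logging alerting packets in binary form rather than only as text alerts.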

From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of Justin Pederson via Snort-users <Snort-users () lists snort org<mailto:Snort-users () lists snort org>>
Reply-To: Justin Pederson <jpedersm () gmail com<mailto:jpedersm () gmail com>>
Date: Monday, July 10, 2017 at 11:15 AM
To: "Snort-users () lists snort org<mailto:Snort-users () lists snort org>" <Snort-users () lists snort org<mailto:Snort-users () lists snort org>>
Subject: [Snort-users] IDS

What is the best way to set snort up?  Either have it just look at the live packets as they come in or to form a pcap then to look into the pcap?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
