Snort - the de facto standard for intrusion detection/prevention
Next: 1.7 More Information Up: 1. Snort Overview Previous: 1.5 Inline Mode   Contents

1.6 Miscellaneous

1.6.1 Running in Daemon Mode

If you want to run Snort in daemon mode, you can add the -D switch to any combination described in the previous sections. Please notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, you must specify the full path to the Snort binary when you start it, for example:

/usr/local/bin/snort -d -h 192.168.1.0/24 \
    -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

Relative paths are not supported due to security concerns.

1.6.1.1 Snort PID File

When Snort is run in daemon mode, the daemon creates a PID file in the log directory. In Snort 2.6, the --pid-path command line switch causes Snort to write the PID file in the directory specified.

Additionally, the --create-pidfile switch can be used to force creation of a PID file even when not running in daemon mode.

1.6.2 Obfuscating IP Address Printouts

If you need to post packet logs to public mailing lists, you might want to use the -O switch. This switch obfuscates your IP addresses in packet printouts. This is handy if you don't want people on the mailing list to know the IP addresses involved. You can also combine the -O switch with the -h switch to only obfuscate the IP addresses of hosts on the home network. This is useful if you don't care who sees the address of the attacking host. For example, you could use the following command to read the packets from a log file and dump them to the screen, obfuscating only the addresses from the 192.168.1.0/24 class C network:

./snort -d -v -r snort.log -O -h 192.168.1.0/24
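As an added example (not part of the Snort manual), the POSIX shell function below applies the same home-network-only masking to an existing text printout, which is useful when the log to be shared was already written as text and can no longer be re-read with -O -h. The sample printout is constructed, and the xxx.xxx.xxx.xxx placeholder is an assumption about the masked form, not taken from this page.

```shell
#!/bin/sh
# Added example: mask only home-network addresses in a Snort text printout,
# mirroring what "snort -O -h <net>" does, so the log can be shared publicly.

# Constructed sample printout (not real capture data); 192.168.1.20 is the
# home host, 203.0.113.45 is the remote peer.
SAMPLE_PRINTOUT='10/23-14:02:11.004512 203.0.113.45:51234 -> 192.168.1.20:22
TCP TTL:52 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF
10/23-14:02:11.004688 192.168.1.20:22 -> 203.0.113.45:51234
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF'

# obfuscate_home_net CIDR: read a printout on stdin and replace every IPv4
# address that lies inside CIDR with xxx.xxx.xxx.xxx; other addresses stay.
obfuscate_home_net() {
    awk -v cidr="$1" '
    # Convert a dotted quad to a 32-bit integer (awk doubles hold it exactly).
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, p, "/")
        div = 2 ^ (32 - p[2])              # size of the host part; /24 gives 256
        prefix = int(ip2int(p[1]) / div)   # network prefix as an integer
        re = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
    }
    {
        out = ""; rest = $0
        while (match(rest, re)) {
            ip = substr(rest, RSTART, RLENGTH)
            repl = (int(ip2int(ip) / div) == prefix) ? "xxx.xxx.xxx.xxx" : ip
            out = out substr(rest, 1, RSTART - 1) repl
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}

# masked_sample: the constructed printout after masking 192.168.1.0/24.
masked_sample() {
    printf '%s\n' "$SAMPLE_PRINTOUT" | obfuscate_home_net 192.168.1.0/24
}

masked_sample
```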

1.6.3 Specifying Multiple-Instance Identifiers

In Snort v2.4, the -G command line option was added that specifies an instance identifier for the event logs. This option can be used when running multiple instances of Snort, either on different CPUs, or on the same CPU but a different interface. Each Snort instance will use the value specified to generate unique event IDs. Users can specify either a decimal value (-G 1) or a hex value preceded by 0x (-G 0x11). This is also supported via the long option --logid.
