PCAP READING MODE

SINGLE PCAP FILE

root@dco:~$ sudo snort -c /etc/snort/snort.conf -q -r icmp-test.pcap -A console -n 10

 * the -q option suppresses non-critical output, such as the banner and other informational messages, when Snort starts.
    - this is useful for running Snort in environments where you want less clutter in the output, focusing only on alerts or the main analysis results

MULTIPLE PCAP FILES

root@dco:~$ sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console --pcap-show

 * the --pcap-show option is used to match alerts to their corresponding pcaps: it prints the name of each pcap as Snort starts reading it, so the alerts that follow can be attributed to that file
    - w/o this option, the output of the --pcap-list option won't separate the source of the alerts; alerts from all listed pcaps run together in one stream
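The attribution that --pcap-show makes possible, as an added example (not part of the original notes or of Snort itself): a small parser that reads a saved copy of Snort's console output and files each -A console alert under the pcap that was being read when it fired. The sample output is constructed, and the wording of the per-pcap banner line ("Reading network traffic from ...") is assumed from Snort 2 output; adjust PCAP_LINE if your build prints it differently.

```python
import re
from collections import OrderedDict

# Constructed sample of the combined output of a Snort 2 run with
# --pcap-list, --pcap-show and -A console. The banner wording is an
# assumption about --pcap-show output; the alert lines use the "fast"
# format that -A console emits (ICMP alerts carry no ports, TCP ones do).
SAMPLE_OUTPUT = """\
Reading network traffic from "icmp-test.pcap" with snaplen = 1514
01/05-10:01:02.123456  [**] [1:1000001:1] ICMP test alert [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.9
01/05-10:01:03.000010  [**] [1:1000001:1] ICMP test alert [**] [Priority: 0] {ICMP} 10.0.0.9 -> 10.0.0.5
Reading network traffic from "http2.pcap" with snaplen = 1514
01/05-10:02:00.500000  [**] [1:1000002:1] HTTP test alert [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43210 -> 10.0.0.80:80
"""

# Banner printed by --pcap-show at the start of each pcap (assumed format).
PCAP_LINE = re.compile(r'^Reading network traffic from "(?P<pcap>[^"]+)"')
# One -A console ("fast") alert line: timestamp, [gid:sid:rev], message,
# optional classification, priority, {proto}, src -> dst.
ALERT_LINE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

def attribute_alerts(output):
    """Group console alerts under the pcap that was being read when they fired.

    Returns an ordered mapping pcap name -> list of alert dicts. Alerts seen
    before any banner (what you get without --pcap-show) are filed under the
    key None so they are not silently dropped.
    """
    by_pcap = OrderedDict()
    current = None
    for line in output.splitlines():
        banner = PCAP_LINE.match(line)
        if banner:
            current = banner.group("pcap")
            by_pcap.setdefault(current, [])
            continue
        alert = ALERT_LINE.match(line)
        if alert:
            by_pcap.setdefault(current, []).append(alert.groupdict())
    return by_pcap

def alert_counts(output):
    """Per-pcap alert totals, e.g. {'icmp-test.pcap': 2, 'http2.pcap': 1}."""
    return {pcap: len(alerts) for pcap, alerts in attribute_alerts(output).items()}

if __name__ == "__main__":
    for pcap, alerts in attribute_alerts(SAMPLE_OUTPUT).items():
        print(f"{pcap or '<no --pcap-show banner>'}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  {a['ts']} [{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} {a['src']} -> {a['dst']}")
```

Feed it the captured output of the multi-pcap command above (for example via redirection to a file) to get a per-pcap breakdown instead of one undifferentiated alert stream.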
