./snort -vde(include the data link layer headers)

Packet Logger Mode — log TCP/IP packet headers to disk

Use the previous snort commands along with the -lswitch and a log directory name to automatically go into packet logger mode.

./snort -vd -l ./log

You must have an existing directory by that name to prevent Snort from exiting with an error. You should also specify the local host address, using the -h ipaddress switch.

Other switches in packet logger mode include the following:

-b(log the packets in binary mode)

-r(followed by name of binary log will run the log through Snort in sniffer mode)

There are several ways in which you may configure the Snort output. See the Snort Users Manual for details.

Use the Internet Express Administration utility to perform the following actions with Snort:

Configure the Snort Decoder (see Section : Configuring Snort Decoder)

Configure the Snort Preprocessor (Section : Configuring Snort Preprocessor)

Run Snort (see Section : Running Snort)

View alert messages (Section : Viewing Alert Messages)

Configuring Snort Decoder

Follow these steps to configure the Snort decoder.

1.From the Manage Components menu, choose Snort.

2.From the Configure Snort menu, choose Configure Snort Decoder. The Configure Menu is displayed.

3.Click in a checkbox to select the desired decoder option:

Option

Description

Disable Decode Alert

Turns of the alerts generated by the decode phase of

 

Snort.

Disable Alerts on Invalid IP options

Disables IP option validation alerts.

Disable Alerts on obsolete TCP options

Turns off alerts generated by obsolete TCP options.

 

 

4.Click on Submit.

Configuring Snort Preprocessor

Follow these steps to configure the Snort preprocessor:

1.From the Manage Components menu, choose Snort.

2.From the Configure Snort menu, choose Configure Snort Preprocessor. The Configure Menu is displayed.

Snort Intrusion Detection System 185