[netsa-tools-discuss] rwidsquery Question on Operation
فهد الاسمري
glaxi80925 at gmail.com
Wed Sep 24 14:26:36 EDT 2014
On 2014 9 24 20:58, "Scott Fringer" <scfringe at cisco.com> wrote:
> Hello;
>
> I'm looking into working with rwidsquery to assist in pulling
> supporting flow data for firing events. I've run with a -in-type of
> rule, but the resulting rwfilter output doesn't seem to be substituting
> the $HOME_NET and $EXTERNAL_NET as I would have expected:
>
> user$ rwidsquery --intype rule --start 2014/09/23 --end 2014/09/24
> --config /home/user/snort.conf --verbose --dry-run rule.txt
>
> rwfilter --start-date=2014/09/23 --end-date=2014/09/24
> --stime=2014/09/23-2014/09/24 --saddress=$EXTERNAL_NET
> --daddress=$HOME_NET --icmp-code=2 --icmp-type=12 --pass=stdout
>
> This is basically using the rule example given on the rwidsquery webpage.
>
> Within the snort.conf HOME_NET is defined as is EXTERNAL_NET.
>
> I only have a snort.conf present (snort is not installed on this
> host). Is it necessary to have the entire ../snort/etc configuration
> structure present?
>
> Thanks,
> Scott
>
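As an added illustration of the substitution step the question is about (this is not rwidsquery's own code and does not claim to show how it reads snort.conf): the script below parses `var`/`ipvar`/`portvar` definitions from a constructed snort.conf fragment, expands `$HOME_NET`-style references in the dry-run rwfilter command line (following nested references such as `EXTERNAL_NET` defined in terms of `HOME_NET`), and lists any names that remain unresolved, which is the symptom described above. Everything in it (the config fragment, function names) is constructed for the example.

```python
import re

# Constructed snort.conf fragment (not the poster's real file). Note the
# nested reference: EXTERNAL_NET is defined in terms of HOME_NET.
SNORT_CONF = """\
# network variables
ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/snort/rules
"""

# The command line rwidsquery --dry-run printed in the question above.
RWFILTER_CMD = ("rwfilter --start-date=2014/09/23 --end-date=2014/09/24 "
                "--saddress=$EXTERNAL_NET --daddress=$HOME_NET "
                "--icmp-code=2 --icmp-type=12 --pass=stdout")

VAR_LINE = re.compile(r"^\s*(?:ipvar|portvar|var)\s+(\w+)\s+(.+?)\s*$")
VAR_REF = re.compile(r"\$(\w+)")


def parse_snort_vars(text):
    """Collect NAME -> raw value from every var/ipvar/portvar line."""
    variables = {}
    for line in text.splitlines():
        m = VAR_LINE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def expand(value, variables, depth=0):
    """Replace $NAME with its definition, recursively; unknown names are
    left untouched so the caller can report them. A depth limit guards
    against definitions that reference each other in a cycle."""
    if depth > 10:
        raise ValueError("variable reference cycle")

    def sub(m):
        name = m.group(1)
        if name not in variables:
            return m.group(0)
        return expand(variables[name], variables, depth + 1)
    return VAR_REF.sub(sub, value)


def unresolved(cmd):
    """Sorted names of $VARS still present, i.e. substitutions that failed."""
    return sorted(set(VAR_REF.findall(cmd)))


if __name__ == "__main__":
    expanded = expand(RWFILTER_CMD, parse_snort_vars(SNORT_CONF))
    print(expanded)
    print("unresolved:", unresolved(expanded))
```

Even after substitution, Snort's list and negation syntax (`[a,b]`, `!$HOME_NET`) is not rwfilter's IP-wildcard syntax, so the expanded value still needs mapping before it is usable as `--saddress`.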