25
Viewing Files with more and less
Although
cat
is a good utility for displaying files and creating small files, it
certainly has its limitations when displaying large files. When you use
cat
with snort.conf, the file scrolls through every page until it comes to the end,
which is not very practical if you want to glean any information from it.
For working with larger files, we have two other viewing utilities:
more
and
less
.
Controlling the Display with more
The
more
command displays a page of a file at a time and lets you page down
through it using the
enter
key. Open snort.conf with the
more
command, as
shown in Listing 2-7.
kali >more /etc/snort/snort.conf
--snip--
# Snort build options:
# Options: --enable-gre --enable-mpls --enable-targetbased
--enable-ppm --enable-perfprofiling enable-zlib --enable-active
-response --enable-normalizer --enable-reload --enable-react
--enable-flexresp3
#
--More--(2%)
Listing 2-7: Using more to display terminal output one page at a time
Notice that
more
displays only the first page and then stops, and it tells us
in the lower-left corner how much of the file is shown (2 percent in this case).
To see additional lines or pages, press
enter
. To exit
more
, enter
q
(for quit).
Displaying and Filtering with less
The
less
command is very similar to
more
, but with additional functionality
—hence, the common Linux aficionado quip, “Less is more.” With
less
, you
can not only scroll through a file at your leisure, but you can also filter it for
terms. As in Listing 2-8, open snort.conf with
less
.
kali >less /etc/snort/snort.conf
--snip--
# Snort build options:
# Options: --enable-gre --enable-mpls --enable-targetbased
--enable-ppm --enable-perfprofiling enable-zlib --enable-active
-response --enable-normalizer --enable-reload --enable-react
/etc/snort/snort.conf
Listing 2-8: Using less to both display terminal output a page at a time and filter results
26
Chapter 2
Notice in the bottom left of the screen that
less
has highlighted the
path to the file. If you press the forward slash (
/
) key,
less
will let you
search for terms in the file. For instance, when you first set up Snort, you
need to determine how and where you want to send your intrusion alert
output. To find that section of the configuration file, you could simply
search for output, like so:
# Snort build options:
# Options: --enable-gre --enable-mpls --enable-targetbased
--enable-ppm --enable-perfprofiling enable-zlib --enable-active
-response --enable-normalizer --enable-reload --enable-react
/output
This will immediately take you to the first occurrence of output and
highlight it. You can then look for the next occurrence of output by typing
n
(for next).
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
#####################################################################
#unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
vlan_event_types
output unified2: filename snort.log, limit 128, nostamp, mpls_event_types,
vlan_event_types
# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
:
As you can see,
less
took you to the next occurrence of the word output
and highlighted all the search terms. In this case, it went directly to the out-
put section of Snort. How convenient!
Summary
Linux has numerous ways of manipulating text, and each way comes with
its own strengths and weaknesses. We’ve touched on a few of the most use-
ful methods in this chapter, but I suggest you try each one out and develop
your own feel and preferences. For example, I think
grep
is indispensable,
and I use
less
widely, but you might feel different.
|
