When using the following command:
nl /etc/snort/snort.conf | grep output
I get the following output:
33 # 6) Configure output plugins
445 # Step #6: Configure output plugins
450 # output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types
So, I can see that Step #6: Configure output plugins is on line 445.
I want to output line 445 plus the previous five lines (440-444 + 445), so I use:
tail -n+440 /etc/snort/snort.conf | head -n 6
However, this gives me completely different results. So, I cat the entire file with line numbers, investigate and indeed see that the line # Step #6: Configure output plugins is on line 445...
After much trial and error with the tail command, I finally get my intended results, however the line that I originally thought was on 445 is actually on 529. I can verify this by altering the previous command numbers to:
tail -n+524 /etc/snort/snort.conf | head -n 6
I then get the originally expected results, showing five lines of the config files, with # Step #6: Configure output plugins as the last line of the output.
Why is there a discrepancy between the perceived line numbers (445 vs 529)?
Take a look at the raw output of nl. It doesn't number blank lines.
$ nl /etc/snort/snort.conf
...
32 ###################################################
33 # Step #1: Set the network variables. For more information, see README.variables
34 ###################################################
35 # Setup the network addresses you are protecting
36 ipvar HOME_NET any
37 # Set up the external network addresses. Leave as "any" in most situations
38 ipvar EXTERNAL_NET any
39 # List of DNS servers on your network
40 ipvar DNS_SERVERS $HOME_NET
41 # List of SMTP servers on your network
42 ipvar SMTP_SERVERS $HOME_NET
43 # List of web servers on your network
44 ipvar HTTP_SERVERS $HOME_NET
...
Use -ba to number all lines. The default is -bt: number only nonempty lines.
nl -ba /etc/snort/snort.conf | grep output