Snort - open source network intrusion detection system
snort [-bCdDeEfHIMNOpqQsTUvVwWxXy?] [-A alert-mode
] [-B address-conversion-mask ] [-c rules-file
] [-F bpf-file ] [-g group-name ] [-G
id ] [-h home-net ] [-i interface ]
[-k checksum-mode ] [-K logging-mode ] [-l
log-dir ] [-L bin-log-file ] [-m umask
] [-n packet-count ] [-P snap-length ]
[-r tcpdump-file ] [-R name ] [-S
variable=value ] [-t chroot_directory ] [-u
user-name ] [-Z pathname ] [--logid id
] [--perfmon-file pathname ] [--pid-path
pathname ] [--snaplen snap-length ] [--help ]
[--version ] [--dynamic-engine-lib file ]
[--dynamic-engine-lib-dir directory ]
[--dynamic-detection-lib file ]
[--dynamic-detection-lib-dir directory ]
[--dump-dynamic-rules directory ]
[--dynamic-preprocessor-lib file ]
[--dynamic-preprocessor-lib-dir directory ]
[--dynamic-output-lib file ] [--dynamic-output-lib-dir
directory ] [--alert-before-pass ]
[--treat-drop-as-alert ] [--treat-drop-as-ignore ]
[--process-all-events ] [--enable-inline-test ]
[--create-pidfile ] [--nolock-pidfile ]
[--no-interface-pidfile ] [--disable-attribute-reload-thread ]
[--pcap-single= tcpdump-file ] [--pcap-filter=
filter ] [--pcap-list= list ] [--pcap-dir=
directory ] [--pcap-file= file ]
[--pcap-no-filter ] [--pcap-reset ] [--pcap-reload ]
[--pcap-show ] [--exit-check count ]
[--conf-error-out ] [--enable-mpls-multicast ]
[--enable-mpls-overlapping-ip ] [--max-mpls-labelchain-len ]
[--mpls-payload-type ] [--require-rule-sid ] [--daq
type ] [--daq-mode mode ] [--daq-var
name=value ] [--daq-dir dir ] [--daq-list
[dir] ] [--dirty-pig ] [--cs-dir dir ]
[--ha-peer ] [--ha-out file ] [--ha-in file
] expression
Snort is an open source network intrusion detection system,
capable of performing real-time traffic analysis and packet logging on IP
networks. It can perform protocol analysis, content searching/matching and
can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more. Snort uses a flexible rules language to describe
traffic that it should collect or pass, as well as a detection engine that
utilizes a modular plugin architecture. Snort also has a modular real-time
alerting capability, incorporating alerting and logging plugins for syslog,
a ASCII text files, UNIX sockets or XML.
Snort has three primary uses. It can be used as a straight packet
sniffer like tcpdump(1), a packet logger (useful for network traffic
debugging, etc), or as a full blown network intrusion detection system.
Snort logs packets in tcpdump(1) binary format or in
Snort's decoded ASCII format to a hierarchy of logging directories that are
named based on the IP address of the "foreign" host.
- -A alert-mode
- Alert using the specified alert-mode. Valid alert modes include
fast, full, none, and unsock. Fast writes alerts to
the default "alert" file in a single-line, syslog style alert
message. Full writes the alert to the "alert" file with
the full decoded header as well as the alert message. None turns
off alerting. Unsock is an experimental mode that sends the alert
information out over a UNIX socket to another process that attaches to
that socket.
- -b
- Log packets in a tcpdump(1) formatted file. All packets are logged
in their native binary state to a tcpdump formatted log file named with
the snort start timestamp and "snort.log". This option results
in much faster operation of the program
since it doesn't have to spend time in the packet binary->text
converters. Snort can keep up pretty well with 100Mbps networks in '-b'
mode. To choose an alternate name for the binary log file, use the '-L'
switch.
- -B address-conversion-mask
- Convert all IP addresses in home-net to addresses specified by
address-conversion-mask. Used to obfuscate IP addresses within
binary logs. Specify home-net with the '-h' switch. Note this is
not the same as $HOME_NET.
- -c config-file
- Use the rules located in file config-file.
- -C
- Print the character data from the packet payload only (no hex).
- -d
- Dump the application layer data when displaying packets in verbose or
packet logging mode.
- -D
- Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless
otherwise specified.
- -e
- Display/log the link layer packet headers.
- -E
- *WIN32 ONLY* Log alerts to the Windows Event Log.
- -f
- Activate PCAP line buffering
- -F bpf-file
- Read BPF filters from bpf-file. This is handy for people running
Snort as a SHADOW replacement or with a love Of super complex BPF filters.
See the "expressions" section of this man page for more info on
writing BPF filters.
- -g group
- Change the group/GID Snort runs under to group after
initialization. This switch allows Snort to drop root privileges after
it's initialization phase has completed as a security measure.
- -G id
- Use id as a base event ID when logging events.
- -h home-net
- Set the "home network" to home-net. The format of this
address variable is a network prefix plus a CIDR block, such as
192.168.1.0/24. Once this variable is set, all decoded packet logging will
be done relative to the home network address space. This is useful because
of the way that Snort formats its ASCII log data. With this value set to
the local network, all decoded output will be logged into decode
directories with the address of the foreign computer as the directory
name, which is very useful during traffic analysis. This option does not
change "$HOME_NET" in IDS mode.
- -H
- Force hash tables to be deterministic instead of using a random number
generator for the seed & scale. Useful for testing and generating
repeatable results with the same traffic.
- -i interface
- Sniff packets on interface.
- -I
- Print out the receiving interface name in alerts.
- -k checksum-mode
- Tune the internal checksum verification functionality with
alert-mode. Valid checksum modes include all, noip, notcp,
noudp, noicmp, and none. All activates checksum
verification for all supported protocols. Noip turns off IP
checksum verification, which is handy if the gateway router is already
dropping packets that fail their IP checksum checks. Notcp turns
off TCP checksum verification, all other checksum modes are on.
noudp turns off UDP checksum verification. Noicmp turns off
ICMP checksum verification. None turns off the entire checksum
verification subsystem.
- -K logging-mode
- Select a packet logging mode. The default is pcap. logging-mode.
Valid logging modes include pcap, ascii, and none.
Pcap logs packets through the pcap library into pcap (tcpdump)
format. Ascii logs packets in the old "directories and
files" format with packet printouts in each file. None Turns
off packet logging.
- -l log-dir
- Set the output logging directory to log-dir. All plain text alerts
and packet logs go into this directory. If this option is not specified,
the default logging directory is set to /var/log/snort.
- -L binary-log-file
- Set the filename of the binary log file to binary-log-file. If this
switch is not used, the default name is a timestamp for the time that the
file is created plus "snort.log".
- -m umask
- Set the file mode creation mask to umask
- -M
- Log console messages to syslog when not running daemon mode. Using both -D
and -M will send all messages to syslog including e.g. SIGUSR1 dump packet
stats. This switch has no impact on logging of alerts.
- -n packet-count
- Process packet-count packets and exit.
- -N
- Turn off packet logging. The program still generates alerts normally.
- -O
- Obfuscate the IP addresses when in ASCII packet dump mode. This switch
changes the IP addresses that get printed to the screen/log file to
"xxx.xxx.xxx.xxx". If the homenet address switch is set (-h),
only addresses on the homenet will be obfuscated while non- homenet IPs
will be left visible. Perfect for posting to your favorite security
mailing list!
- -p
- Turn off promiscuous mode sniffing.
- -P snap-length
- Set the packet snaplen to snap-length. By default, this is set to
1514.
- -q
- Quiet operation. Don't display banner and initialization information. In
daemon mode, banner and initialization information is not logged to
syslog.
- -Q
- Enable inline mode operation.
- -r tcpdump-file
- Read the tcpdump-formatted file tcpdump-file. This will cause Snort
to read and process the file fed to it. This is useful if, for instance,
you've got a bunch of SHADOW files that you want to process for content,
or even if you've got a bunch of reassembled packet fragments which have
been written into a tcpdump formatted file.
- -R name
- Use name as a suffix to the snort pidfile.
- -s
- Send alert messages to syslog. On linux boxen, they will appear in
/var/log/secure, /var/log/messages on many other platforms.
- -S variable=value
- Set variable name "variable" to value "value". This is
useful for setting the value of a defined variable name in a Snort rules
file to a command line specified value. For instance, if you define a
HOME_NET variable name inside of a Snort rules file, you can set this
value from it's predefined value at the command line.
- -t chroot
- Changes Snort's root directory to chroot after initialization.
Please note that all log/alert filenames are relative to the chroot
directory if chroot is used.
- -T
- Snort will start up in self-test mode, checking all the supplied command
line switches and rules files that are handed to it and indicating that
everything is ready to proceed. This is a good switch to use if daemon
mode is going to be used, it verifies that the Snort configuration that is
about to be used is valid and won't fail at run time. Note, Snort looks
for either /etc/snort.conf or ./snort.conf. If your config lives
elsewhere, use the -c option to specify a valid config-file.
- -u user
- Change the user/UID Snort runs under to user after
initialization.
- -U
- Changes the timestamp in all logs to be in UTC
- -v
- Be verbose. Prints packets out to the console. There is one big problem
with verbose mode: it's slow. If you are doing IDS work with Snort,
don't use the '-v' switch, you WILL drop packets.
- -V
- Show the version number and exit.
- -w
- Show management frames if running on an 802.11 (wireless) network.
- -W
- *WIN32 ONLY* Enumerate the network interfaces available.
- -x
- Exit if Snort configuration problems occur such as duplicate gid/sid or
flowbits without Stream5.
- -X
- Dump the raw packet data starting at the link layer. This switch overrides
the '-d' switch.
- -y
- Include the year in alert and log files
- -Z pathname
- Set the perfmonitor preprocessor path/filename to pathname.
- -?
- Show the program usage statement and exit.
- --logid id
- Same as -G.
- --perfmon-file
pathname
- Same as -Z.
- --pid-path
directory
- Specify the directory for the Snort PID file.
- --snaplen
snap-length
- Same as -P.
- --help
- Same as -?
- --version
- Same as -V
- --dynamic-engine-lib
file
- Load a dynamic detection engine shared library specified by file.
- --dynamic-engine-lib-dir
directory
- Load all dynamic detection engine shared libraries specified from
directory.
- --dynamic-detection-lib
file
- Load a dynamic detection rules shared library specified by file.
- --dynamic-detection-lib-dir
directory
- Load all dynamic detection rules shared libraries specified from
directory.
- --dump-dynamic-rules
directory
- Create stub rule files from all loaded dynamic detection rules libraries.
Files will be created in directory. This is required to be done prior to
running snort using those detection rules and the generated rules files
must be included in snort.conf.
- --dynamic-preprocessor-lib
file
- Load a dynamic preprocessor shared library specified by file.
- --dynamic-preprocessor-lib-dir
directory
- Load all dynamic preprocessor shared libraries specified from
directory.
- --alert-before-pass
- Process alert, drop, sdrop, or reject before pass. Default is pass before
alert, drop, etc.
- --treat-drop-as-alert
- Converts drop, sdrop, and reject rules into alert rules during
startup.
- --treat-drop-as-ignore
- Use drop, sdrop, and reject rules to ignore session traffic when not
inline.
- --process-all-events
- Process all triggered events in group order, per Rule Ordering
configuration. Default stops after first group.
- --enable-inline-test
- Enable Inline-Test Mode Operation.
- --pid-path
directory
- Specify the path for Snort's PID file.
- --create-pidfile
- Create PID file, even when not in Daemon mode.
- --nolock-pidfile
- Do not try to lock Snort PID file.
- --no-interface-pidfile
- Do not include the interface name in Snort PID file
- --pcap-single=tcpdump-file
- Same as -r. Added for completeness.
- --pcap-filter=filter
- Shell style filter to apply when getting pcaps from file or directory.
This filter will apply to any --pcap-file or --pcap-dir arguments
following. Use --pcap-no-filter to delete filter for following --pcap-file
or --pcap-dir arguments or specify --pcap-filter again to forget previous
filter and to apply to following --pcap-file or --pcap-dir arguments.
- --pcap-list="list"
- A space separated list of pcaps to read.
- --pcap-dir=directory
- A directory to recurse to look for pcaps. Sorted in ascii order.
- --pcap-file=file
- File that contains a list of pcaps to read. Can specify path to pcap or
directory to recurse to get pcaps.
- --pcap-no-filter
- Reset to use no filter when getting pcaps from file or directory.
- --pcap-reset
- If reading multiple pcaps, reset snort to post-configuration state before
reading next pcap. The default, i.e. without this option, is not to reset
state.
- --pcap-show
- Print a line saying what pcap is currently being read.
- --exit-check=count
- Signal termination after <count> callbacks from DAQ_Acquire(),
showing the time it takes from signaling until DAQ_Stop() is called.
- --conf-error-out
- Same as -x.
- --require-rule-sid
- Require an SID for every rule to be correctly threshold all rules.
- --daq <type>
- Select packet acquisition module (default is pcap).
- --daq-mode
<mode>
- Select the DAQ operating mode.
- --daq-var
<name=value>
- Specify extra DAQ configuration variable.
- --daq-dir
<dir>
- Tell Snort where to find desired DAQ.
- --daq-list
[<dir>]
- List packet acquisition modules available in dir.
- --cs-dir
<dir>
- Tell Snort to use control socket and create the socket in dir.
-
expression
selects which packets will be dumped. If no
expression is given, all packets on the net will be dumped. Otherwise,
only packets for which
expression is `true' will be dumped.
The expression consists of one or more primitives.
Primitives usually consist of an id (name or number) preceded by one
or more qualifiers. There are three different kinds of qualifier:
- type
- qualifiers say what kind of thing the id name or number refers to.
Possible types are host, net and port. E.g., `host
foo', `net 128.3', `port 20'. If there is no type qualifier, host
is assumed.
- dir
- qualifiers specify a particular transfer direction to and/or from
id. Possible directions are src, dst, src or
dst and src and dst. E.g., `src foo', `dst net 128.3',
`src or dst port ftp-data'. If there is no dir qualifier, src or
dst is assumed. For `null' link layers (i.e. point to point protocols
such as slip) the inbound and outbound qualifiers can be
used to specify a desired direction.
- proto
- qualifiers restrict the match to a particular protocol. Possible protos
are: ether, fddi, ip, arp, rarp,
decnet, lat, sca, moprc, mopdl,
tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp
port 21'. If there is no proto qualifier, all protocols consistent with
the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or arp or
rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified network
interface.'' FDDI headers contain Ethernet-like source and destination
addresses, and often contain Ethernet-like packet types, so you can filter
on these FDDI fields just as with the analogous Ethernet fields. FDDI
headers also contain other fields, but you cannot name them explicitly in a
filter expression.]
In addition to the above, there are some special `primitive'
keywords that don't follow the pattern: gateway, broadcast,
less, greater and arithmetic expressions. All of these are
described below.
More complex filter expressions are built up by using the words
and, or and not to combine primitives. E.g., `host foo
and not port ftp and not port ftp-data'. To save typing, identical qualifier
lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is
exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst
port domain'.
Allowable primitives are:
- dst host
host
- True if the IP destination field of the packet is host, which may
be either an address or a name.
- src host
host
- True if the IP source field of the packet is host.
- host
host
- True if either the IP source or destination of the packet is host.
Any of the above host expressions can be prepended with the keywords,
ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each address will be
checked for a match.
- ether dst
ehost
- True if the ethernet destination address is ehost. Ehost may
be either a name from /etc/ethers or a number (see ethers(3N) for
numeric format).
- ether src
ehost
- True if the ethernet source address is ehost.
- ether host
ehost
- True if either the ethernet source or destination address is
ehost.
- gateway
host
- True if the packet used host as a gateway. I.e., the ethernet
source or destination address was host but neither the IP source
nor the IP destination was host. Host must be a name and
must be found in both /etc/hosts and /etc/ethers. (An equivalent
expression is
ether host ehost and not host host
which can be used with either names or numbers for host /
ehost.)
- dst net
net
- True if the IP destination address of the packet has a network number of
net. Net may be either a name from /etc/networks or a
network number (see networks(4) for details).
- src net
net
- True if the IP source address of the packet has a network number of
net.
- net net
- True if either the IP source or destination address of the packet has a
network number of net.
- net net
mask mask
- True if the IP address matches net with the specific netmask. May
be qualified with src or dst.
- net
net/len
- True if the IP address matches net a netmask len bits wide.
May be qualified with src or dst.
- dst port
port
- True if the packet is ip/tcp or ip/udp and has a destination port value of
port. The port can be a number or a name used in
/etc/services (see tcp(4P) and udp(4P)). If a name is used,
both the port number and protocol are checked. If a number or ambiguous
name is used, only the port number is checked (e.g., dst port 513
will print both tcp/login traffic and udp/who traffic, and port
domain will print both tcp/domain and udp/domain traffic).
- src port
port
- True if the packet has a source port value of port.
- port
port
- True if either the source or destination port of the packet is
port. Any of the above port expressions can be prepended with the
keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.
- less
length
- True if the packet has a length less than or equal to length. This
is equivalent to:
len <= length.
- greater
length
- True if the packet has a length greater than or equal to length.
This is equivalent to:
len >= length.
- ip proto
protocol
- True if the packet is an ip packet (see ip(4P)) of protocol type
protocol. Protocol can be a number or one of the names
icmp, igrp, udp, nd, or tcp. Note that
the identifiers tcp, udp, and icmp are also keywords
and must be escaped via backslash (\), which is \\ in the C-shell.
- ether
broadcast
- True if the packet is an ethernet broadcast packet. The ether
keyword is optional.
- ip broadcast
- True if the packet is an IP broadcast packet. It checks for both the
all-zeroes and all-ones broadcast conventions, and looks up the local
subnet mask.
- ether
multicast
- True if the packet is an ethernet multicast packet. The ether
keyword is optional. This is shorthand for `ether[0] & 1 !=
0'.
- ip multicast
- True if the packet is an IP multicast packet.
- ether proto
protocol
- True if the packet is of ether type protocol. Protocol can
be a number or a name like ip, arp, or rarp. Note
these identifiers are also keywords and must be escaped via backslash (\).
[In the case of FDDI (e.g., `fddi protocol arp'), the protocol
identification comes from the 802.2 Logical Link Control (LLC) header,
which is usually layered on top of the FDDI header. Tcpdump
assumes, when filtering on the protocol identifier, that all FDDI packets
include an LLC header, and that the LLC header is in so-called SNAP
format.]
- decnet src
host
- True if the DECNET source address is host, which may be an address
of the form ``10.123'', or a DECNET host name. [DECNET host name support
is only available on Ultrix systems that are configured to run
DECNET.]
- decnet dst
host
- True if the DECNET destination address is host.
- decnet host
host
- True if either the DECNET source or destination address is
host.
- ip, arp,
rarp, decnet
- Abbreviations for:
ether proto p
where p is one of the above protocols.
- lat, moprc,
mopdl
- Abbreviations for:
ether proto p
where p is one of the above protocols. Note that Snort does
not currently know how to parse these protocols.
- tcp, udp,
icmp
- Abbreviations for:
ip proto p
where p is one of the above protocols.
- expr relop
expr
- True if the relation holds, where relop is one of >, <,
>=, <=, =, !=, and expr is an arithmetic expression composed
of integer constants (expressed in standard C syntax), the normal binary
operators [+, -, *, /, &, |], a length operator, and special packet
data accessors. To access data inside the packet, use the following
syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp, udp,
or icmp, and indicates the protocol layer for the index
operation. The byte offset, relative to the indicated protocol layer, is
given by expr. Size is optional and indicates the number of
bytes in the field of interest; it can be either one, two, or four, and
defaults to one. The length operator, indicated by the keyword len,
gives the length of the packet.
For example, `ether[0] & 1 != 0' catches all
multicast traffic. The expression `ip[0] & 0xf != 5' catches
all IP packets with options. The expression `ip[6:2] & 0x1fff =
0' catches only unfragmented datagrams and frag zero of fragmented
datagrams. This check is implicitly applied to the tcp and
udp index operations. For instance, tcp[0] always means
the first byte of the TCP header, and never means the first byte
of an intervening fragment.
Primitives may be combined using:
- A parenthesized group of primitives and operators (parentheses are special
to the Shell and must be escaped).
- Negation (`!' or `not').
- Concatenation (`&&' or `and').
- Alternation (`||' or `or').
Negation has highest precedence. Alternation and concatenation
have equal precedence and associate left to right. Note that explicit
and tokens, not juxtaposition, are now required for
concatenation.
If an identifier is given without a keyword, the most recent
keyword is assumed. For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )
Expression arguments can be passed to Snort as either a single
argument or as multiple arguments, whichever is more convenient. Generally,
if the expression contains Shell metacharacters, it is easier to pass it as
a single, quoted argument. Multiple arguments are concatenated with spaces
before being parsed.
Instead of having Snort listen on an interface, you can give it a
packet capture to read. Snort will read and analyze the packets as if they
came off the wire. This can be useful for testing and debugging Snort.
Read a single pcap
$ snort -r foo.pcap
$ snort --pcap-single=foo.pcap
Read pcaps from a file
$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps
$ snort --pcap-file=foo.txt
This will read foo1.pcap, foo2.pcap and all files under
/home/foo/pcaps. Note that Snort will not try to determine whether the files
under that directory are really pcap files or not.
Read pcaps from a command line list
$ snort --pcap-list="foo1.pcap foo2.pcap
foo3.pcap"
This will read foo1.pcap, foo2.pcap and foo3.pcap.
Read pcaps under a directory
$ snort --pcap-dir="/home/foo/pcaps"
This will include all of the files under /home/foo/pcaps.
Using filters
$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps
$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
$ snort --pcap-filter="*.pcap"
--pcap-dir=/home/foo/pcaps
The above will only include files that match the shell pattern
"*.pcap", in other words, any file ending in
".pcap".
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-filter="*.cap"
--pcap-dir=/home/foo/pcaps
In the above, the first filter "*.pcap" will only be
applied to the pcaps in the file "foo.txt" (and any directories
that are recursed in that file). The addition of the second filter
"*.cap" will cause the first filter to be forgotten and then
applied to the directory /home/foo/pcaps, so only files ending in
".cap" will be included from that directory.
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps
In this example, the first filter will be applied to foo.txt, then
no filter will be applied to the files found under /home/foo/pcaps, so all
files found under /home/foo/pcaps will be included.
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps \
> --pcap-filter="*.cap"
--pcap-dir=/home/foo/pcaps2
In this example, the first filter will be applied to foo.txt, then
no filter will be applied to the files found under /home/foo/pcaps, so all
files found under /home/foo/pcaps will be included, then the filter
"*.cap" will be applied to files found under /home/foo/pcaps2.
Resetting state
$ snort --pcap-dir=/home/foo/pcaps --pcap-reset
The above example will read all of the files under
/home/foo/pcaps, but after each pcap is read, Snort will be reset to a
post-configuration state, meaning all buffers will be flushed, statistics
reset, etc. For each pcap, it will be like Snort is seeing traffic for the
first time.
Printing the pcap
$ snort --pcap-dir=/home/foo/pcaps --pcap-show
The above example will read all of the files under /home/foo/pcaps
and will print a line indicating which pcap is currently being read.
Snort uses a simple but flexible rules language to describe
network packet signatures and associate them with actions. The current rules
document can be found at http://www.snort.org/snort-rules.
The following signals have the specified effect when sent to the
daemon process using the kill(1) command:
- SIGHUP
- Causes the daemon to close all opened files and restart. Please
note that this will only work if the full pathname is used
to invoke snort in daemon mode, otherwise snort will just exit with an
error message being sent to syslogd(8).
- SIGUSR1
- Causes the program to dump its current packet statistical information to
the console or syslogd(8) if in daemon mode.
- SIGUSR2
- Causes the program to rotate Perfmonitor statistical information to the
console or syslogd(8) if in daemon mode.
- SIGURG
- Causes the program to reload attribute table.
- SIGCHLD
- Used internally.
Please refer to manual for more details. Any other signal might
cause the daemon to close all opened files and exit.
In Debian, there are several ways in which Snort can be
configured. The configuration file /etc/snort/snort.conf provides the
configuration for the software itself. Users can customise this
configuration. In systems which have multiple interfaces, it is possible to
have a different Snort instance per network interface and adjust the
specific configuration for one interface using
/etc/snort/snort.INTERFACE.conf (where INTERFACE should be
replaced by the interface name).
There are additional configuration files in /etc/snort which
modify Snort behaviour. These include: attribute_table.dtd, file_magic.conf,
threshold.conf and unicode.map
In addition, Debian provides a specific configuration file to
manage the startup of Snort through the /etc/snort/snort.debian.conf
configuration file. This file is modified by the packaging system, using
debconf, and defines whether Snort is to be started up on system boot
or manually, defines specific options for the Snort daemon when it is
started and sets values to be used by the snort-stat cron script (if
enabled).
Finally, the configuration file /etc/default/snort is used
to define parameters which are applicable to the Snort startup (init.d)
script. These include: daemon startup parameters, user and group Snort will
run as, log directory and whether to run Snort when the interfaces to be
monitored are not available.
In Debian, the Snort logs are available under
/var/log/snort/ and includes /var/log/snort/snort.log,
/var/log/snort/snort.alert and
/var/log/snort/snort.alert.fast
The first two of these logs are saved using the unified format
which can be read using the u2spewfoo tool. For more information read
/usr/share/doc/snort/README.unified2 which is provided by the snort-doc
package. The log files in unified2 format can also be converted to other
formats (currently only pcap is supported) using the u2boat tool. The
last log file (snort.alert.fast) is a one line format that provides fast
alerts. These alerts are read by the snort-stat and sent by email to
a designed administrator if eneabled in the Debian package
configuration.
The location of the the log directory can be adjusted through the
configuration of the LOGDIR parameter in the
/etc/default/snort configuration file.
The log file /var/log/snort/snort.log contains the packets
logged, while the /var/log/snort/snort.alert contains only the alerts
generated.
In addition to this, all alerts are logged into syslog using
LOG_AUTH and LOG_ALERT.
The logging and alerting mode can be modified by configuring the
/etc/snort/snort.conf file.
Snort has been freely available under the GPL license since
1998.
Snort returns a 0 on a successful exit, 1 if it exits on an
error.
After consulting the BUGS file included with the source
distributon and available in Debian systems in /usr/share/doc/BUGS, as well
as the Debian-specific bugs published in
https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=snort please send bug
reports to Debian using the reportbug program. For more information
about reporting bugs in Debian please read
https://www.debian.org/Bugs/Reporting
If you believe the bug lies with the upstream package, please send
bug reports directly to snort-devel@lists.snort.org
The main author of Snort is Martin Roesch
<roesch@snort.org>
In addition, many people have contributed to Snort development.
For a full list please read /usr/share/doc/snort/CREDITS.gz
This Debian package was created by Christian Hammers
<ch@debian.org> (from 1999 to 2001), Robert van der Meulen
<rvdm@debian.org> (2001 to 2002), Sander Smeenk
<ssmeenk@debian.org> (2002 to 2004) and Javier
Fernández-Sanguino <jfs@debian.org> (2004 to 2020). It includes
with contributions from many different Debian developers and users. All of
them are credited in the Debian changelog file which can be found at
/usr/share/doc/snort/changelog.Debian.gz and
/usr/share/doc/snort/copyright