snort

Overview

Snort can be configured to run in the following modes:

Mode                                        | Description
--------------------------------------------|------------------------------------------------------------
Sniffer                                     | Read packets off the network and display them in a continuous stream on the console (screen).
Packet Logger                               | Log packets to disk.
Network Intrusion Detection System (NIDS)   | Analyze network traffic for matches against a user-defined rule set and perform actions based on the results.
Inline Mode                                 | Obtain packets from iptables instead of from libpcap, then cause iptables to drop or pass packets based on Snort rules that use inline-specific rule types.

Sniffer Mode

To print out the TCP/IP packet headers to the screen:

$ snort -v

04/09-12:09:58.857395 192.168.0.190:22 -> 192.168.0.12:47223
TCP TTL:64 TOS:0x10 ID:27989 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0xD4D6A84  Ack: 0xB2E77A1C  Win: 0x2A80  TcpLen: 32

To see the application data in transit:

$ snort -vd

To show the data link layer headers:

$ snort -vde


Packet Logger Mode

To record packets to disk, specify a logging directory; Snort then automatically enters packet logger mode:

$ snort -dev -l ./log

Snort will collect every packet it sees and place it in a directory hierarchy based on the IP address of one of the hosts in the datagram. To log relative to the home network instead, tell Snort which network is the home network:

$ snort -dev -l ./log -h 192.168.1.0/24

This command tells Snort to print out the data link and TCP/IP headers as well as the application data, to write them into the directory ./log, and to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names based on the address of the remote (non-192.168.1) host.
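As an added illustration (not code from Snort or from this page), the following POSIX shell script reproduces the address selection described above: given a packet's source and destination and the home network passed to -h, it prints the remote host address that names the log subdirectory. The function names (ip2int, in_cidr, snort_log_subdir) and the sample packet are constructed here; the page only documents the case where exactly one host is outside the home network, so any other combination is reported as undetermined.

```shell
#!/bin/sh
# Added example: which subdirectory under the -l directory a packet lands in
# when Snort is run with -h HOME_NET (hypothetical helper, not Snort code).

ip2int() {
    # Convert a dotted-quad IPv4 address to a 32-bit integer.
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
    # Usage: in_cidr ADDR NETWORK/PREFIX ; succeeds if ADDR is inside.
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

snort_log_subdir() {
    # Usage: snort_log_subdir SRC DST HOME_CIDR
    # Prints the address of the remote (non-home) host, which is the
    # subdirectory name used under the -l directory. Returns 1 when the
    # packet is not "one home host, one remote host" (undocumented here).
    src_home=0; dst_home=0
    in_cidr "$1" "$3" && src_home=1
    in_cidr "$2" "$3" && dst_home=1
    if [ "$src_home" -eq 1 ] && [ "$dst_home" -eq 0 ]; then
        printf '%s\n' "$2"
    elif [ "$src_home" -eq 0 ] && [ "$dst_home" -eq 1 ]; then
        printf '%s\n' "$1"
    else
        return 1
    fi
}

# Constructed sample: an external host 10.0.0.7 talking to 192.168.1.20 with
# the home network from the command above; prints 10.0.0.7.
snort_log_subdir 10.0.0.7 192.168.1.20 192.168.1.0/24 \
    || echo "undetermined: both hosts inside or both outside the home network"
```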


See Also

  1. www.snort.org
  2. Linux Security
  3. nmap
