snort Version 2.3.2



  1. snort_manual.pdf
  2. snort_schema_v106.pdf
  3. faq.pdf
  4. AUTHORS
  5. BUGS
  6. CREDITS
  7. INSTALL
  8. Makefile
  9. Makefile.am
  10. Makefile.in
  11. NEWS
  12. PROBLEMS
  13. README
  14. README.FLEXRESP
  15. README.INLINE
  16. README.PLUGINS
  17. README.UNSOCK
  18. README.WIN32
  19. README.alert_order
  20. README.asn1
  21. README.database
  22. README.event_queue
  23. README.flow
  24. README.flow-portscan
  25. README.flowbits
  26. README.http_inspect
  27. README.sfportscan
  28. README.thresholding
  29. README.wireless
  30. RULES.todo
  31. TODO
  32. USAGE
  33. WISHLIST

See Also:

  1. www.snort.org
  2. Linux Security
  3. nmap



Overview

Snort can be configured to run in the following modes:

Sniffer
    Reads packets off the network and displays them in a continuous stream on the console (screen).

Packet Logger
    Logs packets to disk.

Network Intrusion Detection System (NIDS)
    Analyzes network traffic for matches against a user-defined rule set and performs actions based on the results.

Inline Mode
    Obtains packets from iptables instead of from libpcap and then causes iptables to drop or pass packets based on Snort rules that use inline-specific rule types.

Sniffer Mode

To print out the TCP/IP packet headers to the screen:

$ snort -v

04/09-12:09:58.857395 192.168.0.190:22 -> 192.168.0.12:47223
TCP TTL:64 TOS:0x10 ID:27989 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0xD4D6A84  Ack: 0xB2E77A1C  Win: 0x2A80  TcpLen: 32

To see the application data in transit:

$ snort -vd

To show the data link layer headers:

$ snort -vde


Packet Logger Mode

To record packets to disk, specify a logging directory and Snort will automatically go into packet logger mode:

./snort -dev -l ./log

Snort collects every packet it sees and places it in a directory hierarchy based on the IP address of one of the hosts in the datagram. To log relative to the home network, tell Snort which network is the home network:

./snort -dev -l ./log -h 192.168.1.0/24

This command tells Snort to print the data link and TCP/IP headers as well as the application data into the directory ./log, and to log packets relative to the 192.168.1.0 class C network. All incoming packets are recorded into subdirectories of the log directory, with the directory names based on the address of the remote (non-192.168.1) host.
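As an added example (not snort's own code), the following Python models the directory choice described above: it parses the first line of the snort -v packet header shown under Sniffer Mode and, given the -h home network, files the packet under the remote host's address. The fallback to the source address when -h is absent, or when both or neither host is inside the home network, is an assumption made for this example, not a documented snort rule.

```python
import ipaddress
import re
from pathlib import PurePosixPath
from typing import Optional

# First line of a "snort -v" packet header, e.g.
# "04/09-12:09:58.857395 192.168.0.190:22 -> 192.168.0.12:47223"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


def parse_header(line: str) -> dict:
    """Split a snort -v header line into timestamp, addresses and ports."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a snort -v header line: {line!r}")
    d = m.groupdict()
    return {"ts": d["ts"],
            "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"])}


def log_directory(logdir: str, line: str, home_net: Optional[str] = None) -> str:
    """Directory this packet would be filed under in packet-logger mode.

    With -h HOME_NET the directory is named after the remote (non-home)
    host, so both directions of a conversation land in one place.  Without
    -h, or when both or neither host is inside HOME_NET, this example falls
    back to the source address: a simplifying assumption, not snort's rule.
    """
    pkt = parse_header(line)
    if home_net is not None:
        net = ipaddress.ip_network(home_net, strict=False)
        src_home, dst_home = pkt["src"] in net, pkt["dst"] in net
        if src_home != dst_home:  # exactly one side is a home host
            remote = pkt["dst"] if src_home else pkt["src"]
            return str(PurePosixPath(logdir) / str(remote))
    return str(PurePosixPath(logdir) / str(pkt["src"]))


# Constructed sample header lines (not captured from a real network).
SAMPLE = [
    "04/09-12:10:01.000123 10.1.2.3:51234 -> 192.168.1.20:80",
    "04/09-12:10:01.000456 192.168.1.20:80 -> 10.1.2.3:51234",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(ln, "->", log_directory("./log", ln, "192.168.1.0/24"))
```

Both sample lines, one in each direction, resolve to log/10.1.2.3 with -h 192.168.1.0/24, which is the behaviour the paragraph above describes.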
