Snort can be configured to run in the following modes:

Mode Description
Sniffer Read packets off of the network and display in a continuous stream on the console (screen).
Packet Logger Log packets to disk.
Network Intrusion Detection System (NIDS) Analyze network traffic for matches against a user-defined rule set and perform actions based on results
Inline Mode Obtain packets from iptables instead of from libpcap and then causes iptables to drop or pass packets based on Snort rules that use inline-specific rule types.

Sniffer Mode

To print out the TCP/IP packet headers to the screen:

$ snort -v

04/09-12:09:58.857395 ->
TCP TTL:64 TOS:0x10 ID:27989 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0xD4D6A84  Ack: 0xB2E77A1C  Win: 0x2A80  TcpLen: 32
***AP*** Seq: 0xD4D6A84  Ack: 0xB2E77A1C  Win: 0x2A80  TcpLen: 32

To see the application data in transit:

$ snort -vd

To show the data link layer headers:

$ snort -vde


Packet Logger Mode

To record the packets to the disk specify a logging directory, and Snort will automatically know to go into packet logger mode:

./snort -dev -l ./log

Snort will collect every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram. In order to log relative to the home network, you need to tell Snort which network is the home network:

./snort -dev -l ./log -h

This rule tells Snort to print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1) host.

See Also

  2. Linux Security
  3. nmap