Snort

From NSMWiki

Background

Official site: http://www.snort.org

Snort is an open source network intrusion detection system (NIDS) that runs on Windows, Linux, various Unix systems, and all major BSD operating systems. Snort may also be used as a plain network sniffer without IDS capabilities, and on some operating systems it may run "inline" as an intrusion prevention system, dropping traffic rather than only alerting on it. Snort monitors a network interface on the host operating system (or reads a saved tcpdump/pcap capture with -r) and searches the traffic for predefined patterns. The patterns are defined as Snort rules (discussed in more depth below).

Output

Snort can report its findings in a number of output formats, selected with output plugins in the configuration file or with command-line switches. These output formats include:

  • syslog
  • alert full
  • tcpdump
  • database
  • unified
  • alert prelude

Unified output is a binary format and is the fastest logging method: Snort writes raw event and packet records and leaves the conversion into a database, syslog or text format to a separate process, so the sensor does not block on slow output. Barnyard is the application that typically reads unified output files and converts the data into another format.
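The text formats above are easy to post-process with a few lines of code. As an added example (not from NSMWiki or the Snort project), the following Python parses the "alert fast" format written by -A fast, one line per alert, and counts alerts per signature and per source host. The field layout in the comment is the Snort 2.x one; the sample lines are constructed for this example, with sids in the local (1000000+) range, and are not a real capture.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One line of Snort 2.x "alert fast" output (-A fast / output alert_fast):
#   MM/DD[/YY]-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification and Priority are absent when the rule carries no classtype/priority.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

@dataclass
class FastAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]      # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]

def parse_fast_alert(line: str) -> Optional[FastAlert]:
    """Parse one alert-fast line; return None for lines that are not alerts."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()

    def to_int(v):
        return int(v) if v is not None else None

    return FastAlert(g["ts"], int(g["gid"]), int(g["sid"]), int(g["rev"]), g["msg"],
                     g["cls"], to_int(g["prio"]), g["proto"],
                     g["src"], to_int(g["sport"]), g["dst"], to_int(g["dport"]))

def summarize(lines):
    """Alert counts per signature and per source host; unparseable non-blank lines are counted rather than dropped silently."""
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            skipped += bool(line.strip())
            continue
        by_sig[(alert.gid, alert.sid, alert.msg)] += 1
        by_src[alert.src] += 1
    return by_sig, by_src, skipped

# Constructed sample of alert-fast output (local-range sids; not a real capture).
SAMPLE_ALERT_FAST = """\
08/28-19:30:04.124000  [**] [1:1000001:1] LOCAL sqlmap User-Agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51000 -> 192.168.1.10:80
08/28-19:30:05.001200  [**] [1:1000002:1] LOCAL ICMP echo request from outside [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.10
08/28-19:30:05.330000  [**] [1:1000001:1] LOCAL sqlmap User-Agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51002 -> 192.168.1.10:80
this line is not an alert and must not crash the parser
"""

if __name__ == "__main__":
    sigs, srcs, skipped = summarize(SAMPLE_ALERT_FAST.splitlines())
    for (gid, sid, msg), n in sigs.most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    print(f"top sources: {srcs.most_common(3)}; skipped lines: {skipped}")
```

Lines that do not match are counted instead of being discarded, so a format change (for example a Snort upgrade that alters the timestamp layout, or -y adding the year) shows up as a rising skipped count rather than as silently missing alerts.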

Rules

Snort rules define the patterns Snort looks for in network traffic. They are written in the Snort rule language: a header naming the action, protocol, source and destination addresses and ports, followed by options in parentheses such as msg, content and sid. Prewritten rule sets are available from snort.org and emergingthreats.com.
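To make the rule structure concrete, here is an added example that is not part of this page or of Snort itself: a toy Python evaluator for a small subset of the rule language (header fields with ! negation and port ranges, $HOME_NET/$EXTERNAL_NET expansion, content with |hex| escapes and nocase, and itype), run over constructed packets. The two rules, the HOME_NET value of 192.168.1.0/24 and the packets are all assumptions made for the example. Real Snort also reassembles streams and evaluates options such as flow, which this toy stores but ignores, so it is an illustration of the syntax, not a substitute for the engine.

```python
import ipaddress
import re
# Toy matcher for a subset of the Snort 2 rule language: header (action proto src
# sport -> dst dport), !-negation, port ranges, $VAR expansion, content with |hex|
# escapes and nocase, and itype. flow, classtype etc. land in rule.opts unevaluated.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]          # assumed example value
VARIABLES = {"$HOME_NET": (False, HOME_NET), "$EXTERNAL_NET": (True, HOME_NET)}
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def parse_addr(spec, variables):
    """'any', an IP/CIDR or a $VAR, optionally '!'-negated -> predicate over an IP."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec in variables:                      # a negated variable flips the sense
        neg, nets = neg ^ variables[spec][0], variables[spec][1]
    else:
        nets = None if spec == "any" else [ipaddress.ip_network(spec, strict=False)]
    return lambda ip: (nets is None or any(ipaddress.ip_address(ip) in n for n in nets)) != neg

def parse_port(spec):
    """'any', a port or a range (1:1024, :1024, 1024:), optionally negated -> predicate."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return lambda port: not neg
    lo, sep, hi = spec.partition(":")
    lo, hi = int(lo) if lo else 0, int(hi) if hi else (65535 if sep else int(lo))
    return lambda port: (port is not None and lo <= port <= hi) != neg

def split_options(text):
    """Split options on ';' outside double quotes (';' is legal inside content)."""
    parts, buf, in_quote = [], "", False
    for ch in text:
        in_quote ^= ch == '"'
        if ch == ";" and not in_quote:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return [p for p in parts + [buf.strip()] if p]

def decode_content(value):
    """content string -> bytes, expanding |3a 0d 0a|-style hex escapes."""
    out = bytearray()
    for m in re.finditer(r"\|([0-9A-Fa-f\s]+)\||([^|]+)", value.strip('"')):
        out += bytes.fromhex(m.group(1)) if m.group(1) else m.group(2).encode("latin-1")
    return bytes(out)

class Rule:
    def __init__(self, text, variables=VARIABLES):
        m = HEADER_RE.match(text.strip())
        if not m:
            raise ValueError("unparseable rule: " + text)
        self.action, self.proto = m.group(1), m.group(2).lower()
        self.src, self.sport = parse_addr(m.group(3), variables), parse_port(m.group(4))
        self.dst, self.dport = parse_addr(m.group(5), variables), parse_port(m.group(6))
        self.opts, self.contents = {}, []       # contents: [negated, pattern, nocase]
        for opt in split_options(m.group(7)):
            key, _, val = (s.strip() for s in opt.partition(":"))
            if key == "content":
                self.contents.append([val.startswith("!"), decode_content(val.lstrip("!")), False])
            elif key == "nocase" and self.contents:
                self.contents[-1][2] = True     # nocase modifies the preceding content
            else:
                self.opts[key] = val.strip('"')
        self.sid, self.msg = int(self.opts.get("sid", 0)), self.opts.get("msg", "")

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (self.src(pkt["src"]) and self.sport(pkt.get("sport"))
                and self.dst(pkt["dst"]) and self.dport(pkt.get("dport"))):
            return False
        payload = pkt.get("payload", b"")
        for negated, pattern, nocase in self.contents:
            hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
            if (needle in hay) == negated:      # a negated content must be absent
                return False
        return "itype" not in self.opts or pkt.get("itype") == int(self.opts["itype"])

def load_rules(text, variables=VARIABLES):
    return [Rule(l, variables) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def run_rules(rules, packets):                  # (sid, packet index) for every hit
    return [(r.sid, i) for i, p in enumerate(packets) for r in rules if r.matches(p)]

# Constructed sample rules and packets for this example (not from a real rule set or capture).
RULES_TEXT = """
# local rules; sids from 1000000 up are reserved for local use
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL sqlmap User-Agent"; flow:to_server,established; content:"User-Agent|3a| sqlmap"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request from outside"; itype:8; sid:1000002; rev:1;)
"""
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /admin HTTP/1.1\r\nHost: www\r\nUser-Agent: SQLMAP/1.4\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 80, "dst": "203.0.113.5", "dport": 51000,
     "payload": b"HTTP/1.1 200 OK\r\nUser-Agent: sqlmap\r\n"},      # same bytes, wrong direction
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.168.1.10", "itype": 8},
    {"proto": "icmp", "src": "192.168.1.10", "dst": "198.51.100.7", "itype": 0},   # reply from inside
]

if __name__ == "__main__":
    for sid, idx in run_rules(load_rules(RULES_TEXT), PACKETS):
        print(f"sid {sid} fired on packet {idx}")
```

Two details worth noticing because they bite in real rules: the colon in the User-Agent header is written as |3a| because ":" has meaning inside rule options, and the second packet carries the same bytes but does not fire, since the header direction ($EXTERNAL_NET to $HOME_NET) is evaluated before any content check.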

Configuration

(Work in progress)

Usage

$ snort -h
snort: option requires an argument -- h

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.3 (Build 26)
   '    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
 NOTE: Snort's default output has changed in version 2.4.1!
       The default logging mode is now PCAP, use "-K ascii" to activate
       the old default logging mode.

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after initialization
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Home network = <hn>
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -o         Change the rule testing order to Pass|Alert|Log
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -Z         Set the performonitor preprocessor file path and name
        -z         Set assurance mode, match on established sesions (for TCP)
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump

Snort related links