SNORT(8)                    System Manager's Manual                    SNORT(8)

NAME
       Snort - open source network intrusion detection system

SYNOPSIS
       snort [-bCdDeEfHIMNoOpqQsTUvVwWxXy?] [-A alert-mode]
             [-B address-conversion-mask] [-c rules-file] [-F bpf-file]
             [-g grpname] [-G id] [-h home-net] [-i interface] [-J port]
             [-k checksum-mode] [-K logging-mode] [-l log-dir]
             [-L bin-log-file] [-m umask] [-n packet-count] [-P snap-length]
             [-r tcpdump-file] [-R name] [-S variable=value]
             [-t chroot_directory] [-u usrname] [-Z pathname] [--logid id]
             [--perfmon-file pathname] [--pid-path pathname]
             [--snaplen snap-length] [--help] [--version]
             [--dynamic-engine-lib file] [--dynamic-engine-lib-dir directory]
             [--dynamic-detection-lib file]
             [--dynamic-detection-lib-dir directory]
             [--dump-dynamic-rules directory] [--dynamic-preprocessor-lib file]
             [--dynamic-preprocessor-lib-dir directory] [--alert-before-pass]
             [--treat-drop-as-alert] [--process-all-events] [--create-pidfile]
             [--nolock-pidfile] [--disable-inline-initialization]
             [--pcap-single=tcpdump-file] [--pcap-filter=filter]
             [--pcap-list=list] [--pcap-dir=directory] [--pcap-file=file]
             [--pcap-no-filter] [--pcap-reset] [--pcap-show count]
             [--conf-error-out] [--require-rule-sid] expression

DESCRIPTION
       Snort is an open source network intrusion detection system, capable of
       performing real-time traffic analysis and packet logging on IP
       networks. It can perform protocol analysis and content
       searching/matching, and can be used to detect a variety of attacks and
       probes, such as buffer overflows, stealth port scans, CGI attacks, SMB
       probes, OS fingerprinting attempts, and much more. Snort uses a
       flexible rules language to describe traffic that it should collect or
       pass, as well as a detection engine that utilizes a modular plugin
       architecture. Snort also has a modular real-time alerting capability,
       incorporating alerting and logging plugins for syslog, ASCII text
       files, UNIX sockets, databases (MySQL/PostgreSQL/Oracle/ODBC) or XML.

       Snort has three primary uses. It can be used as a straight packet
       sniffer like tcpdump(1), as a packet logger (useful for network traffic
       debugging, etc.), or as a full-blown network intrusion detection
       system.

       Snort logs packets in tcpdump(1) binary format, to a database, or in
       Snort's decoded ASCII format to a hierarchy of logging directories that
       are named based on the IP address of the "foreign" host.

OPTIONS
       -A alert-mode
              Alert using the specified alert-mode. Valid alert modes include
              fast, full, none, and unsock. Fast writes alerts to the default
              "alert" file as a single-line, syslog-style alert message. Full
              writes the alert to the "alert" file with the full decoded
              header as well as the alert message. None turns off alerting.
              Unsock is an experimental mode that sends the alert information
              out over a UNIX socket to another process that attaches to that
              socket.

       -b     Log packets in a tcpdump(1) formatted file. All packets are
              logged in their native binary state to a tcpdump formatted log
              file named with the snort start timestamp and "snort.log". This
              option results in much faster operation of the program since it
              doesn't have to spend time in the packet binary->text
              converters. Snort can keep up pretty well with 100Mbps networks
              in '-b' mode. To choose an alternate name for the binary log
              file, use the '-L' switch.

       -B address-conversion-mask
              Convert all IP addresses in home-net to addresses specified by
              address-conversion-mask. Used to obfuscate IP addresses within
              binary logs. Specify home-net with the '-h' switch. Note that
              this is not the same as $HOME_NET.

       -c config-file
              Use the rules located in file config-file.

       -C     Print the character data from the packet payload only (no hex).

       -d     Dump the application layer data when displaying packets in
              verbose or packet logging mode.

       -D     Run Snort in daemon mode. Alerts are sent to
              /var/log/snort/alert unless otherwise specified.

       -e     Display/log the link layer packet headers.

       -E     *WIN32 ONLY* Log alerts to the Windows Event Log.

       -f     Activate PCAP line buffering.

       -F bpf-file
              Read BPF filters from bpf-file. This is handy for people running
              Snort as a SHADOW replacement or with a love of super complex
              BPF filters. See the "expression" section of this man page for
              more info on writing BPF filters.

       -g group
              Change the group/GID Snort runs under to group after
              initialization. This switch allows Snort to drop root privileges
              after its initialization phase has completed, as a security
              measure.

       -G id  Use id as a base event ID when logging events. Useful for
              distinguishing events logged to the same database from multiple
              snort instances.

       -h home-net
              Set the "home network" to home-net. The format of this address
              variable is a network prefix plus a CIDR block, such as
              192.168.1.0/24. Once this variable is set, all decoded packet
              logging will be done relative to the home network address space.
              This is useful because of the way that Snort formats its ASCII
              log data. With this value set to the local network, all decoded
              output will be logged into decode directories with the address
              of the foreign computer as the directory name, which is very
              useful during traffic analysis.

       -H     Force hash tables to be deterministic instead of using a random
              number generator for the seed and scale. Useful for testing and
              generating repeatable results with the same traffic.

       -i interface
              Sniff packets on interface.

       -I     Print out the receiving interface name in alerts.

       -J port
              Use port to read packets when running inline mode on a system
              with a divert socket.

       -k checksum-mode
              Tune the internal checksum verification functionality with
              checksum-mode. Valid checksum modes include all, noip, notcp,
              noudp, noicmp, and none. All activates checksum verification for
              all supported protocols. Noip turns off IP checksum
              verification, which is handy if the gateway router is already
              dropping packets that fail their IP checksum checks. Notcp turns
              off TCP checksum verification while leaving the other checksums
              verified. Noudp turns off UDP checksum verification. Noicmp
              turns off ICMP checksum verification. None turns off the entire
              checksum verification subsystem.

       -K logging-mode
              Select a packet logging mode. Valid logging modes include pcap,
              ascii, and none; the default logging-mode is pcap. Pcap logs
              packets through the pcap library in pcap (tcpdump) format. Ascii
              logs packets in the old "directories and files" format with
              packet printouts in each file. None turns off packet logging.

       -l log-dir
              Set the output logging directory to log-dir. All plain text
              alerts and packet logs go into this directory. If this option is
              not specified, the default logging directory is /var/log/snort.

       -L binary-log-file
              Set the filename of the binary log file to binary-log-file. If
              this switch is not used, the default name is a timestamp for the
              time that the file is created plus "snort.log".

       -m umask
              Set the file mode creation mask to umask.

       -M     Log console messages to syslog when not running in daemon mode.
              This switch has no impact on logging of alerts.

       -n packet-count
              Process packet-count packets and exit.

       -N     Turn off packet logging. The program still generates alerts
              normally.

       -O     Obfuscate the IP addresses when in ASCII packet dump mode. This
              switch changes the IP addresses that get printed to the
              screen/log file to "xxx.xxx.xxx.xxx". If the home-net address
              switch (-h) is set, only addresses on the home net will be
              obfuscated while non-home-net IPs will be left visible. Perfect
              for posting to your favorite security mailing list!

       -p     Turn off promiscuous mode sniffing.

       -P snap-length
              Set the packet snaplen to snap-length.

       -q     Quiet operation. Don't display the banner and initialization
              information.

       -Q     Read packets from iptables/IPQ (Linux only) when running in
              inline mode.

       -r tcpdump-file
              Read the tcpdump-formatted file tcpdump-file. This will cause
              Snort to read and process the file fed to it. This is useful if,
              for instance, you've got a bunch of SHADOW files that you want
              to process for content, or even if you've got a bunch of
              reassembled packet fragments which have been written into a
              tcpdump formatted file.

       -R name
              Use name as a suffix to the snort pidfile.

       -s     Send alert messages to syslog. On Linux boxes they will appear
              in /var/log/secure; on many other platforms they appear in
              /var/log/messages.

       -S variable=value
              Set variable name "variable" to value "value". This is useful
              for setting the value of a defined variable name in a Snort
              rules file to a command line specified value. For instance, if
              you define a HOME_NET variable name inside of a Snort rules
              file, you can override its predefined value from the command
              line.

       -t chroot
              Changes Snort's root directory to chroot after initialization.
              Please note that all log/alert filenames are relative to the
              chroot directory if chroot is used.

       -T     Snort will start up in self-test mode, checking all the supplied
              command line switches and rules files that are handed to it and
              indicating that everything is ready to proceed. This is a good
              switch to use if daemon mode is going to be used: it verifies
              that the Snort configuration that is about to be used is valid
              and won't fail at run time. Note that Snort looks for either
              /etc/snort.conf or ./snort.conf. If your config lives elsewhere,
              use the -c option to specify a valid config-file.

       -u user
              Change the user/UID Snort runs under to user after
              initialization.

       -U     Changes the timestamp in all logs to be in UTC.

       -v     Be verbose. Prints packets out to the console. There is one big
              problem with verbose mode: it's slow. If you are doing IDS work
              with Snort, don't use the '-v' switch; you WILL drop packets.

       -V     Show the version number and exit.

       -w     Show management frames if running on an 802.11 (wireless)
              network.

       -W     *WIN32 ONLY* Enumerate the network interfaces available.

       -x     Exit if Snort configuration problems occur, such as duplicate
              gid/sid or flowbits without Stream5.

       -X     Dump the raw packet data starting at the link layer. This
              switch overrides the '-d' switch.

       -y     Include the year in alert and log files.

       -Z pathname
              Set the perfmonitor preprocessor path/filename to pathname.

       -?     Show the program usage statement and exit.

       --logid id
              Same as -G.

       --perfmon-file pathname
              Same as -Z.

       --pid-path directory
              Specify the directory for the Snort PID file.

       --snaplen snap-length
              Same as -P.

       --help Same as -?.

       --version
              Same as -V.

       --dynamic-engine-lib file
              Load a dynamic detection engine shared library specified by
              file.

       --dynamic-engine-lib-dir directory
              Load all dynamic detection engine shared libraries found in
              directory.

       --dynamic-detection-lib file
              Load a dynamic detection rules shared library specified by file.

       --dynamic-detection-lib-dir directory
              Load all dynamic detection rules shared libraries found in
              directory.

       --dump-dynamic-rules directory
              Create stub rule files from all loaded dynamic detection rules
              libraries. Files will be created in directory. This is required
              to be done prior to running snort using those detection rules,
              and the generated rules files must be included in snort.conf.

       --dynamic-preprocessor-lib file
              Load a dynamic preprocessor shared library specified by file.

       --dynamic-preprocessor-lib-dir directory
              Load all dynamic preprocessor shared libraries found in
              directory.

       --alert-before-pass
              Process alert, drop, sdrop, or reject before pass. The default
              is pass before alert, drop, etc.

       --treat-drop-as-alert
              Converts drop, sdrop, and reject rules into alert rules during
              startup.

       --process-all-events
              Process all triggered events in group order, per the Rule
              Ordering configuration. The default stops after the first
              group.

       --create-pidfile
              Create a PID file, even when not in daemon mode.

       --nolock-pidfile
              Do not try to lock the Snort PID file.

       --disable-inline-initialization
              Do not initialize IPTables when in inline mode. To be used with
              -T to test for a valid configuration without requiring opening
              inline devices and adversely affecting traffic flow.

       --pcap-single=tcpdump-file
              Same as -r. Added for completeness.

       --pcap-filter=filter
              Shell-style filter to apply when getting pcaps from a file or
              directory. This filter will apply to any --pcap-file or
              --pcap-dir arguments following it. Use --pcap-no-filter to
              delete the filter for following --pcap-file or --pcap-dir
              arguments, or specify --pcap-filter again to forget the previous
              filter and apply the new one to following --pcap-file or
              --pcap-dir arguments.

       --pcap-list="list"
              A space separated list of pcaps to read.

       --pcap-dir=directory
              A directory to recurse into to look for pcaps. Sorted in ASCII
              order.

       --pcap-file=file
              File that contains a list of pcaps to read. Each line can
              specify a path to a pcap or a directory to recurse into to get
              pcaps.

       --pcap-no-filter
              Reset to use no filter when getting pcaps from a file or
              directory.

       --pcap-reset
              If reading multiple pcaps, reset snort to its post-configuration
              state before reading the next pcap. The default, i.e. without
              this option, is not to reset state.

       --pcap-show
              Print a line saying which pcap is currently being read.

       --exit-check=count
              Signal termination after <count> callbacks from pcap_dispatch(),
              showing the time it takes from signaling until pcap_close() is
              called.

       --conf-error-out
              Same as -x.

       --require-rule-sid
              Require a SID for every rule so that all rules can be
              thresholded correctly.


       expression
              selects which packets will be dumped. If no expression is
              given, all packets on the net will be dumped. Otherwise, only
              packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives. Primitives
              usually consist of an id (name or number) preceded by one or
              more qualifiers. There are three different kinds of qualifier:

              type   qualifiers say what kind of thing the id name or number
                     refers to. Possible types are host, net and port. E.g.,
                     `host foo', `net 128.3', `port 20'. If there is no type
                     qualifier, host is assumed.

              dir    qualifiers specify a particular transfer direction to
                     and/or from id. Possible directions are src, dst, src or
                     dst and src and dst. E.g., `src foo', `dst net 128.3',
                     `src or dst port ftp-data'. If there is no dir
                     qualifier, src or dst is assumed. For `null' link layers
                     (i.e. point to point protocols such as slip) the inbound
                     and outbound qualifiers can be used to specify a desired
                     direction.

              proto  qualifiers restrict the match to a particular protocol.
                     Possible protos are: ether, fddi, ip, arp, rarp, decnet,
                     lat, sca, moprc, mopdl, tcp and udp. E.g., `ether src
                     foo', `arp net 128.3', `tcp port 21'. If there is no
                     proto qualifier, all protocols consistent with the type
                     are assumed. E.g., `src foo' means `(ip or arp or rarp)
                     src foo' (except the latter is not legal syntax), `net
                     bar' means `(ip or arp or rarp) net bar' and `port 53'
                     means `(tcp or udp) port 53'.

              [`fddi' is actually an alias for `ether'; the parser treats them
              identically as meaning ``the data link level used on the
              specified network interface.'' FDDI headers contain
              Ethernet-like source and destination addresses, and often
              contain Ethernet-like packet types, so you can filter on these
              FDDI fields just as with the analogous Ethernet fields. FDDI
              headers also contain other fields, but you cannot name them
              explicitly in a filter expression.]

              In addition to the above, there are some special `primitive'
              keywords that don't follow the pattern: gateway, broadcast,
              less, greater and arithmetic expressions. All of these are
              described below.

              More complex filter expressions are built up by using the words
              and, or and not to combine primitives. E.g., `host foo and not
              port ftp and not port ftp-data'. To save typing, identical
              qualifier lists can be omitted. E.g., `tcp dst port ftp or
              ftp-data or domain' is exactly the same as `tcp dst port ftp or
              tcp dst port ftp-data or tcp dst port domain'.

              Allowable primitives are:

              dst host host
                     True if the IP destination field of the packet is host,
                     which may be either an address or a name.

              src host host
                     True if the IP source field of the packet is host.

              host host
                     True if either the IP source or destination of the packet
                     is host. Any of the above host expressions can be
                     prepended with the keywords ip, arp, or rarp as in:
                          ip host host
                     which is equivalent to:
                          ether proto \ip and host host
                     If host is a name with multiple IP addresses, each
                     address will be checked for a match.

              ether dst ehost
                     True if the ethernet destination address is ehost. Ehost
                     may be either a name from /etc/ethers or a number (see
                     ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination address
                     is ehost.

              gateway host
                     True if the packet used host as a gateway. I.e., the
                     ethernet source or destination address was host but
                     neither the IP source nor the IP destination was host.
                     Host must be a name and must be found in both /etc/hosts
                     and /etc/ethers. (An equivalent expression is
                          ether host ehost and not host host
                     which can be used with either names or numbers for host /
                     ehost.)

              dst net net
                     True if the IP destination address of the packet has a
                     network number of net. Net may be either a name from
                     /etc/networks or a network number (see networks(4) for
                     details).

              src net net
                     True if the IP source address of the packet has a network
                     number of net.

              net net
                     True if either the IP source or destination address of
                     the packet has a network number of net.

              net net mask mask
                     True if the IP address matches net with the specified
                     netmask. May be qualified with src or dst.

              net net/len
                     True if the IP address matches net with a netmask len
                     bits wide. May be qualified with src or dst.

              dst port port
                     True if the packet is ip/tcp or ip/udp and has a
                     destination port value of port. The port can be a number
                     or a name used in /etc/services (see tcp(4P) and
                     udp(4P)). If a name is used, both the port number and
                     protocol are checked. If a number or ambiguous name is
                     used, only the port number is checked (e.g., dst port 513
                     will print both tcp/login traffic and udp/who traffic,
                     and port domain will print both tcp/domain and udp/domain
                     traffic).

              src port port
                     True if the packet has a source port value of port.

              port port
                     True if either the source or destination port of the
                     packet is port. Any of the above port expressions can be
                     prepended with the keywords tcp or udp, as in:
                          tcp src port port
                     which matches only tcp packets whose source port is port.

              less length
                     True if the packet has a length less than or equal to
                     length. This is equivalent to:
                          len <= length.

              greater length
                     True if the packet has a length greater than or equal to
                     length. This is equivalent to:
                          len >= length.

              ip proto protocol
                     True if the packet is an ip packet (see ip(4P)) of
                     protocol type protocol. Protocol can be a number or one
                     of the names icmp, igrp, udp, nd, or tcp. Note that the
                     identifiers tcp, udp, and icmp are also keywords and must
                     be escaped via backslash (\), which is \\ in the C-shell.

              ether broadcast
                     True if the packet is an ethernet broadcast packet. The
                     ether keyword is optional.

              ip broadcast
                     True if the packet is an IP broadcast packet. It checks
                     for both the all-zeroes and all-ones broadcast
                     conventions, and looks up the local subnet mask.

              ether multicast
                     True if the packet is an ethernet multicast packet. The
                     ether keyword is optional. This is shorthand for
                     `ether[0] & 1 != 0'.

              ip multicast
                     True if the packet is an IP multicast packet.

              ether proto protocol
                     True if the packet is of ether type protocol. Protocol
                     can be a number or a name like ip, arp, or rarp. Note
                     these identifiers are also keywords and must be escaped
                     via backslash (\). [In the case of FDDI (e.g., `fddi
                     protocol arp'), the protocol identification comes from
                     the 802.2 Logical Link Control (LLC) header, which is
                     usually layered on top of the FDDI header. Tcpdump
                     assumes, when filtering on the protocol identifier, that
                     all FDDI packets include an LLC header, and that the LLC
                     header is in so-called SNAP format.]

              decnet src host
                     True if the DECNET source address is host, which may be
                     an address of the form ``10.123'', or a DECNET host name.
                     [DECNET host name support is only available on Ultrix
                     systems that are configured to run DECNET.]

              decnet dst host
                     True if the DECNET destination address is host.

              decnet host host
                     True if either the DECNET source or destination address
                     is host.

              ip, arp, rarp, decnet
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols. Note that Snort
                     does not currently know how to parse these protocols.

              tcp, udp, icmp
                     Abbreviations for:
                          ip proto p
                     where p is one of the above protocols.

              expr relop expr
                     True if the relation holds, where relop is one of >, <,
                     >=, <=, =, !=, and expr is an arithmetic expression
                     composed of integer constants (expressed in standard C
                     syntax), the normal binary operators [+, -, *, /, &, |],
                     a length operator, and special packet data accessors. To
                     access data inside the packet, use the following syntax:
                          proto [ expr : size ]
                     Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or
                     icmp, and indicates the protocol layer for the index
                     operation. The byte offset, relative to the indicated
                     protocol layer, is given by expr. Size is optional and
                     indicates the number of bytes in the field of interest;
                     it can be either one, two, or four, and defaults to one.
                     The length operator, indicated by the keyword len, gives
                     the length of the packet.

                     For example, `ether[0] & 1 != 0' catches all multicast
                     traffic. The expression `ip[0] & 0xf != 5' catches all
                     IP packets with options. The expression `ip[6:2] & 0x1fff
                     = 0' catches only unfragmented datagrams and frag zero of
                     fragmented datagrams. This check is implicitly applied
                     to the tcp and udp index operations. For instance,
                     tcp[0] always means the first byte of the TCP header, and
                     never means the first byte of an intervening fragment.
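
                     The three accessor expressions just quoted, worked
                     through byte by byte. This is an added example, not code
                     from the man page, Snort or libpcap: it builds a
                     constructed Ethernet II/IPv4 frame, implements the
                     proto[offset:size] accessor for the ether, ip and tcp
                     layers, and applies the multicast, IP-options and
                     fragment-offset tests. It assumes untagged Ethernet II
                     framing (a 14-byte link header, named ETH_HDR_LEN here)
                     and resolves the tcp layer from the IP header length; like
                     the text says, it refuses to index tcp on a non-first
                     fragment rather than returning bytes of the fragment.

```python
import struct

ETH_HDR_LEN = 14  # assumption: untagged Ethernet II framing


def build_frame(dst_mac, options=b"", frag_offset=0, more_fragments=False,
                payload=b""):
    """Constructed Ethernet II + IPv4 frame; payload is the raw bytes after the
    IP header (e.g. the first bytes of a TCP header)."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 4-byte boundary")
    ihl_words = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1fff)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,           # version 4, header length in 32-bit words
        0,                              # TOS
        ihl_words * 4 + len(payload),   # total length
        0x1234,                         # identification (constructed value)
        flags_frag,                     # flags (MF = 0x2000) + 13-bit fragment offset
        64, 6, 0,                       # TTL, protocol 6 (TCP), checksum left zero
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    src_mac = b"\x00\x11\x22\x33\x44\x55"
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + options + payload


def layer_offset(frame, proto):
    """Byte offset at which the named protocol layer starts in the frame."""
    if proto == "ether":
        return 0
    if proto == "ip":
        return ETH_HDR_LEN
    if proto in ("tcp", "udp"):
        # tcp[...] only has meaning on an unfragmented datagram or fragment zero
        if access(frame, "ip", 6, 2) & 0x1fff != 0:
            raise ValueError("tcp/udp index on a non-first fragment")
        ihl_bytes = (frame[ETH_HDR_LEN] & 0x0f) * 4
        return ETH_HDR_LEN + ihl_bytes
    raise ValueError(f"unsupported layer {proto!r}")


def access(frame, proto, offset, size=1):
    """proto[offset:size] from the filter syntax, as a big-endian integer."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    start = layer_offset(frame, proto) + offset
    return int.from_bytes(frame[start:start + size], "big")


def is_multicast(frame):
    """ether[0] & 1 != 0: low bit of the first destination MAC byte."""
    return access(frame, "ether", 0) & 1 != 0


def has_ip_options(frame):
    """ip[0] & 0xf != 5: header length in words other than the minimum 5."""
    return access(frame, "ip", 0) & 0xf != 5


def is_unfragmented_or_first(frame):
    """ip[6:2] & 0x1fff = 0: 13-bit fragment offset is zero."""
    return access(frame, "ip", 6, 2) & 0x1fff == 0
```

                     The fragment check matters for detection: a filter or
                     rule that reads tcp[0] from every IP datagram carrying
                     protocol 6 would otherwise see payload bytes of later
                     fragments as if they were a TCP header.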

              Primitives may be combined using:

                     A parenthesized group of primitives and operators
                     (parentheses are special to the Shell and must be
                     escaped).

                     Negation (`!' or `not').

                     Concatenation (`&&' or `and').

                     Alternation (`||' or `or').

              Negation has highest precedence. Alternation and concatenation
              have equal precedence and associate left to right. Note that
              explicit and tokens, not juxtaposition, are now required for
              concatenation.

              If an identifier is given without a keyword, the most recent
              keyword is assumed. For example,
                   not host vs and ace
              is short for
                   not host vs and host ace
              which should not be confused with
                   not ( host vs or ace )

              Expression arguments can be passed to Snort as either a single
              argument or as multiple arguments, whichever is more convenient.
              Generally, if the expression contains Shell metacharacters, it
              is easier to pass it as a single, quoted argument. Multiple
              arguments are concatenated with spaces before being parsed.
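
              The combination rules above (negation binds tightest, and/or
              share one precedence level and associate left to right, a bare
              identifier inherits the most recent qualifiers) are easy to
              get wrong when writing a BPF filter by hand. The following is an
              added example, not Snort's or libpcap's code: a small parser and
              evaluator for the host/net/port, src/dst and ip/tcp/udp subset
              of the grammar, run against constructed decoded-packet
              dictionaries. It goes beyond the text's `not host vs and ace'
              illustration by also checking the equal-precedence rule. Ports
              are numeric only (no /etc/services lookup), and a dotted prefix
              such as `128.3' is read as 8 bits per octet given; both are
              simplifications of this example, not rules from the page.

```python
import ipaddress
import re

PROTOS = {"ip", "tcp", "udp"}
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port"}
QUALIFIERS = PROTOS | DIRS | TYPES
OPERATORS = {"and", "or", "not", "&&", "||", "!", "(", ")"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()]+")


def net_matches(addr, net):
    """'net' may be CIDR (10.0.0.0/8) or a dotted prefix such as 128.3."""
    if "/" not in net:
        octets = net.split(".")
        net = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


class FilterParser:
    """Recursive-descent parser producing a tuple tree for matches()."""

    def __init__(self, text):
        self.toks = TOKEN_RE.findall(text)
        self.pos = 0
        self.last = (None, None, "host")  # (proto, dir, type) a bare id inherits

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        # and/or: equal precedence, left associative
        node = self.unary()
        while self.peek() in ("and", "&&", "or", "||"):
            op = "and" if self.take() in ("and", "&&") else "or"
            node = (op, node, self.unary())
        return node

    def unary(self):
        # negation binds tightest; parentheses group
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            return ("not", self.unary())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        if self.peek() in QUALIFIERS:
            proto = direction = None
            ptype = "host"               # no type qualifier: host is assumed
            while self.peek() in QUALIFIERS:
                kw = self.take()
                if kw in PROTOS:
                    proto = kw
                elif kw in DIRS:
                    direction = kw
                else:
                    ptype = kw
        else:
            proto, direction, ptype = self.last   # most recent keyword assumed
        ident = self.take()
        if ident is None or ident in QUALIFIERS or ident in OPERATORS:
            raise SyntaxError("expected an identifier")
        self.last = (proto, direction, ptype)
        return ("prim", proto, direction, ptype, ident)


def matches(node, pkt):
    """Evaluate a parsed filter against a decoded packet dict."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    _, proto, direction, ptype, ident = node
    if proto in ("tcp", "udp") and pkt["proto"] != proto:
        return False
    if ptype == "port":
        if pkt["proto"] not in ("tcp", "udp"):   # `port 53' means (tcp or udp) port 53
            return False
        values, test = (pkt["sport"], pkt["dport"]), lambda v: str(v) == ident
    elif ptype == "host":
        values, test = (pkt["src"], pkt["dst"]), lambda v: v == ident
    else:
        values, test = (pkt["src"], pkt["dst"]), lambda v: net_matches(v, ident)
    if direction == "src":
        values = values[:1]
    elif direction == "dst":
        values = values[1:]          # no dir qualifier: src or dst
    return any(test(v) for v in values)


def filter_matches(text, pkt):
    return matches(FilterParser(text).parse(), pkt)
```

              With a packet from 10.9.9.9 to 192.168.1.10, `not host 10.1.2.3
              and 192.168.1.10' matches and `not ( host 10.1.2.3 or
              192.168.1.10 )' does not, which is exactly the distinction the
              text draws; and `host A or host B and port 22' is grouped as
              `(host A or host B) and port 22', not as C-style precedence
              would suggest.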

READING PCAPS
       Instead of having Snort listen on an interface, you can give it a
       packet capture to read. Snort will read and analyze the packets as if
       they came off the wire. This can be useful for testing and debugging
       Snort.

       Read a single pcap

              $ snort -r foo.pcap
              $ snort --pcap-single=foo.pcap

       Read pcaps from a file

              $ cat foo.txt
              foo1.pcap
              foo2.pcap
              /home/foo/pcaps

              $ snort --pcap-file=foo.txt

              This will read foo1.pcap, foo2.pcap and all files under
              /home/foo/pcaps. Note that Snort will not try to determine
              whether the files under that directory are really pcap files or
              not.

       Read pcaps from a command line list

              $ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"

              This will read foo1.pcap, foo2.pcap and foo3.pcap.

       Read pcaps under a directory

              $ snort --pcap-dir="/home/foo/pcaps"

              This will include all of the files under /home/foo/pcaps.

       Using filters

              $ cat foo.txt
              foo1.pcap
              foo2.pcap
              /home/foo/pcaps

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
              $ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps

              The above will only include files that match the shell pattern
              "*.pcap", in other words, any file ending in ".pcap".

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
              > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps

              In the above, the first filter "*.pcap" will only be applied to
              the pcaps in the file "foo.txt" (and any directories that are
              recursed in that file). The addition of the second filter "*.cap"
              will cause the first filter to be forgotten and the second to be
              applied to the directory /home/foo/pcaps, so only files ending in
              ".cap" will be included from that directory.

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
              > --pcap-no-filter --pcap-dir=/home/foo/pcaps

              In this example, the first filter will be applied to foo.txt, then
              no filter will be applied to the files found under
              /home/foo/pcaps, so all files found under /home/foo/pcaps will be
              included.

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
              > --pcap-no-filter --pcap-dir=/home/foo/pcaps \
              > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2

              In this example, the first filter will be applied to foo.txt, then
              no filter will be applied to the files found under
              /home/foo/pcaps, so all files found under /home/foo/pcaps will be
              included, then the filter "*.cap" will be applied to files found
              under /home/foo/pcaps2.
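
              The order-dependent behaviour of --pcap-filter, --pcap-no-filter,
              --pcap-file and --pcap-dir described in the examples above,
              modelled in code. This is an added example, not Snort's own
              argument handling: it expands a command line into the list of
              files Snort would be asked to read, using a constructed
              in-memory file tree in place of the disk (the /home/foo/pcaps
              paths and foo.txt are reused from the examples; the file names
              inside them are made up here). Two readings are taken from the
              text and are assumptions of this example: the filter is matched
              against the file's basename with shell wildcard rules, and it
              applies both to files named directly in a --pcap-file list and
              to files found by recursing directories named there. Directory
              contents are taken in ASCII order, as --pcap-dir specifies, and
              a file's extension is not inspected, matching the note that
              Snort does not check whether the files are really pcaps.

```python
import fnmatch
import posixpath

# Constructed file tree standing in for the disk.
FILES = {
    "/home/foo/foo1.pcap",
    "/home/foo/foo2.pcap",
    "/home/foo/pcaps/a.pcap",
    "/home/foo/pcaps/b.cap",
    "/home/foo/pcaps/notes.txt",
    "/home/foo/pcaps/sub/c.pcap",
    "/home/foo/pcaps2/d.cap",
    "/home/foo/pcaps2/e.pcap",
}
# Contents of the --pcap-file lists, one entry per line as in the man page.
LISTS = {"foo.txt": ["foo1.pcap", "foo2.pcap", "/home/foo/pcaps"]}


def is_dir(path, files=FILES):
    prefix = path.rstrip("/") + "/"
    return any(f.startswith(prefix) for f in files)


def files_under(path, files=FILES):
    """All files below path, recursively, in ASCII order."""
    prefix = path.rstrip("/") + "/"
    return sorted(f for f in files if f.startswith(prefix))


def passes(path, pattern):
    """Shell-style filter on the basename; no filter means everything passes."""
    return pattern is None or fnmatch.fnmatchcase(posixpath.basename(path), pattern)


def expand_pcap_args(args, files=FILES, lists=LISTS):
    """Return the ordered list of capture files the given --pcap-* arguments
    select. The current filter is state that later arguments inherit until it
    is replaced by another --pcap-filter or cleared by --pcap-no-filter."""
    pcaps, current_filter = [], None
    for arg in args:
        opt, _, val = arg.partition("=")
        if opt == "--pcap-filter":
            current_filter = val            # forgets any previous filter
        elif opt == "--pcap-no-filter":
            current_filter = None
        elif opt == "--pcap-single":
            pcaps.append(val)               # one explicit file, never filtered
        elif opt == "--pcap-list":
            pcaps.extend(val.split())       # space separated, never filtered
        elif opt == "--pcap-dir":
            pcaps.extend(f for f in files_under(val, files)
                         if passes(f, current_filter))
        elif opt == "--pcap-file":
            for entry in lists[val]:
                found = files_under(entry, files) if is_dir(entry, files) else [entry]
                pcaps.extend(f for f in found if passes(f, current_filter))
        else:
            raise ValueError(f"unsupported argument: {arg}")
    return pcaps
```

              Running the three filter command lines from the examples above
              through expand_pcap_args shows the difference between
              "--pcap-filter again" (b.cap is picked up from /home/foo/pcaps,
              a.pcap is not) and --pcap-no-filter (notes.txt is picked up too,
              because nothing is filtered). When the set of captures fed to a
              detection run matters, that is the check to do before trusting
              the result.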

       Resetting state

              $ snort --pcap-dir=/home/foo/pcaps --pcap-reset

              The above example will read all of the files under
              /home/foo/pcaps, but after each pcap is read, Snort will be reset
              to a post-configuration state, meaning all buffers will be
              flushed, statistics reset, etc. For each pcap, it will be like
              Snort is seeing traffic for the first time.

       Printing the pcap

              $ snort --pcap-dir=/home/foo/pcaps --pcap-show

              The above example will read all of the files under /home/foo/pcaps
              and will print a line indicating which pcap is currently being
              read.

RULES
       Snort uses a simple but flexible rules language to describe network
       packet signatures and associate them with actions. The current rules
       document can be found at http://www.snort.org/snort_rules.html.

SIGNALS
       The following signals have the specified effect when sent to the daemon
       process using the kill(1) command:

       SIGHUP Causes the daemon to close all opened files and restart. Please
              note that this will only work if the full pathname is used to
              invoke snort in daemon mode; otherwise snort will just exit with
              an error message being sent to syslogd(8).

       SIGUSR1
              Causes the program to dump its current packet statistical
              information to the console, or to syslogd(8) if in daemon mode.

       Any other signal causes the daemon to close all opened files and exit.

COPYRIGHT
       Snort has been freely available under the GPL license since 1998.

RETURN VALUES
       Snort returns 0 on a successful exit, 1 if it exits on an error.

BUGS
       After consulting the BUGS file included with the source distribution,
       send bug reports to snort-devel@lists.sourceforge.net

AUTHOR
       Martin Roesch <roesch@snort.org>

SEE ALSO
       tcpdump(1), pcap(3)

                               February 2009                          SNORT(8)