SNORT(8)                    System Manager's Manual                   SNORT(8)

NAME
       Snort - open source network intrusion detection system

SYNOPSIS
       snort [-bCdDeEfHIMNoOpqQsTUvVwWXy?] [-A alert-mode]
       [-B address-conversion-mask] [-c rules-file] [-F bpf-file]
       [-g grpname] [-G id] [-h home-net] [-i interface] [-J port]
       [-k checksum-mode] [-K logging-mode] [-l log-dir] [-L bin-log-file]
       [-m umask] [-n packet-count] [-P snap-length] [-r tcpdump-file]
       [-R name] [-S variable=value] [-t chroot_directory] [-u usrname]
       [-Z pathname] [--logid id] [--perfmon-file pathname]
       [--pid-path pathname] [--snaplen snap-length] [--help] [--version]
       [--dynamic-engine-lib file] [--dynamic-engine-lib-dir directory]
       [--dynamic-detection-lib file] [--dynamic-detection-lib-dir directory]
       [--dump-dynamic-rules directory] [--dynamic-preprocessor-lib file]
       [--dynamic-preprocessor-lib-dir directory]
       [--dump-dynamic-preproc-genmsg directory] [--alert-before-pass]
       [--treat-drop-as-alert] [--process-all-events] [--create-pidfile]
       [--nolock-pidfile] [--disable-inline-initialization]
       [--pcap-single=tcpdump-file] [--pcap-filter=filter] [--pcap-list=list]
       [--pcap-dir=directory] [--pcap-file=file] [--pcap-no-filter]
       [--pcap-reset] [--pcap-show] expression

DESCRIPTION
       Snort is an open source network intrusion detection system, capable of
       performing real-time traffic analysis and packet logging on IP
       networks.  It can perform protocol analysis and content
       searching/matching, and can be used to detect a variety of attacks and
       probes, such as buffer overflows, stealth port scans, CGI attacks, SMB
       probes, OS fingerprinting attempts, and much more.  Snort uses a
       flexible rules language to describe traffic that it should collect or
       pass, as well as a detection engine that utilizes a modular plugin
       architecture.  Snort also has a modular real-time alerting capability,
       incorporating alerting and logging plugins for syslog, ASCII text
       files, UNIX sockets, databases (MySQL/PostgreSQL/Oracle/ODBC) or XML.

       Snort has three primary uses.  It can be used as a straight packet
       sniffer like tcpdump(1), a packet logger (useful for network traffic
       debugging, etc.), or as a full blown network intrusion detection
       system.

       Snort logs packets in tcpdump(1) binary format, to a database or in
       Snort's decoded ASCII format to a hierarchy of logging directories that
       are named based on the IP address of the "foreign" host.
47
OPTIONS
       -A alert-mode
              Alert using the specified alert-mode.  Valid alert modes include
              fast, full, none, and unsock.  Fast writes alerts to the default
              "alert" file in a single-line, syslog style alert message.  Full
              writes the alert to the "alert" file with the full decoded
              header as well as the alert message.  None turns off alerting.
              Unsock is an experimental mode that sends the alert information
              out over a UNIX socket to another process that attaches to that
              socket.

       -b     Log packets in a tcpdump(1) formatted file.  All packets are
              logged in their native binary state to a tcpdump formatted log
              file named with the snort start timestamp and "snort.log".  This
              option results in much faster operation of the program since it
              doesn't have to spend time in the packet binary->text
              converters.  Snort can keep up pretty well with 100Mbps networks
              in '-b' mode.  To choose an alternate name for the binary log
              file, use the '-L' switch.

       -B address-conversion-mask
              Convert all IP addresses in home-net to addresses specified by
              address-conversion-mask.  Used to obfuscate IP addresses within
              binary logs.  Specify home-net with the '-h' switch.  Note this
              is not the same as $HOME_NET.

       -c config-file
              Use the rules located in file config-file.

       -C     Print the character data from the packet payload only (no hex).

       -d     Dump the application layer data when displaying packets in
              verbose or packet logging mode.

       -D     Run Snort in daemon mode.  Alerts are sent to
              /var/log/snort/alert unless otherwise specified.

       -e     Display/log the link layer packet headers.

       -E     *WIN32 ONLY* Log alerts to the Windows Event Log.

       -f     Activate PCAP line buffering.

       -F bpf-file
              Read BPF filters from bpf-file.  This is handy for people
              running Snort as a SHADOW replacement or with a love of super
              complex BPF filters.  See the "expression" section of this man
              page for more info on writing BPF filters.

       -g group
              Change the group/GID Snort runs under to group after
              initialization.  This switch allows Snort to drop root
              privileges after its initialization phase has completed as a
              security measure.

       -G id  Use id as a base event ID when logging events.  Useful for
              distinguishing events logged to the same database from multiple
              snort instances.
105
       -h home-net
              Set the "home network" to home-net.  The format of this address
              variable is a network prefix plus a CIDR block, such as
              192.168.1.0/24.  Once this variable is set, all decoded packet
              logging will be done relative to the home network address
              space.  This is useful because of the way that Snort formats its
              ASCII log data.  With this value set to the local network, all
              decoded output will be logged into decode directories with the
              address of the foreign computer as the directory name, which is
              very useful during traffic analysis.

       -H     Force hash tables to be deterministic instead of using a random
              number generator for the seed & scale.  Useful for testing and
              generating repeatable results with the same traffic.  Because
              the random seed is what keeps the table layout unpredictable to
              whoever is sending the traffic, use -H only for testing, not on
              a production sensor.

       -i interface
              Sniff packets on interface.

       -I     Print out the receiving interface name in alerts.

       -J port
              Use port to read packets when running inline mode on a system
              with divert sockets.

       -k checksum-mode
              Tune the internal checksum verification functionality with
              checksum-mode.  Valid checksum modes include all, noip, notcp,
              noudp, noicmp, and none.  All activates checksum verification
              for all supported protocols.  Noip turns off IP checksum
              verification, which is handy if the gateway router is already
              dropping packets that fail their IP checksum checks.  Notcp
              turns off TCP checksum verification; all other checksum modes
              are on.  Noudp turns off UDP checksum verification.  Noicmp
              turns off ICMP checksum verification.  None turns off the entire
              checksum verification subsystem.

       -K logging-mode
              Select a packet logging mode.  The default is pcap.  Valid
              logging modes include pcap, ascii, and none.  Pcap logs packets
              through the pcap library into pcap (tcpdump) format.  Ascii logs
              packets in the old "directories and files" format with packet
              printouts in each file.  None turns off packet logging.

       -l log-dir
              Set the output logging directory to log-dir.  All plain text
              alerts and packet logs go into this directory.  If this option
              is not specified, the default logging directory is set to
              /var/log/snort.

       -L binary-log-file
              Set the filename of the binary log file to binary-log-file.  If
              this switch is not used, the default name is a timestamp for the
              time that the file is created plus "snort.log".

       -m umask
              Set the file mode creation mask to umask.

       -M     Log console messages to syslog when not running in daemon mode.
              This switch has no impact on logging of alerts.

       -n packet-count
              Process packet-count packets and exit.

       -N     Turn off packet logging.  The program still generates alerts
              normally.
172
       -o     Change the order in which the rules are applied to packets.
              Instead of being applied in the standard Alert->Pass->Log order,
              this will apply them in Pass->Alert->Log order.  See also
              --alert-before-pass below.

       -O     Obfuscate the IP addresses when in ASCII packet dump mode.  This
              switch changes the IP addresses that get printed to the
              screen/log file to "xxx.xxx.xxx.xxx".  If the homenet address
              switch is set (-h), only addresses on the homenet will be
              obfuscated while non-homenet IPs will be left visible.  Perfect
              for posting to your favorite security mailing list!

       -p     Turn off promiscuous mode sniffing.

       -P snap-length
              Set the packet snaplen to snap-length.

       -q     Quiet operation.  Don't display banner and initialization
              information.

       -Q     Read packets from iptables/IPQ (Linux only) when running in-line
              mode.

       -r tcpdump-file
              Read the tcpdump-formatted file tcpdump-file.  This will cause
              Snort to read and process the file fed to it.  This is useful
              if, for instance, you've got a bunch of SHADOW files that you
              want to process for content, or even if you've got a bunch of
              reassembled packet fragments which have been written into a
              tcpdump formatted file.

       -R name
              Use name as a suffix to the snort pidfile.

       -s     Send alert messages to syslog.  Where they end up depends on the
              syslog configuration: typically /var/log/secure on Linux and
              /var/log/messages on many other platforms.

       -S variable=value
              Set variable name "variable" to value "value".  This is useful
              for setting the value of a defined variable name in a Snort
              rules file to a command line specified value.  For instance, if
              you define a HOME_NET variable name inside of a Snort rules
              file, you can override its predefined value at the command line.

       -t chroot
              Changes Snort's root directory to chroot after initialization.
              Please note that all log/alert filenames are relative to the
              chroot directory if chroot is used.

       -T     Snort will start up in self-test mode, checking all the supplied
              command line switches and rules files that are handed to it and
              indicating that everything is ready to proceed.  This is a good
              switch to use if daemon mode is going to be used; it verifies
              that the Snort configuration that is about to be used is valid
              and won't fail at run time.  Note, Snort looks for either
              /etc/snort.conf or ./snort.conf.  If your config lives
              elsewhere, use the -c option to specify a valid config-file.

       -u user
              Change the user/UID Snort runs under to user after
              initialization.

       -U     Changes the timestamp in all logs to be in UTC.

       -v     Be verbose.  Prints packets out to the console.  There is one
              big problem with verbose mode: it's slow.  If you are doing IDS
              work with Snort, don't use the '-v' switch, you WILL drop
              packets.

       -V     Show the version number and exit.

       -w     Show management frames if running on an 802.11 (wireless)
              network.

       -W     *WIN32 ONLY* Enumerate the network interfaces available.

       -X     Dump the raw packet data starting at the link layer.  This
              switch overrides the '-d' switch.

       -y     Include the year in alert and log files.

       -Z pathname
              Set the perfmonitor preprocessor path/filename to pathname.

       -?     Show the program usage statement and exit.
258
       --logid id
              Same as -G.

       --perfmon-file pathname
              Same as -Z.

       --pid-path directory
              Specify the directory in which Snort's PID file is created.

       --snaplen snap-length
              Same as -P.

       --help Same as -?.

       --version
              Same as -V.

       --dynamic-engine-lib file
              Load a dynamic detection engine shared library specified by
              file.

       --dynamic-engine-lib-dir directory
              Load all dynamic detection engine shared libraries found in
              directory.  Every shared library in directory is loaded into the
              Snort process, which starts with root privileges, so the
              directory and its contents must be writable only by the
              administrator.  The same applies to the other
              --dynamic-*-lib-dir options below.

       --dynamic-detection-lib file
              Load a dynamic detection rules shared library specified by file.

       --dynamic-detection-lib-dir directory
              Load all dynamic detection rules shared libraries found in
              directory.

       --dump-dynamic-rules directory
              Create stub rule files from all loaded dynamic detection rules
              libraries.  Files will be created in directory.  This is
              required to be done prior to running snort using those
              detection rules, and the generated rules files must be included
              in snort.conf.

       --dynamic-preprocessor-lib file
              Load a dynamic preprocessor shared library specified by file.

       --dynamic-preprocessor-lib-dir directory
              Load all dynamic preprocessor shared libraries found in
              directory.

       --dump-dynamic-preproc-genmsg directory
              Create gen-msg.map files from all loaded dynamic preprocessor
              libraries.  Files will be created in directory.

       --alert-before-pass
              Process alert, drop, sdrop, or reject before pass.  Default is
              pass before alert, drop, etc.

       --treat-drop-as-alert
              Converts drop, sdrop, and reject rules into alert rules during
              startup.

       --process-all-events
              Process all triggered events in group order, per Rule Ordering
              configuration.  Default stops after first group.

       --create-pidfile
              Create PID file, even when not in daemon mode.

       --nolock-pidfile
              Do not try to lock Snort PID file.

       --disable-inline-initialization
              Do not initialize IPTables when in inline mode.  To be used with
              -T to test for a valid configuration without requiring opening
              inline devices and adversely affecting traffic flow.

       --pcap-single=tcpdump-file
              Same as -r.  Added for completeness.

       --pcap-filter=filter
              Shell style filter to apply when getting pcaps from file or
              directory.  This filter will apply to any --pcap-file or
              --pcap-dir arguments following.  Use --pcap-no-filter to delete
              the filter for following --pcap-file or --pcap-dir arguments, or
              specify --pcap-filter again to forget the previous filter and
              apply the new one to following --pcap-file or --pcap-dir
              arguments.

       --pcap-list="list"
              A space separated list of pcaps to read.

       --pcap-dir=directory
              A directory to recurse to look for pcaps.  Sorted in ascii
              order.

       --pcap-file=file
              File that contains a list of pcaps to read.  Can specify path
              to pcap or directory to recurse to get pcaps.

       --pcap-no-filter
              Reset to use no filter when getting pcaps from file or
              directory.

       --pcap-reset
              If reading multiple pcaps, reset snort to post-configuration
              state before reading next pcap.  The default, i.e. without this
              option, is not to reset state.

       --pcap-show
              Print a line saying what pcap is currently being read.
368
       expression
              selects which packets will be dumped.  If no expression is
              given, all packets on the net will be dumped.  Otherwise, only
              packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives.  Primitives
              usually consist of an id (name or number) preceded by one or
              more qualifiers.  There are three different kinds of qualifier:

              type   qualifiers say what kind of thing the id name or number
                     refers to.  Possible types are host, net and port.  E.g.,
                     `host foo', `net 128.3', `port 20'.  If there is no type
                     qualifier, host is assumed.

              dir    qualifiers specify a particular transfer direction to
                     and/or from id.  Possible directions are src, dst, src or
                     dst and src and dst.  E.g., `src foo', `dst net 128.3',
                     `src or dst port ftp-data'.  If there is no dir
                     qualifier, src or dst is assumed.  For `null' link layers
                     (i.e. point to point protocols such as slip) the inbound
                     and outbound qualifiers can be used to specify a desired
                     direction.

              proto  qualifiers restrict the match to a particular protocol.
                     Possible protos are: ether, fddi, ip, arp, rarp, decnet,
                     lat, sca, moprc, mopdl, tcp and udp.  E.g., `ether src
                     foo', `arp net 128.3', `tcp port 21'.  If there is no
                     proto qualifier, all protocols consistent with the type
                     are assumed.  E.g., `src foo' means `(ip or arp or rarp)
                     src foo' (except the latter is not legal syntax), `net
                     bar' means `(ip or arp or rarp) net bar' and `port 53'
                     means `(tcp or udp) port 53'.

              [`fddi' is actually an alias for `ether'; the parser treats them
              identically as meaning ``the data link level used on the
              specified network interface.''  FDDI headers contain
              Ethernet-like source and destination addresses, and often
              contain Ethernet-like packet types, so you can filter on these
              FDDI fields just as with the analogous Ethernet fields.  FDDI
              headers also contain other fields, but you cannot name them
              explicitly in a filter expression.]

              In addition to the above, there are some special `primitive'
              keywords that don't follow the pattern: gateway, broadcast,
              less, greater and arithmetic expressions.  All of these are
              described below.

              More complex filter expressions are built up by using the words
              and, or and not to combine primitives.  E.g., `host foo and not
              port ftp and not port ftp-data'.  To save typing, identical
              qualifier lists can be omitted.  E.g., `tcp dst port ftp or
              ftp-data or domain' is exactly the same as `tcp dst port ftp or
              tcp dst port ftp-data or tcp dst port domain'.

              Allowable primitives are:

              dst host host
                     True if the IP destination field of the packet is host,
                     which may be either an address or a name.

              src host host
                     True if the IP source field of the packet is host.

              host host
                     True if either the IP source or destination of the packet
                     is host.  Any of the above host expressions can be
                     prepended with the keywords, ip, arp, or rarp as in:
                          ip host host
                     which is equivalent to:
                          ether proto \ip and host host
                     If host is a name with multiple IP addresses, each
                     address will be checked for a match.

              ether dst ehost
                     True if the ethernet destination address is ehost.  Ehost
                     may be either a name from /etc/ethers or a number (see
                     ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination address
                     is ehost.

              gateway host
                     True if the packet used host as a gateway.  I.e., the
                     ethernet source or destination address was host but
                     neither the IP source nor the IP destination was host.
                     Host must be a name and must be found in both /etc/hosts
                     and /etc/ethers.  (An equivalent expression is
                          ether host ehost and not host host
                     which can be used with either names or numbers for host /
                     ehost.)

              dst net net
                     True if the IP destination address of the packet has a
                     network number of net.  Net may be either a name from
                     /etc/networks or a network number (see networks(4) for
                     details).

              src net net
                     True if the IP source address of the packet has a network
                     number of net.

              net net
                     True if either the IP source or destination address of
                     the packet has a network number of net.

              net net mask mask
                     True if the IP address matches net with the specific
                     netmask.  May be qualified with src or dst.

              net net/len
                     True if the IP address matches net with a netmask len
                     bits wide.  May be qualified with src or dst.

              dst port port
                     True if the packet is ip/tcp or ip/udp and has a
                     destination port value of port.  The port can be a number
                     or a name used in /etc/services (see tcp(4P) and
                     udp(4P)).  If a name is used, both the port number and
                     protocol are checked.  If a number or ambiguous name is
                     used, only the port number is checked (e.g., dst port 513
                     will print both tcp/login traffic and udp/who traffic,
                     and port domain will print both tcp/domain and udp/domain
                     traffic).

              src port port
                     True if the packet has a source port value of port.

              port port
                     True if either the source or destination port of the
                     packet is port.  Any of the above port expressions can be
                     prepended with the keywords, tcp or udp, as in:
                          tcp src port port
                     which matches only tcp packets whose source port is port.

              less length
                     True if the packet has a length less than or equal to
                     length.  This is equivalent to:
                          len <= length.

              greater length
                     True if the packet has a length greater than or equal to
                     length.  This is equivalent to:
                          len >= length.

              ip proto protocol
                     True if the packet is an ip packet (see ip(4P)) of
                     protocol type protocol.  Protocol can be a number or one
                     of the names icmp, igrp, udp, nd, or tcp.  Note that the
                     identifiers tcp, udp, and icmp are also keywords and must
                     be escaped via backslash (\), which is \\ in the C-shell.

              ether broadcast
                     True if the packet is an ethernet broadcast packet.  The
                     ether keyword is optional.

              ip broadcast
                     True if the packet is an IP broadcast packet.  It checks
                     for both the all-zeroes and all-ones broadcast
                     conventions, and looks up the local subnet mask.

              ether multicast
                     True if the packet is an ethernet multicast packet.  The
                     ether keyword is optional.  This is shorthand for
                     `ether[0] & 1 != 0'.

              ip multicast
                     True if the packet is an IP multicast packet.

              ether proto protocol
                     True if the packet is of ether type protocol.  Protocol
                     can be a number or a name like ip, arp, or rarp.  Note
                     these identifiers are also keywords and must be escaped
                     via backslash (\).  [In the case of FDDI (e.g., `fddi
                     protocol arp'), the protocol identification comes from
                     the 802.2 Logical Link Control (LLC) header, which is
                     usually layered on top of the FDDI header.  Tcpdump
                     assumes, when filtering on the protocol identifier, that
                     all FDDI packets include an LLC header, and that the LLC
                     header is in so-called SNAP format.]

              decnet src host
                     True if the DECNET source address is host, which may be
                     an address of the form ``10.123'', or a DECNET host name.
                     [DECNET host name support is only available on Ultrix
                     systems that are configured to run DECNET.]

              decnet dst host
                     True if the DECNET destination address is host.

              decnet host host
                     True if either the DECNET source or destination address
                     is host.

              ip, arp, rarp, decnet
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.  Note that Snort
                     does not currently know how to parse these protocols.

              tcp, udp, icmp
                     Abbreviations for:
                          ip proto p
                     where p is one of the above protocols.

              expr relop expr
                     True if the relation holds, where relop is one of >, <,
                     >=, <=, =, !=, and expr is an arithmetic expression
                     composed of integer constants (expressed in standard C
                     syntax), the normal binary operators [+, -, *, /, &, |],
                     a length operator, and special packet data accessors.  To
                     access data inside the packet, use the following syntax:
                          proto [ expr : size ]
                     Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or
                     icmp, and indicates the protocol layer for the index
                     operation.  The byte offset, relative to the indicated
                     protocol layer, is given by expr.  Size is optional and
                     indicates the number of bytes in the field of interest;
                     it can be either one, two, or four, and defaults to one.
                     The length operator, indicated by the keyword len, gives
                     the length of the packet.

                     For example, `ether[0] & 1 != 0' catches all multicast
                     traffic.  The expression `ip[0] & 0xf != 5' catches all
                     IP packets with options.  The expression `ip[6:2] &
                     0x1fff = 0' catches only unfragmented datagrams and frag
                     zero of fragmented datagrams.  This check is implicitly
                     applied to the tcp and udp index operations.  For
                     instance, tcp[0] always means the first byte of the TCP
                     header, and never means the first byte of an intervening
                     fragment.
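
                     The following script is an added example and is not part
                     of the Snort man page or of Snort itself.  It evaluates
                     the accessor expressions quoted above (`ether[0] & 1 !=
                     0', `ip[0] & 0xf != 5', `ip[6:2] & 0x1fff = 0') plus a
                     tcp[13] flag test against Ethernet II/IPv4 frames that
                     the script constructs itself, so you can see which bytes
                     each filter reads and why a tcp[] or udp[] index can never
                     match a non-first fragment.  The helper names
                     (build_ipv4, accessor, is_tcp_syn, ...) and the sample
                     addresses are the example's own choices, not anything
                     Snort or libpcap exports.

```python
# Added example, not part of the Snort man page or the Snort code base.
# Evaluates BPF-style packet data accessors over constructed frames.
# Assumptions: Ethernet II framing, IPv4, no VLAN tags.
import struct

ETH_HLEN = 14            # Ethernet II: dst(6) src(6) ethertype(2)
ETHERTYPE_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17

UNICAST_DST = bytes.fromhex("001122334455")    # I/G bit of first byte clear
MULTICAST_DST = bytes.fromhex("01005e000001")  # I/G bit of first byte set
SRC_MAC = bytes.fromhex("aabbccddeeff")


def build_tcp(flags):
    """Minimal 20-byte TCP header; byte 13 holds the flag bits (SYN = 0x02)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


def build_ipv4(payload, options=b"", frag_off=0, more_frags=False, proto=IPPROTO_TCP):
    """IPv4 header (checksum left zero) with optional options; ihl grows with them."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                        0x1234, flags_frag, 64, proto, 0,
                        bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7]))
    return fixed + options + payload


def build_frame(dst_mac, ip_packet):
    return dst_mac + SRC_MAC + struct.pack("!H", ETHERTYPE_IP) + ip_packet


def accessor(frame, proto, offset, size=1):
    """proto[offset:size] the way the filter engine reads it.  Returns None
    where the expression cannot match at all: wrong ethertype or IP protocol,
    a read past the end of the packet, or, for tcp/udp, a datagram that fails
    the implicit ip[6:2] & 0x1fff = 0 check (i.e. not fragment zero)."""
    if proto == "ether":
        base = 0
    else:
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
            return None
        ihl_bytes = (frame[ETH_HLEN] & 0x0F) * 4
        if proto == "ip":
            base = ETH_HLEN
        elif proto in ("tcp", "udp"):
            want = IPPROTO_TCP if proto == "tcp" else IPPROTO_UDP
            if frame[ETH_HLEN + 9] != want:
                return None
            if struct.unpack("!H", frame[ETH_HLEN + 6:ETH_HLEN + 8])[0] & 0x1FFF:
                return None          # later fragment: transport header is absent
            base = ETH_HLEN + ihl_bytes
        else:
            raise ValueError("unsupported accessor protocol: " + proto)
    chunk = frame[base + offset:base + offset + size]
    if len(chunk) != size:
        return None
    return int.from_bytes(chunk, "big")


def is_multicast(frame):               # ether[0] & 1 != 0
    v = accessor(frame, "ether", 0)
    return v is not None and (v & 1) != 0


def has_ip_options(frame):             # ip[0] & 0xf != 5
    v = accessor(frame, "ip", 0)
    return v is not None and (v & 0xF) != 5


def is_unfragmented_or_first(frame):   # ip[6:2] & 0x1fff = 0
    v = accessor(frame, "ip", 6, 2)
    return v is not None and (v & 0x1FFF) == 0


def is_tcp_syn(frame):                 # tcp[13] & 0x02 != 0 (fragment rule applies)
    v = accessor(frame, "tcp", 13)
    return v is not None and (v & 0x02) != 0


# Constructed sample frames (not captured traffic).
SYN = build_frame(UNICAST_DST, build_ipv4(build_tcp(0x02)))
MCAST = build_frame(MULTICAST_DST, build_ipv4(build_tcp(0x10)))
WITH_OPTS = build_frame(UNICAST_DST, build_ipv4(build_tcp(0x02), options=b"\x01\x01\x01\x00"))
# A non-first fragment whose payload bytes happen to look like a SYN header:
# tcp[13] must not be evaluated against it, so is_tcp_syn() stays False.
LATE_FRAG = build_frame(UNICAST_DST, build_ipv4(build_tcp(0x02), frag_off=185))

if __name__ == "__main__":
    for name, f in (("SYN", SYN), ("MCAST", MCAST), ("WITH_OPTS", WITH_OPTS), ("LATE_FRAG", LATE_FRAG)):
        print(name, is_multicast(f), has_ip_options(f), is_unfragmented_or_first(f), is_tcp_syn(f))
```

                     The practical lesson is the LATE_FRAG case: a BPF filter
                     such as `tcp port 80' or `tcp[13] & 2 != 0' passed to
                     Snort (or in a -F file) only ever sees fragment zero, so a
                     capture filter that keys on transport headers will drop
                     the remaining fragments before the detection engine can
                     reassemble them.  Filter on `ip[6:2] & 0x1fff != 0' as
                     well if you need to keep them.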
608
              Primitives may be combined using:

                     A parenthesized group of primitives and operators
                     (parentheses are special to the Shell and must be
                     escaped).

                     Negation (`!' or `not').

                     Concatenation (`&&' or `and').

                     Alternation (`||' or `or').

              Negation has highest precedence.  Alternation and concatenation
              have equal precedence and associate left to right.  Note that
              explicit and tokens, not juxtaposition, are now required for
              concatenation.

              If an identifier is given without a keyword, the most recent
              keyword is assumed.  For example,
                   not host vs and ace
              is short for
                   not host vs and host ace
              which should not be confused with
                   not ( host vs or ace )

              Expression arguments can be passed to Snort as either a single
              argument or as multiple arguments, whichever is more convenient.
              Generally, if the expression contains Shell metacharacters, it
              is easier to pass it as a single, quoted argument.  Multiple
              arguments are concatenated with spaces before being parsed.
638
READING PCAPS
       Instead of having Snort listen on an interface, you can give it a
       packet capture to read.  Snort will read and analyze the packets as if
       they came off the wire.  This can be useful for testing and debugging
       Snort.

       Read a single pcap

            $ snort -r foo.pcap
            $ snort --pcap-single=foo.pcap

       Read pcaps from a file

            $ cat foo.txt
            foo1.pcap
            foo2.pcap
            /home/foo/pcaps

            $ snort --pcap-file=foo.txt

            This will read foo1.pcap, foo2.pcap and all files under
            /home/foo/pcaps.  Note that Snort will not try to determine
            whether the files under that directory are really pcap files or
            not.

       Read pcaps from a command line list

            $ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"

            This will read foo1.pcap, foo2.pcap and foo3.pcap.

       Read pcaps under a directory

            $ snort --pcap-dir="/home/foo/pcaps"

            This will include all of the files under /home/foo/pcaps.

       Using filters

            $ cat foo.txt
            foo1.pcap
            foo2.pcap
            /home/foo/pcaps

            $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
            $ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps

            The above will only include files that match the shell pattern
            "*.pcap", in other words, any file ending in ".pcap".

            $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
            > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps

            In the above, the first filter "*.pcap" will only be applied to
            the pcaps in the file "foo.txt" (and any directories that are
            recursed in that file).  The addition of the second filter "*.cap"
            will cause the first filter to be forgotten and the new one
            applied to the directory /home/foo/pcaps, so only files ending in
            ".cap" will be included from that directory.

            $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
            > --pcap-no-filter --pcap-dir=/home/foo/pcaps

            In this example, the first filter will be applied to foo.txt, then
            no filter will be applied to the files found under
            /home/foo/pcaps, so all files found under /home/foo/pcaps will be
            included.

            $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
            > --pcap-no-filter --pcap-dir=/home/foo/pcaps \
            > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2

            In this example, the first filter will be applied to foo.txt, then
            no filter will be applied to the files found under
            /home/foo/pcaps, so all files found under /home/foo/pcaps will be
            included, then the filter "*.cap" will be applied to files found
            under /home/foo/pcaps2.
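
            Because the filter options are positional, it is easy to feed
            Snort a different set of files than intended, and Snort does not
            check that what it opens is a capture at all.  The script below is
            an added example (not part of the Snort man page or of Snort) that
            dry-runs the --pcap-single/--pcap-list/--pcap-file/--pcap-dir/
            --pcap-filter/--pcap-no-filter rules described above over an
            argument list and returns the files in the order they would be
            opened, then checks each for a libpcap magic number.  Its demo()
            builds a throwaway directory tree mirroring the last example
            above.  Assumptions of the example, not statements about Snort's
            code: a filter is matched against the basename of every file named
            in a list file and every file found under a directory, --pcap-list
            and --pcap-single entries are taken verbatim, blank lines in the
            list file are ignored, and only the classic pcap magic (either
            byte order) is accepted.

```python
# Added example, not part of the Snort man page or the Snort code base:
# a dry-run of the --pcap-* argument handling, plus a pcap magic check.
import fnmatch
import os
import tempfile

# Classic libpcap magic, big- and little-endian (assumption: pcapng not accepted).
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1"}


def _matches(path, pattern):
    return pattern is None or fnmatch.fnmatchcase(os.path.basename(path), pattern)


def _walk_sorted(directory, pattern):
    """Recurse into directory in ascii order, applying the current filter."""
    found = []
    for root, dirs, files in os.walk(directory):
        dirs.sort()                      # in-place sort fixes the recursion order
        for name in sorted(files):
            full = os.path.join(root, name)
            if _matches(full, pattern):
                found.append(full)
    return found


def _expand(entry, pattern):
    """One line of a --pcap-file list: a file, or a directory to recurse."""
    if os.path.isdir(entry):
        return _walk_sorted(entry, pattern)
    return [entry] if _matches(entry, pattern) else []


def plan_pcap_reads(argv):
    """Return the ordered list of files `snort argv...` would open."""
    pattern = None
    plan = []
    for arg in argv:
        opt, _, val = arg.partition("=")
        if opt == "--pcap-filter":
            pattern = val                # a new filter replaces the previous one
        elif opt == "--pcap-no-filter":
            pattern = None
        elif opt == "--pcap-single":
            plan.append(val)
        elif opt == "--pcap-list":
            plan.extend(val.split())     # space separated, never filtered
        elif opt == "--pcap-dir":
            plan.extend(_walk_sorted(val, pattern))
        elif opt == "--pcap-file":
            with open(val) as fh:
                for line in fh:
                    entry = line.strip()
                    if entry:            # assumption: blank lines are skipped
                        plan.extend(_expand(entry, pattern))
    return plan


def check_pcap_magic(paths):
    """Return the paths whose first four bytes are not a pcap magic number."""
    bad = []
    for p in paths:
        with open(p, "rb") as fh:
            if fh.read(4) not in PCAP_MAGICS:
                bad.append(p)
    return bad


def demo():
    """Constructed tree for the last 'Using filters' command line above.
    Returns (planned reads, entries failing the magic check) as relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        def put(rel, data=b"\xd4\xc3\xb2\xa1" + b"\x00" * 20):
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            return full
        put("foo1.pcap")
        put("foo2.pcap", b"not a capture file\n")      # wrong magic on purpose
        for rel in ("pcaps/a.pcap", "pcaps/b.cap", "pcaps/sub/c.pcap",
                    "pcaps2/d.cap", "pcaps2/e.pcap"):
            put(rel)
        with open(os.path.join(tmp, "foo.txt"), "w") as fh:
            for entry in ("foo1.pcap", "foo2.pcap", "pcaps"):
                fh.write(os.path.join(tmp, entry) + "\n")
        argv = ["--pcap-filter=*.pcap", "--pcap-file=" + os.path.join(tmp, "foo.txt"),
                "--pcap-no-filter", "--pcap-dir=" + os.path.join(tmp, "pcaps"),
                "--pcap-filter=*.cap", "--pcap-dir=" + os.path.join(tmp, "pcaps2")]
        plan = plan_pcap_reads(argv)
        bad = check_pcap_magic(plan)
        return ([os.path.relpath(p, tmp) for p in plan],
                sorted({os.path.relpath(p, tmp) for p in bad}))


if __name__ == "__main__":
    reads, suspicious = demo()
    print("\n".join(reads))
    print("not pcap:", suspicious)
```

            Note that the directory named in foo.txt is read twice in the
            demo, once filtered and once unfiltered, exactly as the man page
            example implies; a dry-run like this is the cheapest way to catch
            that before an analysis run quietly double-counts traffic.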
716
       Resetting state

            $ snort --pcap-dir=/home/foo/pcaps --pcap-reset

            The above example will read all of the files under
            /home/foo/pcaps, but after each pcap is read, Snort will be reset
            to a post-configuration state, meaning all buffers will be
            flushed, statistics reset, etc.  For each pcap, it will be like
            Snort is seeing traffic for the first time.

       Printing the pcap

            $ snort --pcap-dir=/home/foo/pcaps --pcap-show

            The above example will read all of the files under
            /home/foo/pcaps and will print a line indicating which pcap is
            currently being read.
734
RULES
       Snort uses a simple but flexible rules language to describe network
       packet signatures and associate them with actions.  The current rules
       document can be found at http://www.snort.org/snort_rules.html.

SIGNALS
       The following signals have the specified effect when sent to the daemon
       process using the kill(1) command:

       SIGHUP Causes the daemon to close all opened files and restart.  Please
              note that this will only work if the full pathname is used to
              invoke snort in daemon mode, otherwise snort will just exit with
              an error message being sent to syslogd(8).

       SIGUSR1
              Causes the program to dump its current packet statistical
              information to the console or syslogd(8) if in daemon mode.

       Any other signal causes the daemon to close all opened files and exit.

HISTORY
       Snort has been freely available under the GPL license since 1998.

RETURN VALUES
       Snort returns 0 on a successful exit, 1 if it exits on an error.

BUGS
       After consulting the BUGS file included with the source distribution,
       send bug reports to snort-devel@lists.sourceforge.net

AUTHOR
       Martin Roesch <roesch@snort.org>

SEE ALSO
       tcpdump(1), pcap(3)

                               February 2008                          SNORT(8)