listing for S
Snort - open source network intrusion detection system
snort [-bCdDeEfIMNoOpqQsTUvVwWXy?] [-A alert-mode ] [-B address-
conversion-mask ] [-c rules-file ] [-F bpf-file ] [-g grpname ] [-G id ]
[-h home-net ] [-i interface ] [-J port ] [-k checksum-mode ] [-K logging-
mode ] [-l log-dir ] [-L bin-log-file ] [-m umask ] [-n packet-count ] [-P
snap-length ] [-r tcpdump-file ] [-R name ] [-S variable=value ] [-t
chroot_directory ] [-u usrname ] [-Z pathname ] [--logid id ] [--perfmon-
file pathname ] [--pid-path pathname ] [--snaplen snap-length ] [--help ]
[--dynamic-engine-lib file ] [--dynamic-engine-lib-dir directory ] [--
dynamic-detection-lib file ] [--dynamic-detection-lib-dir directory ] [--
dump-dynamic-rules directory ] [--dynamic-preprocessor-lib file ] [--
dynamic-preprocessor-lib-dir directory ] [--dump-dynamic-preproc-genmsg
directory ] [--alert-before-pass ] [--treat-drop-as-alert ] [--process-
all-events ] [--pid-path directory ] [--create-pidfile ] [--nolock-pidfile
] [--disable-inline-initialization ] ] expression
Snort is an open source network intrusion detection system, capable of
performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be
used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
and much more. Snort uses a flexible rules language to describe traffic
that it should collect or pass, as well as a detection engine that utilizes
a modular plugin architecture. Snort also has a modular real-time alerting
capability, incorporating alerting and logging plugins for syslog, a ASCII
text files, UNIX sockets, database (Mysql/PostgreSQL/Oracle/ODBC) or XML.
Snort has three primary uses. It can be used as a straight packet sniffer
like tcpdump(1), a packet logger (useful for network traffic debugging,
etc), or as a full blown network intrusion detection system.
Snort logs packets in tcpdump(1) binary format, to a database or in Snort's
decoded ASCII format to a hierarchy of logging directories that are named
based on the IP address of the "foreign" host.
Alert using the specified alert-mode. Valid alert modes include fast,
full, none, and unsock. Fast writes alerts to the default "alert" file
in a single-line, syslog style alert message. Full writes the alert to
the "alert" file with the full decoded header as well as the alert
message. None turns off alerting. Unsock is an experimental mode that
sends the alert information out over a UNIX socket to another process
that attaches to that socket.
-b Log packets in a tcpdump(1) formatted file. All packets are logged
in their native binary state to a tcpdump formatted log file named
with the snort start timestamp and "snort.log". This option results
in much faster operation of the program
since it doesn't have to spend time in the packet binary->text
converters. Snort can keep up pretty well with 100Mbps networks in
'-b' mode. To choose an alternate name for the binary log file, use
the '-L' switch.
Convert all IP addresses in home-net to addresses specified by
address-conversion-mask. Used to obfuscate IP addresses within binary
logs. Specify home-net with the '-h' switch. Note this is not the
same as $HOME_NET.
Use the rules located in file config-file.
-C Print the character data from the packet payload only (no hex).
-d Dump the application layer data when displaying packets in verbose or
packet logging mode.
-D Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert
unless otherwise specified.
-e Display/log the link layer packet headers.
-E *WIN32 ONLY* Log alerts to the Windows Event Log.
-f Activate PCAP line buffering
Read BPF filters from bpf-file. This is handy for people running Snort
as a SHADOW replacement or with a love Of super complex BPF filters.
See the "expressions" section of this man page for more info on
writing BPF fileters.
Change the group/GID Snort runs under to group after initialization.
This switch allows Snort to drop root priveleges after it's
initialization phase has completed as a security measure.
Use id as a base event ID when logging events. Useful for
distinguishing events logged to the same database from multiple snort
Set the "home network" to home-net. The format of this address
variable is a network prefix plus a CIDR block, such as
192.168.1.0/24. Once this variable is set, all decoded packet logging
will be done relative to the home network address space. This is
useful because of the way that Snort formats its ASCII log data. With
this value set to the local network, all decoded output will be logged
into decode directories with the address of the foreign computer as
the directory name, which is very useful during traffic analysis.
Sniff packets on interface.
-I Print out the receiving interface name in alerts.
Use port to read packets when running inline mode on system with
Tune the internal checksum verification functionality with alert-mode.
Valid checksum modes include all, noip, notcp, noudp, noicmp, and
none. All activates checksum verification for all supported protocols.
Noip turns off IP checksum verification, which is handy if the gateway
router is already dropping packets that fail their IP checksum checks.
Notcp turns off TCP checksum verification, all other checksum modes
are on. noudp turns off UDP checksum verification. Noicmp turns off
ICMP checksum verification. None turns off the entire checksum
Select a packet logging mode. The default is pcap. logging-mode.
Valid logging modes include pcap, ascii, and none. Pcap logs packets
through the pcap library into pcap (tcpdump) format. Ascii logs
packets in the old "directories and files" format with packet
printouts in each file. None Turns off packet logging.
Set the output logging directory to log-dir. All plain text alerts and
packet logs go into this directory. If this option is not specified,
the default logging directory is set to /var/log/snort.
Set the filename of the binary log file to binary-log-file. If this
switch is not used, the default name is a timestamp for the time that
the file is created plus "snort.log".
Set the file mode creation mask to umask
-M Log console messages to syslog when not running daemon mode. This
switch has no impact on logging of alerts.
Process packet-count packets and exit.
-N Turn off packet logging. The program still generates alerts normally.
-o Change the order in which the rules are applied to packets. Instead
of being applied in the standard Alert->Pass->Log order, this will
apply them in Pass->Alert->Log order.
-O Obfuscate the IP addresses when in ASCII packet dump mode. This
switch changes the IP addresses that get printed to the screen/log
file to "xxx.xxx.xxx.xxx". If the homenet address switch is set (-h),
only addresses on the homenet will be obfuscated while non- homenet
IPs will be left visible. Perfect for posting to your favorite
security mailing list!
-p Turn off promiscuous mode sniffing.
Set the packet snaplen to snap-length
-q Quiet operation. Don't display banner and initialization information.
-Q Read packets from iptables/IPQ (Linux only) when running in-line mode.
Read the tcpdump-formatted file tcpdump-file. This will cause Snort to
read and process the file fed to it. This is useful if, for instance,
you've got a bunch of SHADOW files that you want to process for
content, or even if you've got a bunch of reassembled packet fragments
which have been written into a tcpdump formatted file.
Use name as a suffix to the snort pidfile.
-s Send alert messages to syslog. On linux boxen, they will appear in
/var/log/secure, /var/log/messages on many other platforms.
Set variable name "variable" to value "value". This is useful for
setting the value of a defined variable name in a Snort rules file to
a command line specified value. For instance, if you define a
HOME_NET variable name inside of a Snort rules file, you can set this
value from it's predefined value at the command line.
Changes Snort's root directory to chroot after initialization. Please
note that all log/alert filenames are relative to the chroot directory
if chroot is used.
-T Snort will start up in self-test mode, checking all the supplied
command line switches and rules files that are handed to it and
indicating that everything is ready to proceed. This is a good switch
to use if daemon mode is going to be used, it verifies that the Snort
configuration that is about to be used is valid and won't fail at run
time. Note, Snort looks for either /etc/snort.conf or ./snort.conf. If
your config lives elsewhere, use the -c option to specify a valid
Change the user/UID Snort runs under to user after initialization.
-U Changes the timestamp in all logs to be in UTC
-v Be verbose. Prints packets out to the console. There is one big
problem with verbose mode: it's slow. If you are doing IDS work with
Snort, don't use the '-v' switch, you WILL drop packets.
-V Show the version number and exit.
-w Show management frames if runnong on an 802.11 (wireless) network.
-W *WIN32 ONLY* Enumerate the network interfaces available.
-X Dump the raw packet data starting at the link layer. This switch
-y Include the year in alert and log files
Set the perfmonitor preprocessor path/filename to pathname.
-? Show the program usage statement and exit.
Same as -G.
Same as -Z.
Specify the pathname for the Snort PID file.
Same as -P.
Same as -?
Load a dynamic detection engine shared library specified by file.
Load all dynamic detection engine shared libraries specified from
Load a dynamic detection rules shared library specified by file.
Load all dynamic detection rules shared libraries specified from
Create stub rule files from all loaded dynamic detection rules
libraries. Files will be created in directory. This is required to
be done prior to running snort using those detection rules and the
generated rules files must be included in snort.conf.
Load a dynamic preprocessor shared library specified by file.
Load all dynamic preprocessor shared libraries specified from
Create gen-msg.map files from all loaded dynamic preprocessor
libraries. Files will be created in directory.
Process alert, drop, sdrop, or reject before pass. Default is pass
before alert, drop, etc.
Converts drop, sdrop, and reject rules into alert rules during
Process all triggered events in group order, per Rule Ordering
configuration. Default stops after first group.
Specify the path for Snort's PID file.
Create PID file, even when not in Daemon mode.
Do not try to lock Snort PID file.
Do not initialize IPTables when in inline mode. To be used with -T to
test for a valid configuration without requiring opening inline
devices and adversely affecting traffic flow.
selects which packets will be dumped. If no expression is given, all
packets on the net will be dumped. Otherwise, only packets for which
expression is `true' will be dumped.
The expression consists of one or more primitives. Primitives usually
consist of an id (name or number) preceded by one or more qualifiers.
There are three different kinds of qualifier:
type qualifiers say what kind of thing the id name or number refers
to. Possible types are host, net and port. E.g., `host foo',
`net 128.3', `port 20'. If there is no type qualifier, host is
dir qualifiers specify a particular transfer direction to and/or from
id. Possible directions are src, dst, src or dst and src and dst.
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If
there is no dir qualifier, src or dst is assumed. For `null'
link layers (i.e. point to point protocols such as slip) the
inbound and outbound qualifiers can be used to specify a desired
qualifiers restrict the match to a particular protocol. Possible
protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc,
mopdl, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp
port 21'. If there is no proto qualifier, all protocols
consistent with the type are assumed. E.g., `src foo' means `(ip
or arp or rarp) src foo' (except the latter is not legal syntax),
`net bar' means `(ip or arp or rarp) net bar' and `port 53' means
`(tcp or udp) port 53'.
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.'' FDDI headers contain Ethernet-like source and
destination addresses, and often contain Ethernet-like packet types,
so you can filter on these FDDI fields just as with the analogous
Ethernet fields. FDDI headers also contain other fields, but you
cannot name them explicitly in a filter expression.]
In addition to the above, there are some special `primitive' keywords
that don't follow the pattern: gateway, broadcast, less, greater and
arithmetic expressions. All of these are described below.
More complex filter expressions are built up by using the words and,
or and not to combine primitives. E.g., `host foo and not port ftp
and not port ftp-data'. To save typing, identical qualifier lists can
be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly
the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port
Allowable primitives are:
dst host host
True if the IP destination field of the packet is host, which may
be either an address or a name.
src host host
True if the IP source field of the packet is host.
True if either the IP source or destination of the packet is
host. Any of the above host expressions can be prepended with
the keywords, ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each address will
be checked for a match.
ether dst ehost
True if the ethernet destination address is ehost. Ehost may be
either a name from /etc/ethers or a number (see ethers(3N) for
ether src ehost
True if the ethernet source address is ehost.
ether host ehost
True if either the ethernet source or destination address is
True if the packet used host as a gateway. I.e., the ethernet
source or destination address was host but neither the IP source
nor the IP destination was host. Host must be a name and must be
found in both /etc/hosts and /etc/ethers. (An equivalent
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)
dst net net
True if the IP destination address of the packet has a network
number of net. Net may be either a name from /etc/networks or a
network number (see networks(4) for details).
src net net
True if the IP source address of the packet has a network number
True if either the IP source or destination address of the packet
has a network number of net.
net net mask mask
True if the IP address matches net with the specific netmask.
May be qualified with src or dst.
True if the IP address matches net a netmask len bits wide. May
be qualified with src or dst.
dst port port
True if the packet is ip/tcp or ip/udp and has a destination port
value of port. The port can be a number or a name used in
/etc/services (see tcp(4P) and udp(4P)). If a name is used, both
the port number and protocol are checked. If a number or
ambiguous name is used, only the port number is checked (e.g.,
dst port 513 will print both tcp/login traffic and udp/who
traffic, and port domain will print both tcp/domain and
src port port
True if the packet has a source port value of port.
True if either the source or destination port of the packet is
port. Any of the above port expressions can be prepended with
the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.
True if the packet has a length less than or equal to length.
This is equivalent to:
len <= length.
True if the packet has a length greater than or equal to length.
This is equivalent to:
len >= length.
ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type
protocol. Protocol can be a number or one of the names icmp,
igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and
icmp are also keywords and must be escaped via backslash (\),
which is \\ in the C-shell.
True if the packet is an ethernet broadcast packet. The ether
keyword is optional.
True if the packet is an IP broadcast packet. It checks for both
the all-zeroes and all-ones broadcast conventions, and looks up
the local subnet mask.
True if the packet is an ethernet multicast packet. The ether
keyword is optional. This is shorthand for `ether & 1 != 0'.
True if the packet is an IP multicast packet.
ether proto protocol
True if the packet is of ether type protocol. Protocol can be a
number or a name like ip, arp, or rarp. Note these identifiers
are also keywords and must be escaped via backslash (\). [In the
case of FDDI (e.g., `fddi protocol arp'), the protocol
identification comes from the 802.2 Logical Link Control (LLC)
header, which is usually layered on top of the FDDI header.
Tcpdump assumes, when filtering on the protocol identifier, that
all FDDI packets include an LLC header, and that the LLC header
is in so-called SNAP format.]
decnet src host
True if the DECNET source address is host, which may be an
address of the form ``10.123'', or a DECNET host name. [DECNET
host name support is only available on Ultrix systems that are
configured to run DECNET.]
decnet dst host
True if the DECNET destination address is host.
decnet host host
True if either the DECNET source or destination address is host.
ip, arp, rarp, decnet
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
ether proto p
where p is one of the above protocols. Note that Snort does not
currently know how to parse these protocols.
tcp, udp, icmp
ip proto p
where p is one of the above protocols.
expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=,
=, !=, and expr is an arithmetic expression composed of integer
constants (expressed in standard C syntax), the normal binary
operators [+, -, *, /, &, |], a length operator, and special
packet data accessors. To access data inside the packet, use the
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp,
and indicates the protocol layer for the index operation. The
byte offset, relative to the indicated protocol layer, is given
by expr. Size is optional and indicates the number of bytes in
the field of interest; it can be either one, two, or four, and
defaults to one. The length operator, indicated by the keyword
len, gives the length of the packet.
For example, `ether & 1 != 0' catches all multicast traffic.
The expression `ip & 0xf != 5' catches all IP packets with
options. The expression `ip[6:2] & 0x1fff = 0' catches only
unfragmented datagrams and frag zero of fragmented datagrams.
This check is implicitly applied to the tcp and udp index
operations. For instance, tcp always means the first byte of
the TCP header, and never means the first byte of an intervening
Primitives may be combined using:
A parenthesized group of primitives and operators (parentheses
are special to the Shell and must be escaped).
Negation (`!' or `not').
Concatenation (`&&' or `and').
Alternation (`||' or `or').
Negation has highest precedence. Alternation and concatenation have
equal precedence and associate left to right. Note that explicit and
tokens, not juxtaposition, are now required for concatenation.
If an identifier is given without a keyword, the most recent keyword
is assumed. For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )
Expression arguments can be passed to Snort as either a single
argument or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument. Multiple arguments
are concatenated with spaces before being parsed.
Snort uses a simple but flexible rules language to describe network packet
signatures and associate them with actions. The current rules document can
be found at http://www.snort.org/snort_rules.html.
The following signals have the specified effect when sent to the daemon
process using the kill(1) command:
Causes the daemon to close all opened files and restart. Please note
that this will only work if the full pathname is used to invoke snort
in daemon mode, otherwise snort will just exit with an error message
being sent to syslogd(8)
Causes the program to dump its current packet statistical information
to the cosole or syslogd(8) if in daemon mode.
Any other signal causes the daemon to close all opened files and exit.
Snort has been freely available under the GPL license since 1998.
Snort returns a 0 on a successful exit, 1 if it exits on an error.
After consulting the BUGS file included with the source distribution, send
bug reports to firstname.lastname@example.org
Martin Roesch <email@example.com>
listing for S