SNORT(8)SNORT(8)NAME
Snort - open source network intrusion detection system
SYNOPSISsnort [-abCdDeGINoOpqsTUvVxXyz?] [-A alert-mode ] [-B
address-conversion-mask ] [-c rules-file ] [-F bpf-file ]
[-g grpname ] [-h home-net ] [-i interface ] [-k checksum-
mode ] [-l log-dir ] [-L bin-log-file ] [-m umask ] [-M
smb-hosts-file ] [-n packet-count ] [-P snap-length ] [-r
tcpdump-file ] [-S variable=value ] [-t chroot_directory ]
[-u usrname ] expression
DESCRIPTION
Snort is an open source network intrusion detection sys-
tem, capable of performing real-time traffic analysis and
packet logging on IP networks. It can perform protocol
analysis, content searching/matching and can be used to
detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more. Snort uses a
flexible rules language to describe traffic that it should
collect or pass, as well as a detection engine that uti-
lizes a modular plugin architecture. Snort also has a
modular real-time alerting capability, incorporating
alerting and logging plugins for syslog, a ASCII text
files, UNIX sockets, WinPopup messages to Windows clients
using Samba's smbclient, database (Mysql/PostgreSQL/Ora-
cle/ODBC) or XML.
Snort has three primary uses. It can be used as a
straight packet sniffer like tcpdump(1), a packet logger
(useful for network traffic debugging, etc), or as a full
blown network intrusion detection system.
Snort logs packets in tcpdump(1) binary format, to a
database or in Snort's decoded ASCII format to a hierarchy
of logging directories that are named based on the IP
address of the "foreign" host.
OPTIONS-A alert-mode
Alert using the specified alert-mode. Valid alert
modes include fast, full, none, and unsock. Fast
writes alerts to the default "alert" file in a sin-
gle-line, syslog style alert message. Full writes
the alert to the "alert" file with the full decoded
header as well as the alert message. None turns
off alerting. Unsock is an experimental mode that
sends the alert information out over a UNIX socket
to another process that attaches to that socket.
-a Display ARP packets when decoding packets.
-b Log packets in a tcpdump(1) formatted file. All
packets are logged in their native binary state to
a tcpdump formatted log file named with the snort
start timestamp and "snort.log". This option
results in much faster operation of the program
since it doesn't have to spend time in the packet
binary->text converters. Snort can keep up pretty
well with 100Mbps networks in '-b' mode. To choose
an alternate name for the binary log file, use the
'-L' switch.
-B address-conversion-mask
Convert all IP addresses in home-net to addresses
specified by address-conversion-mask. Used to
obfuscate IP addresses within binary logs. Specify
home-net with the '-h' switch. Note this is not
the same as $HOME_NET.
-c config-file
Use the rules located in file config-file.
-C Print the character data from the packet payload
only (no hex).
-d Dump the application layer data when displaying
packets in verbose or packet logging mode.
-D Run Snort in daemon mode. Alerts are sent to
/var/log/snort/alert unless otherwise specified.
-e Display/log the link layer packet headers.
-F bpf-file
Read BPF filters from bpf-file. This is handy for
people running Snort as a SHADOW replacement or
with a love Of super complex BPF filters. See the
"expressions" section of this man page for more
info on writing BPF fileters.
-g group
Change the group/GID Snort runs under to group
after initialization. This switch allows Snort to
drop root priveleges after it's initialization
phase has completed as a security measure.
-G ghetto-mode
Ghetto backwards compatibility switch, prints cross
reference info in the 1.7 format. Available modes
are basic and url.
-h home-net
Set the "home network" to home-net. The format of
this address variable is a network prefix plus a
CIDR block, such as 192.168.1.0/24. Once this
variable is set, all decoded packet logging will be
done relative to the home network address space.
This is useful because of the way that Snort for-
mats its ASCII log data. With this value set to
the local network, all decoded output will be
logged into decode directories with the address of
the foreign computer as the directory name, which
is very useful during traffic analysis.
-i interface
Sniff packets on interface.
-I Print out the receiving interface name in alerts.
-k checksum-mode
Tune the internal checksum verification functional-
ity with alert-mode. Valid checksum modes include
all, noip, notcp, noudp, noicmp, and none. All
activates checksum verification for all supported
protocols. Noip turns off IP checksum verifica-
tion, which is handy if the gateway router is
already dropping packets that fail their IP check-
sum checks. Notcp turns off TCP checksum verifica-
tion, all other checksum modes are on. noudp turns
off UDP checksum verification. Noicmp turns off
ICMP checksum verification. None turns off the
entire checksum verification subsystem.
-l log-dir
Set the output logging directory to log-dir. All
plain text alerts and packet logs go into this
directory. If this option is not specified, the
default logging directory is set to /var/log/snort.
-L binary-log-file
Set the filename of the binary log file to binary-
log-file. If this switch is not used, the default
name is a timestamp for the time that the file is
created plus "snort.log".
-M smb-hosts-file
Send WinPopup messages to the list of workstations
contained in the smb-hosts-file . This option
requires Samba to be resident and in the path of
the machine running Snort. The workstation file is
simple: each line of the file contains the SMB name
of the box to send the message to.
-m umask
Set the file mode creation mask to umask
-n packet-count
Process packet-count packets and exit.
-N Turn off packet logging. The program still gener-
ates alerts normally.
-o Change the order in which the rules are applied to
packets. Instead of being applied in the standard
Alert->Pass->Log order, this will apply them in
Pass->Alert->Log order.
-O Obfuscate the IP addresses when in ASCII packet
dump mode. This switch changes the IP addresses
that get printed to the screen/log file to
"xxx.xxx.xxx.xxx". If the homenet address switch
is set (-h), only addresses on the homenet will be
obfuscated while non- homenet IPs will be left vis-
ible. Perfect for posting to your favorite secu-
rity mailing list!
-p Turn off promiscuous mode sniffing.
-P snap-length
Set the packet snaplen to snap-length
-q Quiet operation. Don't display banner and initial-
ization information.
-r tcpdump-file
Read the tcpdump-formatted file tcpdump-file. This
will cause Snort to read and process the file fed
to it. This is useful if, for instance, you've got
a bunch of SHADOW files that you want to process
for content, or even if you've got a bunch of
reassembled packet fragments which have been writ-
ten into a tcpdump formatted file.
-s Send alert messages to syslog. On linux boxen,
they will appear in /var/log/secure, /var/log/mes-
sages on many other platforms.
-S variable=value
Set variable name "variable" to value "value".
This is useful for setting the value of a defined
variable name in a Snort rules file to a command
line specified value. For instance, if you define
a HOME_NET variable name inside of a Snort rules
file, you can set this value from it's predefined
value at the command line.
-t chroot
Changes Snort's root directory to chroot after ini-
tialization. Please note that all log/alert file-
names are relative to the chroot directory if
chroot is used.
-T Snort will start up in self-test mode, checking all
the supplied command line switches and rules files
that are handed to it and indicating that every-
thing is ready to proceed. This is a good switch
to use if daemon mode is going to be used, it veri-
fies that the Snort configuration that is about to
be used is valid and won't fail at run time.
-u user
Change the user/UID Snort runs under to user after
initialization.
-U Changes the timestamp in all logs to be in UTC
-v Be verbose. Prints packets out to the console.
There is one big problem with verbose mode: it's
slow. If you are doing IDS work with Snort, don't
use the '-v' switch, you WILL drop packets.
-V Show the version number and exit.
-X Dump the raw packet data starting at the link
layer. This switch overrides the
-y Include the year in alert and log files
-z The -z switch is used in concert with the stream4
preprocessor code. It takes advantage of stream4's
stateful inspection capabilities to reduce the
amount of spoofing that may be done against Snort.
By default, snort doesn't worry about the TCP state
of a packet when it's about to issue an alert. The
-z switch tells Snort to only allow alerts to be
generated for packets that are part of a known,
established session. This allows Snort to greatly
reduce the effect of anti-NIDS tools like stick and
snot.
-? Show the program usage statement and exit.
expression
selects which packets will be dumped. If no
expression is given, all packets on the net will be
dumped. Otherwise, only packets for which expres-
sion is `true' will be dumped.
The expression consists of one or more primitives.
Primitives usually consist of an id (name or num-
ber) preceded by one or more qualifiers. There are
three different kinds of qualifier:
type qualifiers say what kind of thing the id
name or number refers to. Possible types
are host, net and port. E.g., `host foo',
`net 128.3', `port 20'. If there is no type
qualifier, host is assumed.
dir qualifiers specify a particular transfer
direction to and/or from id. Possible
directions are src, dst, src or dst and src
and dst. E.g., `src foo', `dst net 128.3',
`src or dst port ftp-data'. If there is no
dir qualifier, src or dst is assumed. For
`null' link layers (i.e. point to point pro-
tocols such as slip) the inbound and out-
bound qualifiers can be used to specify a
desired direction.
proto qualifiers restrict the match to a particu-
lar protocol. Possible protos are: ether,
fddi, ip, arp, rarp, decnet, lat, sca,
moprc, mopdl, tcp and udp. E.g., `ether src
foo', `arp net 128.3', `tcp port 21'. If
there is no proto qualifier, all protocols
consistent with the type are assumed. E.g.,
`src foo' means `(ip or arp or rarp) src
foo' (except the latter is not legal syn-
tax), `net bar' means `(ip or arp or rarp)
net bar' and `port 53' means `(tcp or udp)
port 53'.
[`fddi' is actually an alias for `ether'; the
parser treats them identically as meaning ``the
data link level used on the specified network
interface.'' FDDI headers contain Ethernet-like
source and destination addresses, and often contain
Ethernet-like packet types, so you can filter on
these FDDI fields just as with the analogous Ether-
net fields. FDDI headers also contain other
fields, but you cannot name them explicitly in a
filter expression.]
In addition to the above, there are some special
`primitive' keywords that don't follow the pattern:
gateway, broadcast, less, greater and arithmetic
expressions. All of these are described below.
More complex filter expressions are built up by
using the words and, or and not to combine primi-
tives. E.g., `host foo and not port ftp and not
port ftp-data'. To save typing, identical quali-
fier lists can be omitted. E.g., `tcp dst port ftp
or ftp-data or domain' is exactly the same as `tcp
dst port ftp or tcp dst port ftp-data or tcp dst
port domain'.
Allowable primitives are:
dst host host
True if the IP destination field of the
packet is host, which may be either an
address or a name.
src host host
True if the IP source field of the packet is
host.
host host
True if either the IP source or destination
of the packet is host. Any of the above
host expressions can be prepended with the
keywords, ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP
addresses, each address will be checked for
a match.
ether dst ehost
True if the ethernet destination address is
ehost. Ehost may be either a name from
/etc/ethers or a number (see ethers(3N) for
numeric format).
ether src ehost
True if the ethernet source address is
ehost.
ether host ehost
True if either the ethernet source or desti-
nation address is ehost.
gateway host
True if the packet used host as a gateway.
I.e., the ethernet source or destination
address was host but neither the IP source
nor the IP destination was host. Host must
be a name and must be found in both
/etc/hosts and /etc/ethers. (An equivalent
expression is
ether host ehost and not host host
which can be used with either names or num-
bers for host / ehost.)
dst net net
True if the IP destination address of the
packet has a network number of net. Net may
be either a name from /etc/networks or a
network number (see networks(4) for
details).
src net net
True if the IP source address of the packet
has a network number of net.
net net
True if either the IP source or destination
address of the packet has a network number
of net.
net net mask mask
True if the IP address matches net with the
specific netmask. May be qualified with src
or dst.
net net/len
True if the IP address matches net a netmask
len bits wide. May be qualified with src or
dst.
dst port port
True if the packet is ip/tcp or ip/udp and
has a destination port value of port. The
port can be a number or a name used in
/etc/services (see tcp(4P) and udp(4P)). If
a name is used, both the port number and
protocol are checked. If a number or
ambiguous name is used, only the port number
is checked (e.g., dst port 513 will print
both tcp/login traffic and udp/who traffic,
and port domain will print both tcp/domain
and udp/domain traffic).
src port port
True if the packet has a source port value
of port.
port port
True if either the source or destination
port of the packet is port. Any of the
above port expressions can be prepended with
the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source
port is port.
less length
True if the packet has a length less than or
equal to length. This is equivalent to:
len <= length.
greater length
True if the packet has a length greater than
or equal to length. This is equivalent to:
len >= length.
ip proto protocol
True if the packet is an ip packet (see
ip(4P)) of protocol type protocol. Protocol
can be a number or one of the names icmp,
igrp, udp, nd, or tcp. Note that the iden-
tifiers tcp, udp, and icmp are also keywords
and must be escaped via backslash (\), which
is \\ in the C-shell.
ether broadcast
True if the packet is an ethernet broadcast
packet. The ether keyword is optional.
ip broadcast
True if the packet is an IP broadcast
packet. It checks for both the all-zeroes
and all-ones broadcast conventions, and
looks up the local subnet mask.
ether multicast
True if the packet is an ethernet multicast
packet. The ether keyword is optional.
This is shorthand for `ether[0] & 1 != 0'.
ip multicast
True if the packet is an IP multicast
packet.
ether proto protocol
True if the packet is of ether type proto-
col. Protocol can be a number or a name
like ip, arp, or rarp. Note these identi-
fiers are also keywords and must be escaped
via backslash (\). [In the case of FDDI
(e.g., `fddi protocol arp'), the protocol
identification comes from the 802.2 Logical
Link Control (LLC) header, which is usually
layered on top of the FDDI header. Tcpdump
assumes, when filtering on the protocol
identifier, that all FDDI packets include an
LLC header, and that the LLC header is in
so-called SNAP format.]
decnet src host
True if the DECNET source address is host,
which may be an address of the form
``10.123'', or a DECNET host name. [DECNET
host name support is only available on
Ultrix systems that are configured to run
DECNET.]
decnet dst host
True if the DECNET destination address is
host.
decnet host host
True if either the DECNET source or destina-
tion address is host.
ip, arp, rarp, decnet
Abbreviations for:
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
Abbreviations for:
ether proto p
where p is one of the above protocols. Note
that Snort does not currently know how to
parse these protocols.
tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.
expr relop expr
True if the relation holds, where relop is
one of >, <, >=, <=, =, !=, and expr is an
arithmetic expression composed of integer
constants (expressed in standard C syntax),
the normal binary operators [+, -, *, /, &,
|], a length operator, and special packet
data accessors. To access data inside the
packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp,
tcp, udp, or icmp, and indicates the proto-
col layer for the index operation. The byte
offset, relative to the indicated protocol
layer, is given by expr. Size is optional
and indicates the number of bytes in the
field of interest; it can be either one,
two, or four, and defaults to one. The
length operator, indicated by the keyword
len, gives the length of the packet.
For example, `ether[0] & 1 != 0' catches all
multicast traffic. The expression `ip[0] &
0xf != 5' catches all IP packets with
options. The expression `ip[6:2] & 0x1fff =
0' catches only unfragmented datagrams and
frag zero of fragmented datagrams. This
check is implicitly applied to the tcp and
udp index operations. For instance, tcp[0]
always means the first byte of the TCP
header, and never means the first byte of an
intervening fragment.
Primitives may be combined using:
A parenthesized group of primitives and
operators (parentheses are special to the
Shell and must be escaped).
Negation (`!' or `not').
Concatenation (`&&' or `and').
Alternation (`||' or `or').
Negation has highest precedence. Alternation and
concatenation have equal precedence and associate
left to right. Note that explicit and tokens, not
juxtaposition, are now required for concatenation.
If an identifier is given without a keyword, the
most recent keyword is assumed. For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )
Expression arguments can be passed to Snort as
either a single argument or as multiple arguments,
whichever is more convenient. Generally, if the
expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces
before being parsed.
RULES
Snort uses a simple but flexible rules language to
describe network packet signatures and associate them with
actions. The current rules document can be found at
http://www.snort.org/snort_rules.html.
NOTES
The following signals have the specified effect when sent
to the daemon process using the kill(1) command:
SIGHUP Causes the daemon to close all opened files and
restart. Please note that this will only work if
the full pathname is used to invoke snort in daemon
mode, otherwise snort will just exit with an error
message being sent to syslogd(8)
SIGUSR1
Causes the program to dump its current packet sta-
tistical information to the cosole or syslogd(8) if
in daemon mode.
Any other signal causes the daemon to close all opened
files and exit.
HISTORY
Snort has been freely available under the GPL license
since 1998.
DIAGNOSTICS
Snort returns a 0 on a successful exit, 1 if it exits on
an error.
BUGS
After consulting the BUGS file included with the source
distribution, send bug reports to snort-
devel@lists.sourceforge.net
AUTHOR
Martin Roesch <roesch@snort.org>
SEE ALSOtcpdump(1), pcap(3)
July 2001 SNORT(8)