Man page for apt-get snort Command
This tutorial shows the man page for man snort in linux.
Open terminal with 'su' access and type the command as shown below:
Result of the Command Execution shown below:
Snort open source network intrusion detection system
snort [ bCdDeEfHIMNoOpqQsTUvVwWxXy?] [ A alert mode ] [ B address con
version mask ] [ c rules file ] [ F bpf file ] [ g grpname ] [ G id ]
[ h home net ] [ i interface ] [ J port ] [ k checksum mode ] [ K log
ging mode ] [ l log dir ] [ L bin log file ] [ m umask ] [ n packet
count ] [ P snap length ] [ r tcpdump file ] [ R name ] [ S vari
able=value ] [ t chroot_directory ] [ u usrname ] [ Z pathname ]
[ logid id ] [ perfmon file pathname ] [ pid path pathname ]
[ snaplen snap length ] [ help ] [ version ] [ dynamic engine lib
file ] [ dynamic engine lib dir directory ] [ dynamic detection lib
file ] [ dynamic detection lib dir directory ] [ dump dynamic rules
directory ] [ dynamic preprocessor lib file ] [ dynamic preprocessor
lib dir directory ] [ alert before pass ] [ treat drop as alert ]
[ process all events ] [ create pidfile ] [ nolock pidfile ] [ dis
able inline initialization ] [ pcap single= tcpdump file ] [ pcap
filter= filter ] [ pcap list= list ] [ pcap dir= directory ] [ pcap
file= file ] [ pcap no filter ] [ pcap reset ] [ pcap show count ]
[ conf error out ] [ require rule sid ] expression
Snort is an open source network intrusion detection system, capable of
performing real time traffic analysis and packet logging on IP net
works. It can perform protocol analysis, content searching/matching
and can be used to detect a variety of attacks and probes, such as buf
fer overflows, stealth port scans, CGI attacks, SMB probes, OS finger
printing attempts, and much more. Snort uses a flexible rules language
to describe traffic that it should collect or pass, as well as a detec
tion engine that utilizes a modular plugin architecture. Snort also
has a modular real time alerting capability, incorporating alerting and
logging plugins for syslog, a ASCII text files, UNIX sockets, database
(Mysql/PostgreSQL/Oracle/ODBC) or XML.
Snort has three primary uses. It can be used as a straight packet
sniffer like tcpdump(1), a packet logger (useful for network traffic
debugging, etc), or as a full blown network intrusion detection system.
Snort logs packets in tcpdump(1) binary format, to a database or in
Snort's decoded ASCII format to a hierarchy of logging directories that
are named based on the IP address of the "foreign" host.
A alert mode
Alert using the specified alert mode. Valid alert modes include
fast, full, none, and unsock. Fast writes alerts to the default
"alert" file in a single line, syslog style alert message. Full
writes the alert to the "alert" file with the full decoded
header as well as the alert message. None turns off alerting.
Unsock is an experimental mode that sends the alert information
out over a UNIX socket to another process that attaches to that
b Log packets in a tcpdump(1) formatted file. All packets are
logged in their native binary state to a tcpdump formatted log
file named with the snort start timestamp and "snort.log". This
option results in much faster operation of the program
since it doesn't have to spend time in the packet binary >text
converters. Snort can keep up pretty well with 100Mbps networks
in ' b' mode. To choose an alternate name for the binary log
file, use the ' L' switch.
B address conversion mask
Convert all IP addresses in home net to addresses specified by
address conversion mask. Used to obfuscate IP addresses within
binary logs. Specify home net with the ' h' switch. Note this
is not the same as $HOME_NET.
c config file
Use the rules located in file config file.
C Print the character data from the packet payload only (no hex).
d Dump the application layer data when displaying packets in ver
bose or packet logging mode.
D Run Snort in daemon mode. Alerts are sent to
/var/log/snort/alert unless otherwise specified.
e Display/log the link layer packet headers.
E *WIN32 ONLY* Log alerts to the Windows Event Log.
f Activate PCAP line buffering
F bpf file
Read BPF filters from bpf file. This is handy for people run
ning Snort as a SHADOW replacement or with a love Of super com
plex BPF filters. See the "expressions" section of this man
page for more info on writing BPF fileters.
Change the group/GID Snort runs under to group after initializa
tion. This switch allows Snort to drop root priveleges after
it's initialization phase has completed as a security measure.
G id Use id as a base event ID when logging events. Useful for dis
tinguishing events logged to the same database from multiple
h home net
Set the "home network" to home net. The format of this address
variable is a network prefix plus a CIDR block, such as
192.168.1.0/24. Once this variable is set, all decoded packet
logging will be done relative to the home network address space.
This is useful because of the way that Snort formats its ASCII
log data. With this value set to the local network, all decoded
output will be logged into decode directories with the address
of the foreign computer as the directory name, which is very
useful during traffic analysis.
H Force hash tables to be deterministic instead of using a random
number generator for the seed & scale. Useful for testing and
generating repeatable results with the same traffic.
Sniff packets on interface.
I Print out the receiving interface name in alerts.
Use port to read packets when running inline mode on system with
k checksum mode
Tune the internal checksum verification functionality with
alert mode. Valid checksum modes include all, noip, notcp,
noudp, noicmp, and none. All activates checksum verification
for all supported protocols. Noip turns off IP checksum verifi
cation, which is handy if the gateway router is already dropping
packets that fail their IP checksum checks. Notcp turns off TCP
checksum verification, all other checksum modes are on. noudp
turns off UDP checksum verification. Noicmp turns off ICMP
checksum verification. None turns off the entire checksum veri
K logging mode
Select a packet logging mode. The default is pcap. logging
mode. Valid logging modes include pcap, ascii, and none. Pcap
logs packets through the pcap library into pcap (tcpdump) for
mat. Ascii logs packets in the old "directories and files" for
mat with packet printouts in each file. None Turns off packet
l log dir
Set the output logging directory to log dir. All plain text
alerts and packet logs go into this directory. If this option
is not specified, the default logging directory is set to
L binary log file
Set the filename of the binary log file to binary log file. If
this switch is not used, the default name is a timestamp for the
time that the file is created plus "snort.log".
Set the file mode creation mask to umask
M Log console messages to syslog when not running daemon mode.
This switch has no impact on logging of alerts.
n packet count
Process packet count packets and exit.
N Turn off packet logging. The program still generates alerts
O Obfuscate the IP addresses when in ASCII packet dump mode. This
switch changes the IP addresses that get printed to the
screen/log file to "xxx.xxx.xxx.xxx". If the homenet address
switch is set ( h), only addresses on the homenet will be obfus
cated while non homenet IPs will be left visible. Perfect for
posting to your favorite security mailing list!
p Turn off promiscuous mode sniffing.
P snap length
Set the packet snaplen to snap length . By default, this is set
q Quiet operation. Don't display banner and initialization infor
Q Read packets from iptables/IPQ (Linux only) when running in line
r tcpdump file
Read the tcpdump formatted file tcpdump file. This will cause
Snort to read and process the file fed to it. This is useful
if, for instance, you've got a bunch of SHADOW files that you
want to process for content, or even if you've got a bunch of
reassembled packet fragments which have been written into a tcp
dump formatted file.
Use name as a suffix to the snort pidfile.
s Send alert messages to syslog. On linux boxen, they will appear
in /var/log/secure, /var/log/messages on many other platforms.
Set variable name "variable" to value "value". This is useful
for setting the value of a defined variable name in a Snort
rules file to a command line specified value. For instance, if
you define a HOME_NET variable name inside of a Snort rules
file, you can set this value from it's predefined value at the
Changes Snort's root directory to chroot after initialization.
Please note that all log/alert filenames are relative to the
chroot directory if chroot is used.
T Snort will start up in self test mode, checking all the supplied
command line switches and rules files that are handed to it and
indicating that everything is ready to proceed. This is a good
switch to use if daemon mode is going to be used, it verifies
that the Snort configuration that is about to be used is valid
and won't fail at run time. Note, Snort looks for either
/etc/snort.conf or ./snort.conf. If your config lives else
where, use the c option to specify a valid config file.
Change the user/UID Snort runs under to user after initializa
U Changes the timestamp in all logs to be in UTC
v Be verbose. Prints packets out to the console. There is one
big problem with verbose mode: it's slow. If you are doing IDS
work with Snort, don't use the ' v' switch, you WILL drop pack
V Show the version number and exit.
w Show management frames if runnong on an 802.11 (wireless) net
W *WIN32 ONLY* Enumerate the network interfaces available.
x Exit if Snort configuration problems occur such as duplicate
gid/sid or flowbits without Stream5.
X Dump the raw packet data starting at the link layer. This
switch overrides the ' d' switch.
y Include the year in alert and log files
Set the perfmonitor preprocessor path/filename to pathname.
? Show the program usage statement and exit.
Same as G.
perfmon file pathname
Same as Z.
pid path directory
Specify the directory for the Snort PID file.
snaplen snap length
Same as P.
help Same as ?
Same as V
dynamic engine lib file
Load a dynamic detection engine shared library specified by
dynamic engine lib dir directory
Load all dynamic detection engine shared libraries specified
dynamic detection lib file
Load a dynamic detection rules shared library specified by file.
dynamic detection lib dir directory
Load all dynamic detection rules shared libraries specified from
dump dynamic rules directory
Create stub rule files from all loaded dynamic detection rules
libraries. Files will be created in directory. This is
required to be done prior to running snort using those detection
rules and the generated rules files must be included in
dynamic preprocessor lib file
Load a dynamic preprocessor shared library specified by file.
dynamic preprocessor lib dir directory
Load all dynamic preprocessor shared libraries specified from
alert before pass
Process alert, drop, sdrop, or reject before pass. Default is
pass before alert, drop, etc.
treat drop as alert
Converts drop, sdrop, and reject rules into alert rules during
process all events
Process all triggered events in group order, per Rule Ordering
configuration. Default stops after first group.
pid path directory
Specify the path for Snort's PID file.
Create PID file, even when not in Daemon mode.
Do not try to lock Snort PID file.
disable inline initialization
Do not initialize IPTables when in inline mode. To be used with
T to test for a valid configuration without requiring opening
inline devices and adversely affecting traffic flow.
pcap single=tcpdump file
Same as r. Added for completeness.
Shell style filter to apply when getting pcaps from file or
directory. This filter will apply to any pcap file or pcap
dir arguments following. Use pcap no filter to delete filter
for following pcap file or pcap dir arguments or specifiy
pcap filter again to forget previous filter and to apply to
following pcap file or pcap dir arguments.
A space separated list of pcaps to read.
A directory to recurse to look for pcaps. Sorted in ascii
File that contains a list of pcaps to read. Can specifiy path
to pcap or directory to recurse to get pcaps.
pcap no filter
Reset to use no filter when getting pcaps from file or direc
If reading multiple pcaps, reset snort to post configuration
state before reading next pcap. The default, i.e. without this
option, is not to reset state.
Print a line saying what pcap is currently being read.
Signal termination after
callbacks from pcap_dispatch(),
showing the time it takes from signaling until pcap_close() is
conf error out
Same as x.
require rule sid
Require an SID for every rule to be correctly hreshold all
selects which packets will be dumped. If no expression is
given, all packets on the net will be dumped. Otherwise, only
packets for which expression is `true' will be dumped.
The expression consists of one or more primitives. Primitives
usually consist of an id (name or number) preceded by one or
more qualifiers. There are three different kinds of qualifier:
type qualifiers say what kind of thing the id name or number
refers to. Possible types are host, net and port. E.g.,
`host foo', `net 128.3', `port 20'. If there is no type
qualifier, host is assumed.
dir qualifiers specify a particular transfer direction to
and/or from id. Possible directions are src, dst, src or
dst and src and dst. E.g., `src foo', `dst net 128.3',
`src or dst port ftp data'. If there is no dir quali
fier, src or dst is assumed. For `null' link layers
(i.e. point to point protocols such as slip) the inbound
and outbound qualifiers can be used to specify a desired
proto qualifiers restrict the match to a particular protocol.
Possible protos are: ether, fddi, ip, arp, rarp, decnet,
lat, sca, moprc, mopdl, tcp and udp. E.g., `ether src
foo', `arp net 128.3', `tcp port 21'. If there is no
proto qualifier, all protocols consistent with the type
are assumed. E.g., `src foo' means `(ip or arp or rarp)
src foo' (except the latter is not legal syntax), `net
bar' means `(ip or arp or rarp) net bar' and `port 53'
means `(tcp or udp) port 53'.
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the speci
fied network interface.'' FDDI headers contain Ethernet like
source and destination addresses, and often contain Ethernet
like packet types, so you can filter on these FDDI fields just
as with the analogous Ethernet fields. FDDI headers also con
tain other fields, but you cannot name them explicitly in a fil
In addition to the above, there are some special `primitive'
keywords that don't follow the pattern: gateway, broadcast,
less, greater and arithmetic expressions. All of these are
More complex filter expressions are built up by using the words
and, or and not to combine primitives. E.g., `host foo and not
port ftp and not port ftp data'. To save typing, identical
qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp
data or domain' is exactly the same as `tcp dst port ftp or tcp
dst port ftp data or tcp dst port domain'.
Allowable primitives are:
dst host host
True if the IP destination field of the packet is host,
which may be either an address or a name.
src host host
True if the IP source field of the packet is host.
True if either the IP source or destination of the packet
is host. Any of the above host expressions can be
prepended with the keywords, ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each
address will be checked for a match.
ether dst ehost
True if the ethernet destination address is ehost. Ehost
may be either a name from /etc/ethers or a number (see
ethers(3N) for numeric format).
ether src ehost
True if the ethernet source address is ehost.
ether host ehost
True if either the ethernet source or destination address
True if the packet used host as a gateway. I.e., the
ethernet source or destination address was host but nei
ther the IP source nor the IP destination was host. Host
must be a name and must be found in both /etc/hosts and
/etc/ethers. (An equivalent expression is
ether host ehost and not host host
which can be used with either names or numbers for host /
dst net net
True if the IP destination address of the packet has a
network number of net. Net may be either a name from
/etc/networks or a network number (see networks(4) for
src net net
True if the IP source address of the packet has a network
number of net.
True if either the IP source or destination address of
the packet has a network number of net.
net net mask mask
True if the IP address matches net with the specific net
mask. May be qualified with src or dst.
True if the IP address matches net a netmask len bits
wide. May be qualified with src or dst.
dst port port
True if the packet is ip/tcp or ip/udp and has a destina
tion port value of port. The port can be a number or a
name used in /etc/services (see tcp(4P) and udp(4P)). If
a name is used, both the port number and protocol are
checked. If a number or ambiguous name is used, only the
port number is checked (e.g., dst port 513 will print
both tcp/login traffic and udp/who traffic, and port
domain will print both tcp/domain and udp/domain traf
src port port
True if the packet has a source port value of port.
True if either the source or destination port of the
packet is port. Any of the above port expressions can be
prepended with the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.
True if the packet has a length less than or equal to
length. This is equivalent to:
len <= length.
True if the packet has a length greater than or equal to
length. This is equivalent to:
len >= length.
ip proto protocol
True if the packet is an ip packet (see ip(4P)) of proto
col type protocol. Protocol can be a number or one of
the names icmp, igrp, udp, nd, or tcp. Note that the
identifiers tcp, udp, and icmp are also keywords and must
be escaped via backslash (\), which is \ in the C shell.
True if the packet is an ethernet broadcast packet. The
ether keyword is optional.
True if the packet is an IP broadcast packet. It checks
for both the all zeroes and all ones broadcast conven
tions, and looks up the local subnet mask.
True if the packet is an ethernet multicast packet. The
ether keyword is optional. This is shorthand for
`ether & 1 != 0'.
True if the packet is an IP multicast packet.
ether proto protocol
True if the packet is of ether type protocol. Protocol
can be a number or a name like ip, arp, or rarp. Note
these identifiers are also keywords and must be escaped
via backslash (\). [In the case of FDDI (e.g., `fddi
protocol arp'), the protocol identification comes from
the 802.2 Logical Link Control (LLC) header, which is
usually layered on top of the FDDI header. Tcpdump
assumes, when filtering on the protocol identifier, that
all FDDI packets include an LLC header, and that the LLC
header is in so called SNAP format.]
decnet src host
True if the DECNET source address is host, which may be
an address of the form ``10.123'', or a DECNET host name.
[DECNET host name support is only available on Ultrix
systems that are configured to run DECNET.]
decnet dst host
True if the DECNET destination address is host.
decnet host host
True if either the DECNET source or destination address
ip, arp, rarp, decnet
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
ether proto p
where p is one of the above protocols. Note that Snort
does not currently know how to parse these protocols.
tcp, udp, icmp
ip proto p
where p is one of the above protocols.
expr relop expr
True if the relation holds, where relop is one of >, <,
>=, <=, =, !=, and expr is an arithmetic expression com
posed of integer constants (expressed in standard C syn
tax), the normal binary operators [+, , *, /, &, |], a
length operator, and special packet data accessors. To
access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or
icmp, and indicates the protocol layer for the index
operation. The byte offset, relative to the indicated
protocol layer, is given by expr. Size is optional and
indicates the number of bytes in the field of interest;
it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword len, gives
the length of the packet.
For example, `ether & 1 != 0' catches all multicast
traffic. The expression `ip & 0xf != 5' catches all
IP packets with options. The expression `ip[6:2] & 0x1fff
= 0' catches only unfragmented datagrams and frag zero of
fragmented datagrams. This check is implicitly applied
to the tcp and udp index operations. For instance,
tcp always means the first byte of the TCP header, and
never means the first byte of an intervening fragment.
Primitives may be combined using:
A parenthesized group of primitives and operators (paren
theses are special to the Shell and must be escaped).
Negation (`!' or `not').
Concatenation (`&' or `and').
Alternation (`||' or `or').
Negation has highest precedence. Alternation and concatenation
have equal precedence and associate left to right. Note that
explicit and tokens, not juxtaposition, are now required for
If an identifier is given without a keyword, the most recent
keyword is assumed. For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )
Expression arguments can be passed to Snort as either a single
argument or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it
is easier to pass it as a single, quoted argument. Multiple
arguments are concatenated with spaces before being parsed.
Instead of having Snort listen on an interface, you can give it a
packet capture to read. Snort will read and analyze the packets as if
they came off the wire. This can be useful for testing and debugging
Read a single pcap
$ snort r foo.pcap
$ snort pcap single=foo.pcap
Read pcaps from a file
$ cat foo.txt
$ snort pcap file=foo.txt
This will read foo1.pcap, foo2.pcap and all files under
/home/foo/pcaps. Note that Snort will not try to determine
whether the files under that directory are really pcap files or
Read pcaps from a command line list
$ snort pcap list="foo1.pcap foo2.pcap foo3.pcap"
This will read foo1.pcap, foo2.pcap and foo3.pcap.
Read pcaps under a directory
$ snort pcap dir="/home/foo/pcaps"
This will include all of the files under /home/foo/pcaps.
$ cat foo.txt
$ snort pcap filter="*.pcap" pcap file=foo.txt
$ snort pcap filter="*.pcap" pcap dir=/home/foo/pcaps
The above will only include files that match the shell pattern
"*.pcap", in other words, any file ending in ".pcap".
$ snort pcap filter="*.pcap pcap f