Skip to content

threatstream/snort

Repository files navigation

Snort Version 2.9.6.2

by Martin Roesch and The Snort Team (http://www.snort.org/team.html)

Distribution Site:
http://www.snort.org

******************************************************************************
COPYRIGHT

Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 2001-2013 Sourcefire Inc.
Copyright (C) 1998-2001 Martin Roesch

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License Version 2 as
published by the Free Software Foundation.  You may not use, modify or
distribute this program under any other version of the GNU General
Public License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

Some of this code has been taken from tcpdump, which was developed
by the Network Research Group at Lawrence Berkeley National Lab,
and is copyrighted by the University of California Regents.

******************************************************************************

DESCRIPTION

Snort is an open source network intrusion detection and prevention system.  It
is capable of performing real-time traffic analysis, alerting, blocking and 
packet logging on IP networks.  It utilizes a combination of protocol analysis 
and pattern matching in order to detect a anomalies, misuse and attacks.  
Snort uses a flexible rules language to describe activity that can be considered
malicious or anomalous as well as an analysis engine that incorporates a 
modular plugin architecture.  Snort is capable of detecting and responding in
real-time, sending alerts, performing session sniping, logging packets, or
dropping sessions/packets when deployed in-line.

Snort has three primary functional modes.  It can be used as a packet sniffer 
like tcpdump(1), a packet logger (useful for network traffic
debugging, etc), or as a full blown network intrusion detection and prevention
system.

Please read the snort_manual.pdf file that should be included with this 
distribution for full documentation on the program as well as a guide to 
getting started.


******************************************************************************

[*][USAGE]

Command line: 

	snort -[options] <filters>

Options:
    The full list of options supported is displayed using the option --help.

[*][FILTERS]:

     The "filters" are standard BPF style filters as seen in tcpdump.  Look
at the man page for snort for docs on how to use it properly.  In general,
you can give it a host, net or protocol to filter on and some logical statements
to tie it together and get the specific traffic you're interested in.  For 
example:

[zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1

records the traffic to and from host 192.168.1.1.

[zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1

records all traffic on the 192.168.1.0/24 class C subnet, but not traffic 
to/from 192.168.1.1.  Notice that the command line data specified after the
"-h" switch is formated differently from the BPF commands provided at the end 
of the command line.  Sorry for the confusion, but I like the CIDR notation and
I'm not rewriting libpcap to make it consistent!  Anyway, you get the picture.
Mail me if you have trouble with it.

You can use the -F switch to read your BPF filters in from a file.  


[*][RULES]:
      
-------------------------------------------------------------------------
NOTE: The "official" rules document these days is available at:

http://www.snort.org/docs/writing_rules/

and is also usually distributed as snort_manual.pdf in the distro.  If
you don't have this file in your distribution of Snort, you can get it from
www.snort.org.
-------------------------------------------------------------------------

Please read the USAGE file or the snort_manual.pdf for more info!

******************************************************************************
/* $Id$ */