These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Snort Usage


Snort can be invoked from the command line in a few different ways, which we will examine before we look further into the configuration of Snort.

Modes of Operation

There are three main modes of operation for Snort.

Sniffer mode

Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console:

 # snort -v

will print out the TCP/IP packet headers to the screen. If you want to see the application data in transit, then you need to append the "d" option. This instructs Snort to display the packet data as well as the headers.

 # snort -vd

If you want an even more descriptive display, showing the data link layer headers as well, do this:

 # snort -vde

Packet logger mode

Packet logger mode logs the packets to the disk. When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram. The basic usage for this mode is as follows:

 # snort -dev -l /path/log

(This assumes that /path/log exists. If it does not, Snort will exit with an error.)

If we wished to focus on a given network, we could do so by using the "-h" option:

 # snort -dev -l /path/log -h 192.168.1.0/24

If you're on a high-speed network, or you want to log the packets in a more compact form for later analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory:

 # snort -l /path/log -b

Network intrusion detection mode

Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees.

To enable network intrusion detection (NIDS) mode (so that you don't record every single packet sent down the wire), try this:

 # snort -dev -l /path/log -h 192.168.1.0/24 -c snort.conf

Here snort.conf is the name of your rules file. Snort will apply the rules in snort.conf to each packet to decide whether an action should be taken, based upon the rule type in the file. If you don't specify an output directory, it defaults to /var/log/snort.

One thing to note about the last command line: if Snort is going to be used long-term as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display.

It's also not necessary to record the data link headers for most applications, so the -e switch can be left off as well.

 # snort -d -h 192.168.1.0/24 -l ./log -c snort.conf

This configures Snort to run in its most basic NIDS form, logging the packets that the rules tell it to in plain ASCII to a hierarchical directory structure (just like packet logger mode).

The NIDS mode has numerous useful options. Consult the man pages or the online documentation at http://www.snort.org/docs/ for more information.
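As an added example (not part of the original notes, and not Snort's own code), the following POSIX shell function checks a proposed Snort command line against the cautions given in the three mode sections above: that the -l directory exists, that -h names a CIDR network, and that -v and -e are left off once -c puts Snort into NIDS mode. It only parses the options shown on this page; the paths and network in the comments are illustrative.

```sh
#!/bin/sh
# lint_snort_args: inspect a Snort command line before launching it.
# Prints each problem found and returns the number of problems (0 = looks sane).
# Only the options used in these notes are understood: -v -d -e -b -l -h -c.
lint_snort_args() {
    problems=0; flags=""; logdir=""; conf=""; homenet=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -l) logdir="$2"; shift ;;
            -c) conf="$2"; shift ;;
            -h) homenet="$2"; shift ;;
            -*) flags="$flags${1#-}" ;;      # "-dev" becomes the letters d, e, v
            *)  echo "unexpected argument: $1"; problems=$((problems + 1)) ;;
        esac
        shift
    done

    # Packet logger / NIDS mode: Snort exits with an error when the -l
    # directory does not exist, so catch that before starting it.
    if [ -n "$logdir" ] && [ ! -d "$logdir" ]; then
        echo "log directory $logdir does not exist"; problems=$((problems + 1))
    fi

    # -h expects a home network in CIDR form, e.g. 192.168.1.0/24
    if [ -n "$homenet" ]; then
        case "$homenet" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
            *) echo "-h expects a CIDR network, got $homenet"; problems=$((problems + 1)) ;;
        esac
    fi

    if [ -n "$conf" ]; then                  # -c means NIDS mode
        [ -f "$conf" ] || { echo "rules file $conf not found"; problems=$((problems + 1)); }
        [ -n "$logdir" ] || echo "note: no -l given, output defaults to /var/log/snort"
        # Long-running IDS: writing to the screen is slow and can drop packets,
        # and the data link headers are rarely needed.
        case "$flags" in
            *v*) echo "leave -v off in NIDS mode (console output drops packets)"; problems=$((problems + 1)) ;;
        esac
        case "$flags" in
            *e*) echo "-e (data link headers) is not needed for most NIDS use"; problems=$((problems + 1)) ;;
        esac
    fi
    return $problems
}
```

Call it with the same arguments you intend to give snort, e.g. lint_snort_args -d -h 192.168.1.0/24 -l ./log -c snort.conf, and launch only when it returns 0.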



Last edited June 28, 2003 12:07 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.