SNORT FAQ Version 1.8.1 - 13 August 2001

Suggestions for enhancements of this document are always welcome; please email them to Dragos Ruiu at dr@kyx.net

The following people have contributed to this faq:

Marty Roesch
Fyodor Yarochkin
Dragos Ruiu
Jed Pickel
Max Vision
Michael Davis
Joe McAlerney
Joe Stewart
Erek Adams
Roman Danyliw
Christopher Cramer
Frank Knobbe
Phil Wood
Toby Kohlenberg
Ramin Alidousti
Jim Hankins
Dennis Hollingworth
Paul Howell
Stef Mit
Ofir Arkin
Jason Haar
Blake Frantz
Lars Norman Søndergaard
Brent Erickson

-----------------------------------------------------------------------------

Frequently Asked Questions about "snort"

Section 1: Snort Background
--------------------------
1.1 Q: How do you pronounce the names of some of these guys who work on snort?
1.2 Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?
1.3 Q: Where do I get more help on snort?
1.4 Q: Where can I get more reading and courses about IDS?
1.5 Q: Does Snort handle IP defragmentation?
1.6 Q: Does Snort perform TCP stream reassembly?
1.7 Q: Does Snort do stateful protocol analysis?
1.8 Q: I'm on a switched network, can I still use Snort?
1.9 Q: I've heard IDSes are vulnerable to noise generators like "Stick" and "Snot", is snort vulnerable?
1.10 Q: I've heard it is possible to use polymorphic mutators on shellcode?
1.11 Q: Does Snort log the full packets that it generates alerts on?

Section 2: Getting Started
--------------------------
2.1 Q: How do I run snort?
2.2 Q: Where are my log files located? What are they named?
2.3 Q: Where's a good place to physically put a Snort sensor?
2.4 Q: Libpcap complains about permissions problems, what's going on?
2.5 Q: Why does snort complain about /var/log/snort?
2.6 Q: I've got RedHat and ....
2.7 Q: Where do I get the latest version of libpcap?
2.8 Q: Why does building snort complain about missing references?
2.9 Q: Why does building snort fail with errors about yylex and lex_init?
2.10 Q: I want to build a snort box. Will this <Insert List> handle <this much> traffic?
2.11 Q: What are CIDR netmasks?
2.12 Q: What is the use of the "-r" switch to read tcpdump files?

Section 3: Configuring Snort
----------------------------
3.1 Q: How do I setup snort on a 'stealth' interface?
3.2 Q: How do I run snort on an interface with no IP address?
3.3 Q: My network spans multiple subnets. How do I define HOME_NET?
3.4 Q: How can I run snort on multiple interfaces simultaneously?
3.5 Q: IP address is assigned dynamically to my interface, can I use snort with it?
3.6 Q: I have one network card and two aliases, how can I force snort to "listen" on both addresses?
3.7 Q: How do I ignore traffic coming from a particular host or hosts?
3.8 Q: How do I get Snort to log the packet payload as well as the header?
3.9 Q: Why are there no subdirectories under /var/log/snort for IP addresses?
3.10 Q: How do you get snort to ignore some traffic?
3.11 Q: Why does the portscan plugin log "stealth" packets even though the host is in the portscan-ignorehosts list?
3.12 Q: Which takes precedence, commandline or rule file?
3.13 Q: How does rule ordering work?
3.14 Q: How do I configure stream4?
3.15 Q: Where does one obtain new/modified rules? How do you merge them in?
3.16 Q: How do you get the latest snort via cvs?

Section 4: Snort Rules and Alerts
---------------------------------
4.1 Q: When I start snort I get errors from my rules files
4.2 Q: Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?"
4.3 Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
4.4 Q: I'm getting large amounts of some alert type. What should I do? Where can I go to find out more about it?
4.5 Q: What about all these false alarms?
4.6 Q: What are all these ICMP files in subdirectories under /var/log/snort?
4.7 Q: Why does the program generate alerts on packets that have pass rules?
4.8 Q: What are all these "ICMP destination unreachable" alerts?
4.9 Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
4.10 Q: What are these IDS codes in the alert names?
4.11 Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
4.12 Q: What about "CGI Null Byte attacks"?
4.13 Q: Why do certain alerts seem to have 'unknown' IPs in ACID?
4.14 Q: Can priorities be assigned to Alerts using ACID?
4.15 Q: What about 'SMB Name Wildcard' alerts?
4.16 Q: What the heck is a SYNFIN scan?
4.17 Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off?
4.18 Q: How do I test snort alerts and logging?

Section 5: Getting Fancy
------------------------
5.1 Q: How do I process those snort logs into HTML reports?
5.2 Q: How do I log to multiple databases?
5.3 Q: How can I test snort without having an ethernet card or a connection to other computers?
5.4 Q: How to start snort as a win32 service?
5.5 Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall?
5.6 Q: Snort complains about the "react" keyword...
5.7 Q: How do I get snort to e-mail me alerts?
5.8 Q: How do I log a specific type of traffic and send alerts to syslog?
5.9 Q: Is it possible to have snort call an external program when an alert is raised?

Section 6: Problems
-------------------
6.1 Q: I think I found a bug in snort. Now what?
6.2 Q: SMB alerts aren't working, what's wrong?
6.3 Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?
6.4 Q: Snort says "Ran Out Of Space". Huh?
6.5 Q: I'm having problems getting snort to log to a database...
6.6 Q: My ACID db connection times out when performing long operations (e.g. deleting a large number of alerts)
6.7 Q: Why does snort report "Packet loss statistics are unavailable under Linux"?
6.8 Q: My /var/log/snort directory gets very large.....
6.9 Q: Why does the 'error deleting alert' message occur when attempting to delete an alert with ACID?
6.10 Q: ACID appears to be broken in Lynx
6.11 Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong?
6.12 Q: On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument
6.13 Q: I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong?
6.14 Q: I am using Snort on Windows and receive an OpenPcap() error upon startup:
6.15 Q: Snort is not logging to my database
6.16 Q: Portscans are not being logged to my database
6.17 Q: Snort is not logging to syslog
6.18 Q: I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERS var
6.19 Q: Why does chrooted snort die when I send it a SIGHUP?
6.20 Q: My snort crashes, how do I restart it?
6.21 Q: Why can't snort see one of either the 10Mbps or 100Mbps traffic on my autoswitch hub?

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

***************************************
Section 1: SNORT BACKGROUND
***************************************

1.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do you pronounce the names of some of these guys who work on snort?

A: For the record, 'Roesch' is pronounced like 'fresh' without the 'f'. Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. And Jed's last name is like "pick-el", not "pickle". :)

1.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?

A: Nope. fyodor@insecure.org is the author of nmap, and the pseudonym he uses happens to be the snort Fyodor's real name. Yeah, messes up my mailbox too, but I think it's too late to change either of them :-).

1.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where do I get more help on snort?

A: http://lists.sourceforge.net/mailman/listinfo/snort-users

Also look in the USAGE file in the distribution.

1.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where can I get more reading and courses about IDS?

A: Sans has some courses: http://www.sans.org
So does Usenix: http://www.usenix.org/event/sec01/tutorials/tut.html#t1
And Networld/Interop: http://www.key3media.com/interop/atlanta2001/conf/info/WorkshopW955_285.html

There are also some books you might want to look into getting.

Network Intrusion Detection: An Analyst's Handbook
By Stephen Northcutt
ISBN 0735708681

TCP/IP Illustrated, Volume 1: The Protocols
By W. Richard Stevens
ISBN 0201633469

Intrusion Detection
By Rebecca G. Bace
ISBN 1578701856

1.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort handle IP defragmentation?

A: Yes, use "preprocessor frag2" or "preprocessor defrag" or "preprocessor defrag2". Each has slightly different capabilities. Without a defragmentation preprocessor a signature split across two fragments is never seen in one packet, so it cannot match.

1.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort perform TCP stream reassembly?

A: Yes, check out the stream4 preprocessor, which does stateful analysis, session logging, TCP reassembly and much much more... Check the FAQ question on configuring stream4 (3.14).

1.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort perform stateful protocol analysis?

A: Yes, see the answer above regarding the stream4 preprocessor.

1.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I'm on a switched network, can I still use Snort?

A: This depends on the type of switch you have. If it can mirror traffic, you can direct it to the port that your Snort box is on. Without a mirror (span) port a switch only delivers each frame to the port it is destined for, so a Snort box on an ordinary port will see little more than broadcasts and its own traffic.

1.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I've heard IDSes are vulnerable to noise generators like "Stick" and "Snot", is snort vulnerable?

A: It is now possible to defeat these kinds of noise generators with the stream4 preprocessor: the forged packets they emit belong to no real TCP session, so once Snort tracks session state they can be ignored. Even without this enabled snort will weather the alert storm without falling over or losing a lot of alerts due to its highly optimized nature... and using these kinds of gimmicks hardly qualifies as executing a stealthy attack...

1.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I've heard it is possible to use polymorphic mutators on shellcode?

A: Yes, and this could defeat some of the NOP sled detection signatures, but the ordinary exploit rules should not be affected by this kind of obfuscation. As well, the SPADE statistical anomaly detector may detect some of these attacks, and another defense is being prepared for the next version of snort...

1.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort log the full packets that it generates alerts on?

A: Yes, they should be under the logging directory (see 2.2), in the subdirectory named with the IP address of the source host of the packet which generated the alert.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

***************************************
Section 2: GETTING STARTED
***************************************

2.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I run snort?

A: Run Snort in sniffer mode (snort -dvi eth0) and make sure it can see the packets. Then run it with HOME_NET set appropriately for the network you're defending in your rules file. A default rules file, called "snort.conf", comes with the snort distribution. You can run this basic ruleset with the following command line:

    snort -Afull -c snort.conf

If it's all set right, once it's running do an "ifconfig -a" and make sure the interface is in promiscuous mode (it'll show PROMISC among the interface flags in the printout). If it's not, there should be a way to set it manually.

2.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where are my log files located? What are they named?

A: If you specified a logging directory with the -l parameter then that is where your files are located. If you did not specify a logging directory then Snort will log to /var/log/snort/.

In the past, running Snort in daemon mode (-D) produced a file named "snort.alert". For consistency's sake, this has been changed. Running Snort in either standard or daemon mode (-D) will produce a file named "alert".

2.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where's a good place to physically put a Snort sensor?

A: This is going to be heavily influenced by your organization's policy, and what you want to detect. One way of looking at it is determining if you want to place it inside or outside your firewall.

Placing an IDS outside of your firewall will allow you to monitor all attacks directed at your network, regardless of whether or not they are stopped at the firewall. This almost certainly means that the IDS will pick up on more events than an IDS inside the firewall, and hence more logs will be generated.

Place an IDS inside your firewall if you are only interested in monitoring traffic that your firewall let pass.

If resources permit, it may be best to place one IDS outside and one IDS inside of your firewall. This way you can watch for everything directed at your network, and anything that made its way in.
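The answers to 1.5 and 1.6 above say that Snort's frag2/defrag and stream4 preprocessors reassemble IP fragments and TCP streams before rules are matched. The following is an added example (not Snort's code, and not part of the FAQ) that shows why that matters: a detection string is split at a fragment boundary and again across out-of-order TCP segments, so a per-packet matcher never sees it, while the reassembled datagram or stream does. The reassembly logic, the IP ID, the sequence numbers and the HTTP request are all constructed for the illustration; the overlap policy (first-arriving data wins) is one choice among several and is not a claim about how frag2 or stream4 resolve overlaps.

```python
"""Toy IP-fragment and TCP-segment reassembly (constructed example, not Snort's code)."""
from dataclasses import dataclass
from typing import List, Optional

# Detection string used only as a constructed example of a content match.
SIGNATURE = b"/cgi-bin/phf"


@dataclass
class IPFragment:
    ident: int     # IP identification field, shared by all fragments of one datagram
    offset: int    # fragment offset in 8-byte units, as carried on the wire
    more: bool     # MF (more fragments) flag
    data: bytes


def reassemble_ip(frags: List[IPFragment]) -> Optional[bytes]:
    """Return the datagram payload once every fragment is present, else None.

    Fragments belonging to the first fragment's IP ID are placed by byte offset
    (offset * 8). A hole before the last fragment, or a last fragment with MF set,
    means the datagram is still incomplete. On overlap the earlier data is kept.
    """
    if not frags:
        return None
    ident = frags[0].ident
    placed = sorted((f for f in frags if f.ident == ident), key=lambda f: f.offset)
    buf = bytearray()
    for f in placed:
        start = f.offset * 8
        if start > len(buf):
            return None                       # hole: a fragment is still missing
        buf.extend(f.data[len(buf) - start:]) # skip bytes already covered
    return bytes(buf) if not placed[-1].more else None


@dataclass
class TCPSegment:
    seq: int       # sequence number of the first payload byte
    data: bytes


def reassemble_tcp(first_seq: int, segments: List[TCPSegment]) -> bytes:
    """Concatenate contiguous segment data in sequence order, stopping at the first gap.

    first_seq is the sequence number of the first payload byte of the stream
    (ISN + 1 for a real connection); arithmetic is modulo 2**32 like TCP itself.
    """
    buf = bytearray()
    for seg in sorted(segments, key=lambda s: (s.seq - first_seq) & 0xFFFFFFFF):
        rel = (seg.seq - first_seq) & 0xFFFFFFFF
        if rel > len(buf):
            break                             # gap: a segment has not arrived yet
        buf.extend(seg.data[len(buf) - rel:])
    return bytes(buf)


def per_packet_hits(chunks: List[bytes], sig: bytes = SIGNATURE) -> int:
    """Number of individual packets whose payload alone contains the signature."""
    return sum(1 for c in chunks if sig in c)


def demo() -> dict:
    """Constructed request split so the signature spans fragment/segment boundaries."""
    payload = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"
    # IP: split at the 8-byte boundary inside "/cgi-bin/phf"; second fragment arrives first.
    frags = [
        IPFragment(ident=0x1234, offset=1, more=False, data=payload[8:]),
        IPFragment(ident=0x1234, offset=0, more=True, data=payload[:8]),
    ]
    datagram = reassemble_ip(frags)
    # TCP: three segments, the middle one delivered last.
    first_seq = 1000
    segs = [
        TCPSegment(first_seq, payload[:6]),          # b"GET /c"
        TCPSegment(first_seq + 12, payload[12:]),    # b"/phf HTTP/1.0..."
        TCPSegment(first_seq + 6, payload[6:12]),    # b"gi-bin"
    ]
    stream = reassemble_tcp(first_seq, segs)
    return {
        "ip_per_fragment_hits": per_packet_hits([f.data for f in frags]),
        "ip_reassembled_hit": datagram is not None and SIGNATURE in datagram,
        "tcp_per_segment_hits": per_packet_hits([s.data for s in segs]),
        "tcp_reassembled_hit": SIGNATURE in stream,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Per-fragment and per-segment matching both report zero hits, while the reassembled datagram and stream each contain the signature. The same reordering trick is why `reassemble_tcp` stops at the first gap rather than skipping over it: matching across a hole would let an attacker control which bytes appear adjacent.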
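Question 1.9 above says stream4 can defeat noise generators such as Stick and Snot. Those tools replay rule contents inside forged packets that belong to no real connection, so a detector that matches every packet statelessly drowns in alerts, while one that only inspects packets belonging to a session whose handshake it saw ignores them; this is the behaviour Snort 1.8's stream4 provides with the -z est (established-sessions-only) switch. The block below is an added model of that difference, not Snort's code: the session tracker, the hosts, ports and payloads are all constructed for the illustration, and a real tracker would additionally handle sequence numbers, timeouts and teardown.

```python
"""Toy model of stateless vs. session-gated matching (constructed example, not Snort's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, PSH, ACK = 0x02, 0x08, 0x10
SIGNATURE = b"/cgi-bin/phf"          # detection string, constructed for the example
Key = Tuple[str, int, str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def session_key(p: Packet) -> Key:
    """Direction-independent key so both halves of a connection share one state entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a


class SessionTracker:
    """Follows the three-way handshake (SYN, SYN/ACK, ACK) per session.

    A packet is 'assured' only if its session reached ESTABLISHED through a
    handshake the tracker observed; a lone ACK/PSH packet for an unknown
    session, which is what Stick/Snot emit, is never assured.
    """

    def __init__(self) -> None:
        self.state: Dict[Key, str] = {}

    def established(self, p: Packet) -> bool:
        key = session_key(p)
        state = self.state.get(key)
        if p.flags & SYN and not p.flags & ACK:
            self.state[key] = "SYN_SENT"
            return False
        if p.flags & SYN and p.flags & ACK and state == "SYN_SENT":
            self.state[key] = "SYN_RECV"
            return False
        if p.flags & ACK and state == "SYN_RECV":
            self.state[key] = "ESTABLISHED"
            return True
        return state == "ESTABLISHED"


def run(packets: List[Packet], assured_only: bool) -> int:
    """Count alerts. assured_only=False matches every packet (stateless);
    assured_only=True matches only packets in established sessions."""
    tracker = SessionTracker()
    alerts = 0
    for p in packets:
        in_session = tracker.established(p)   # always update state, even if not inspecting
        if assured_only and not in_session:
            continue
        if SIGNATURE in p.payload:
            alerts += 1
    return alerts


def demo() -> Dict[str, int]:
    """One genuine attack session buried in 50 forged Stick/Snot-style packets."""
    victim, attacker = "10.0.0.5", "10.0.0.9"
    request = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"
    real = [
        Packet(attacker, 40000, victim, 80, SYN),
        Packet(victim, 80, attacker, 40000, SYN | ACK),
        Packet(attacker, 40000, victim, 80, ACK),
        Packet(attacker, 40000, victim, 80, PSH | ACK, request),
    ]
    # Forged packets: spoofed sources, ACK+PSH set, signature in payload, no handshake.
    forged = [
        Packet(f"192.0.2.{i}", 1024 + i, victim, 80, PSH | ACK, request)
        for i in range(1, 51)
    ]
    traffic = forged[:25] + real + forged[25:]
    return {
        "stateless_alerts": run(traffic, assured_only=False),
        "stateful_alerts": run(traffic, assured_only=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stateless run raises 51 alerts, 50 of them noise; the session-gated run raises exactly one, for the real request. The trade-off is the one the FAQ's 1.9 answer implies: gating on state hides attacks carried in packets whose handshake the sensor never saw (for example a session that began before Snort started, or traffic on an asymmetric path), so the stateless mode is still useful when that risk matters more than the noise.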