% $Id: snort_manual.tex,v 1.89 2007/06/01 13:58:12 ssturges Exp $
%
% BUILDING HTML VERSION:
% latex2html -info 0 -local_icons -show_section_numbers -link +2 -split +2 -noaddress snort_manual.tex
%
% BUILDING PDF VERSION:
% pdflatex snort_manual.tex
\documentclass[english]{report}
%\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{geometry}
\usepackage{longtable}
\geometry{verbose,letterpaper,tmargin=1in,bmargin=.5in,lmargin=1in,rmargin=1in}
\IfFileExists{url.sty}{\usepackage{url}}
                      {\newcommand{\url}{\texttt}}
\usepackage{html}
% \makeatletter
\newcounter{slistnum}
\newcounter{subslistnum}
\newcounter{subsublistnum}
\newenvironment{slist}{ \begin{list}{ {\bf \arabic{slistnum}.} }{\usecounter{slistnum} } }{ \end{list} }
\newenvironment{subslist}{ \begin{list} { {\bf \arabic{slistnum}-\Alph{subslistnum}. } } {\usecounter{subslistnum} } }{ \end{list} }
\newenvironment{subsubslist} { \begin{list}{ {\bf \arabic{slistnum}-\arabic{subslistnum}-\arabic{subsublistnum}. } }{ \usecounter{subsubslistnum} }}{ \end{list}}
%
\begin{latexonly}
\newsavebox{\savepar}
\newenvironment{note}{\samepage
\vspace{10pt}{\textsf{ {\hspace{7pt}\Huge{$\triangle$\hspace{-12.5pt}{\Large{$^!$}}}}\hspace{5pt} {\Large{NOTE}} } }
\begin{center}
\par\vspace{-17pt}
\begin{lrbox}{\savepar}
\begin{minipage}[r]{6in}}{
\end{minipage}
\end{lrbox}
\fbox{ \usebox{ \savepar } }
\par\vskip10pt
\end{center}}
%
\end{latexonly}
\begin{htmlonly}
\newenvironment{note}{
\begin{rawhtml}
<p><table border="1"><tr><td><b> Note: </b>
\end{rawhtml}}{
\begin{rawhtml}
</td></tr></table></p>
\end{rawhtml}}
\end{htmlonly}
\usepackage{babel}
% \makeatother
\addtolength{\parindent}{-5mm}
\addtolength{\parskip}{2mm}
%\renewcommand\floatpagefraction{.9}
%\renewcommand\topfraction{.9}
%\renewcommand\bottomfraction{.9}
%\renewcommand\textfraction{.1}
%\setcounter{totalnumber}{50}
%\setcounter{topnumber}{50}
%\setcounter{bottomnumber}{50}
\begin{document}

\title{Snort\texttrademark Users Manual\\ 2.7.0 }
\author{The Snort Project}
\maketitle
\newpage

Copyright \copyright 1998-2003 Martin Roesch

Copyright \copyright 2001-2003 Chris Green

Copyright \copyright 2003-2006 Sourcefire, Inc.

\tableofcontents{}

\chapter{Snort Overview}

This manual is based on \emph{Writing Snort Rules} by Martin Roesch and further
work from Chris Green $<$cmg@snort.org$>$. It is now maintained by Brian
Caswell $<$bmc@snort.org$>$. If you have a better way to say something or find
that something in the documentation is outdated, drop us a line and we will
update it. If you would like to submit patches for this document, you can find
the latest version of the documentation in \LaTeX\ format in the Snort CVS
repository at \verb!/doc/snort_manual.tex!. Small documentation updates are
the easiest way to help out the Snort Project.

\section{Getting Started}

Snort really isn't very hard to use, but there are a lot of command line
options to play with, and it's not always obvious which ones go together well.
This file aims to make using Snort easier for new users.

Before we proceed, there are a few basic concepts you should understand about
Snort. Snort can be configured to run in three modes:

\begin{itemize}
\item {\em Sniffer mode,} which simply reads the packets off of the network and
displays them for you in a continuous stream on the console (screen).
\item {\em Packet Logger mode,} which logs the packets to disk.
\item {\em Network Intrusion Detection System (NIDS) mode,} the most complex and
configurable configuration, which allows Snort to analyze network traffic for
matches against a user-defined rule set and performs several actions based upon
what it sees.
\item {\em Inline mode,} which obtains packets from iptables instead of from
libpcap and then causes iptables to drop or pass packets based on Snort rules
that use inline-specific rule types.
\end{itemize}

\section{Sniffer Mode}

First, let's start with the basics. If you just want to print out the TCP/IP
packet headers to the screen (i.e. sniffer mode), try this:

\begin{verbatim}
./snort -v
\end{verbatim}

This command will run Snort and just show the IP and TCP/UDP/ICMP headers,
nothing else. If you want to see the application data in transit, try the
following:

\begin{verbatim}
./snort -vd
\end{verbatim}

This instructs Snort to display the packet data as well as the headers. If you
want an even more descriptive display, showing the data link layer headers, do
this:

\begin{verbatim}
./snort -vde
\end{verbatim}

(As an aside, these switches may be divided up or smashed together in any
combination. The last command could also be typed out as:

\begin{verbatim}
./snort -d -v -e
\end{verbatim}

and it would do the same thing.)

\section{Packet Logger Mode}

OK, all of these commands are pretty cool, but if you want to record the
packets to the disk, you need to specify a logging directory and Snort will
automatically know to go into packet logger mode:

\begin{verbatim}
./snort -dev -l ./log
\end{verbatim}

Of course, this assumes you have a directory named \verb!log! in the current
directory. If you don't, Snort will exit with an error message. When Snort runs
in this mode, it collects every packet it sees and places it in a directory
hierarchy based upon the IP address of one of the hosts in the datagram.

If you just specify a plain -l switch, you may notice that Snort sometimes uses
the address of the remote computer as the directory in which it places packets
and sometimes it uses the local host address. In order to log relative to the
home network, you need to tell Snort which network is the home network:

\begin{verbatim}
./snort -dev -l ./log -h 192.168.1.0/24
\end{verbatim}

This command tells Snort that you want to print out the data link and TCP/IP
headers as well as application data into the directory \verb!./log!, and you
want to log the packets relative to the 192.168.1.0 class C network. All
incoming packets will be recorded into subdirectories of the log directory,
with the directory names being based on the address of the remote
(non-192.168.1) host.

\begin{note}
Note that if both the source and destination hosts are on the home network,
they are logged to a directory with a name based on the higher of the two port
numbers or, in the case of a tie, the source address.
\end{note}

If you're on a high speed network or you want to log the packets into a more
compact form for later analysis, you should consider logging in binary mode.
Binary mode logs the packets in tcpdump format to a single binary file in the
logging directory:

\begin{verbatim}
./snort -l ./log -b
\end{verbatim}

Note the command line changes here. We don't need to specify a home network any
longer because binary mode logs everything into a single file, which eliminates
the need to tell it how to format the output directory structure. Additionally,
you don't need to run in verbose mode or specify the -d or -e switches because
in binary mode the entire packet is logged, not just sections of it. All you
really need to do to place Snort into logger mode is to specify a logging
directory at the command line using the -l switch---the -b binary logging
switch merely provides a modifier that tells Snort to log the packets in
something other than the default output format of plain ASCII text.

Once the packets have been logged to the binary file, you can read the packets
back out of the file with any sniffer that supports the tcpdump binary format
(such as tcpdump or Ethereal). Snort can also read the packets back by using
the -r switch, which puts it into playback mode. Packets from any tcpdump
formatted file can be processed through Snort in any of its run modes. For
example, if you wanted to run a binary log file through Snort in sniffer mode
to dump the packets to the screen, you can try something like this:

\begin{verbatim}
./snort -dv -r packet.log
\end{verbatim}

You can manipulate the data in the file in a number of ways through Snort's
packet logging and intrusion detection modes, as well as with the BPF interface
that's available from the command line. For example, if you only wanted to see
the ICMP packets from the log file, simply specify a BPF filter at the command
line and Snort will only see the ICMP packets in the file:

\begin{verbatim}
./snort -dvr packet.log icmp
\end{verbatim}

For more info on how to use the BPF interface, read the Snort and tcpdump man
pages.

\section{Network Intrusion Detection System Mode}

To enable Network Intrusion Detection System (NIDS) mode so that you don't
record every single packet sent down the wire, try this:

\begin{verbatim}
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
\end{verbatim}

where \texttt{snort.conf} is the name of your rules file. This will apply the
rules configured in the \verb!snort.conf! file to each packet to decide if an
action based upon the rule type in the file should be taken. If you don't
specify an output directory for the program, it will default to
\verb!/var/log/snort!.

One thing to note about the last command line is that if Snort is going to be
used in a long term way as an IDS, the -v switch should be left off the command
line for the sake of speed. The screen is a slow place to write data to, and
packets can be dropped while writing to the display. It's also not necessary to
record the data link headers for most applications, so you can usually omit the
-e switch, too.

\begin{verbatim}
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
\end{verbatim}

This will configure Snort to run in its most basic NIDS form, logging packets
that trigger rules specified in the \texttt{snort.conf} in plain ASCII to disk
using a hierarchical directory structure (just like packet logger mode).
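The packet logger section above gives the rule that decides which subdirectory of the -l log directory a packet is filed under when -h names a home network. The following is an added example, not Snort source code: it models that rule so an analyst can predict where a given flow lands in the ASCII log tree before searching for it. The function names, the sample flows, and the handling of the case where neither host is on the home network (the manual does not specify it; this example applies the same port rule) are all assumptions.

```python
"""Predict the ASCII-log subdirectory Snort's packet logger picks for a packet."""
import ipaddress


def log_dir_for(log_root, home_net, src_ip, src_port, dst_ip, dst_port):
    """Return the subdirectory a packet is logged under.

    Rule from the manual: the directory is named after the remote
    (non-home-network) host.  If both hosts are on the home network, the
    host with the higher port number is used; on a tie, the source address.
    Assumption (not stated in the manual): if neither host is on the home
    network, the same port/tie rule is applied.
    """
    net = ipaddress.ip_network(home_net, strict=False)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_home, dst_home = src in net, dst in net

    if src_home and not dst_home:
        chosen = dst          # remote host is the destination
    elif dst_home and not src_home:
        chosen = src          # remote host is the source
    elif dst_port > src_port:
        chosen = dst          # both (or neither) home: higher port wins
    else:
        chosen = src          # source has the higher port, or a tie
    return f"{log_root.rstrip('/')}/{chosen}"


def expected_layout(log_root, home_net, packets):
    """Count how many of the given (src_ip, src_port, dst_ip, dst_port)
    packets would land in each subdirectory."""
    layout = {}
    for src_ip, src_port, dst_ip, dst_port in packets:
        d = log_dir_for(log_root, home_net, src_ip, src_port, dst_ip, dst_port)
        layout[d] = layout.get(d, 0) + 1
    return layout


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [
        ("192.168.1.10", 40000, "10.0.0.5", 80),       # home -> remote
        ("10.0.0.5", 80, "192.168.1.10", 40000),       # remote -> home (reply)
        ("192.168.1.10", 40001, "192.168.1.20", 22),   # both home, src port higher
        ("192.168.1.10", 53, "192.168.1.20", 53),      # both home, tie -> source
    ]
    for d, n in sorted(expected_layout("./log", "192.168.1.0/24", sample).items()):
        print(f"{d}: {n} packet(s)")
```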