Pick a Free OS

Intrusion Detection System Part 3: Snort

-n <cnt>    Exit after receiving <cnt> packets
-N          Turn off logging (alerts still work)
-o          Change the rule testing order to Pass|Alert|Log
-O          Obfuscate the logged IP addresses
-p          Disable promiscuous mode sniffing
-P <snap>   Set explicit snaplen of packet (default: 1514)
-q          Quiet. Don't show banner and status report
-r <tf>     Read and process tcpdump file <tf>
-s          Log alert messages to syslog
-S <n=v>    Set rules file variable n equal to value v
-t <dir>    Chroots process to <dir> after initialization
-u <uname>  Run snort uid as <uname> user (or uid) after initialization
-v          Be verbose
-V          Show version number
-?          Show this information

<Filter Options> are standard BPF options, as seen in TCPDump

Let's check out the next command, in which we set Snort to display the sniffed and analyzed packets verbosely. The '-v' switch makes Snort print a verbose description of each packet to stdout. The '-d' switch dumps the decoded application-layer data, and '-e' shows the decoded Ethernet headers. The '-i' switch specifies the interface to be monitored for packet analysis. The '-h' switch sets the home network, i.e. the address range Snort treats as internal when deciding which class of network packets has to be captured. For example, the command given below captures all the packets belonging to the class C internal IPs of the form 192.168.1.*.

freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24

If we wanted to generate alerts, the '-A' switch is of importance to us.

-A - Alert using the specified alert mode. Valid alert modes are 'fast', 'full', 'none', and 'unsock'. 'fast' writes alerts to the default 'alert' file as single-line, syslog-style alert messages. 'full' writes the alert to the 'alert' file with the full decoded header as well as the alert message. The command then changes to the following.

freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24 -A fast

If you wanted to send alert messages to the syslog daemon instead, you could use the '-s' switch.

-s - Send alert messages to syslog. On Linux boxes they will appear in /var/log/secure, or in /var/log/messages on many other platforms.
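As an added example (not code from this article or from the Snort project), here is a small Python parser for the single-line alerts that '-A fast' writes, which tallies them against the home network given with '-h'. The line layout it expects is assumed from the fast alert format (timestamp, [gid:sid:rev], message, optional classification and priority, protocol, source -> destination), and the sample alerts are constructed, not real captures.

```python
import re
import ipaddress
from collections import Counter

# Regex for one Snort 'fast' alert line: timestamp, [gid:sid:rev], message,
# optional classification/priority, protocol, and src -> dst (ports absent for ICMP).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines, home_net):
    """Count alerts per signature, tagged by whether the source lies inside home_net
    (the range given to snort -h); lines that are not alerts are skipped."""
    net = ipaddress.ip_network(home_net)
    counts = Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            continue
        side = "internal" if ipaddress.ip_address(rec["src"]) in net else "external"
        counts[(rec["sid"], rec["msg"], side)] += 1
    return counts

# Constructed sample alerts (not real captures) laid out as snort -A fast emits them.
SAMPLE_ALERTS = [
    "03/12-10:15:01.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 192.168.1.20",
    "03/12-10:15:02.654321  [**] [1:1000001:1] LOCAL suspicious web request [**] [Priority: 3] {TCP} 192.168.1.5:40213 -> 10.0.0.1:80",
    "03/12-10:15:03.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.8 -> 192.168.1.21",
    "this line is not an alert and is skipped",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_ALERTS, "192.168.1.0/24").items()):
        print(n, key)
```

Feed it the 'alert' file line by line to get a quick per-signature count split into alerts sourced from inside and outside the home network.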