Next:
1. Snort Overview
Up:
Snort
TM
Users Manual 2.3.3
Previous:
Snort
TM
Users Manual 2.3.3
Contents
1. Snort Overview
1.1 Getting Started
1.2 Sniffer Mode
1.3 Packet Logger Mode
1.4 Network Intrusion Detection Mode
1.4.1 NIDS Mode Output Options
1.4.2 Understanding Standard Alert Output
1.4.3 High Performance Configuration
1.4.4 Changing Alert Order
1.5 Inline Mode
1.5.1 Snort Inline Rule Application Order
1.5.2 New STREAM4 Options for Use with Snort Inline
1.5.3 Replacing Packets with Snort Inline
1.5.4 Installing Snort Inline
1.5.5 Running Snort Inline
1.5.6 Using the Honeynet Snort Inline Toolkit
1.5.7 Troubleshooting Snort Inline
1.6 Miscellaneous
1.7 More Information
2. Configuring Snort
2.0.1 Includes
2.0.2 Variables
2.0.3 Config
2.1 Preprocessors
2.1.1 Portscan Detector
2.1.2 Portscan Ignorehosts
2.1.3 sfPortscan
2.1.4 Frag2
2.1.5 Stream4
2.1.6 Flow
2.1.7 Flow-Portscan
2.1.8 Telnet Decode
2.1.9 RPC Decode
2.1.10 Performance Monitor
2.1.11 HTTP Inspect
2.1.12 ASN.1 Detection
2.1.13 X-Link2State Mini-Preprocessor
2.2 Event Thresholding
2.2.1 Standalone Options
2.2.2 Standalone Format
2.2.3 Rule Keyword Format
2.2.4 Rule Keyword Format
2.2.5 Examples
2.3 Event Suppression
2.3.1 Format
2.3.2 Examples
2.4 Snort Multi-Event Logging (Event Queue)
2.4.1 Event Queue Configuration Options
2.4.2 Event Queue Configuration Examples
2.5 Output Modules
2.5.1 alert_syslog
2.5.2 alert_fast
2.5.3 alert_full
2.5.4 alert_unixsock
2.5.5 log_tcpdump
2.5.6 database
2.5.7 csv
2.5.8 unified
2.5.9 log null
3. Writing Snort Rules How to Write Snort Rules and Keep Your Sanity
3.1 The Basics
3.2 Rules Headers
3.2.1 Rule Actions
3.2.2 Protocols
3.2.3 IP Addresses
3.2.4 Port Numbers
3.2.5 The Direction Operator
3.2.6 Activate/Dynamic Rules
3.3 Rule Options
3.4 Meta-Data Rule Options
3.4.1 msg
3.4.2 reference
3.4.3 sid
3.4.4 rev
3.4.5 classtype
3.4.6 Priority
3.5 Payload Detection Rule Options
3.5.1 content
3.5.2 nocase
3.5.3 rawbytes
3.5.4 depth
3.5.5 offset
3.5.6 distance
3.5.7 within
3.5.8 uricontent
3.5.9 isdataat
3.5.10 pcre
3.5.11 byte_test
3.5.12 byte_jump
3.5.13 regex
3.5.14 content-list
3.6 Non-payload Detection Rule Options
3.6.1 fragoffset
3.6.2 ttl
3.6.3 tos
3.6.4 id
3.6.5 ipopts
3.6.6 fragbits
3.6.7 dsize
3.6.8 flags
3.6.9 flow
3.6.10 flowbits
3.6.11 seq
3.6.12 ack
3.6.13 window
3.6.14 itype
3.6.15 icode
3.6.16 icmp_id
3.6.17 icmp_seq
3.6.18 rpc
3.6.19 ip_proto
3.6.20 sameip
3.7 Post-Detection Rule Options
3.7.1 logto
3.7.2 session
3.7.3 resp
3.7.4 React
3.7.5 tag
3.8 Writing Good Rules
3.8.1 Content Matching
3.8.2 Catch the Vulnerability, Not the Exploit
3.8.3 Catch the Oddities of the Protocol in the Rule
3.8.4 Optimizing Rules
3.8.5 testing numerical values
4. Making Snort Faster
4.1 MMAPed pcap
5. Snort Development
5.1 Submitting Patches
5.2 Snort dataflow
5.2.1 Preprocessors
5.2.2 Detection Plugins
5.2.3 Output Plugins
5.3 The Snort Team
Bibliography