To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this:
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
where snort.conf is the name of your rules file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort.
One thing to note about the last command line is that if Snort is going to be used long-term as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display.
It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too.
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode).
There are a number of ways to configure the output of Snort in NIDS mode. The default logging and alerting mechanisms are to log in decoded ASCII format and use full alerts. The full alert mechanism prints out the alert message in addition to the full packet headers. There are several other alert output modes available at the command line, as well as two logging facilities.
Alert modes are somewhat more complex. There are seven alert modes available at the command line: full, fast, socket, syslog, console, cmg, and none. Six of these modes are accessed with the -A command line switch. These options are:
| Option     | Description |
| -A fast    | Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, and source and destination IPs/ports. |
| -A full    | Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode. |
| -A unsock  | Sends alerts to a UNIX socket that another program can listen on. |
| -A none    | Turns off alerting. |
| -A console | Sends "fast-style" alerts to the console (screen). |
| -A cmg     | Generates "cmg style" alerts. |
Packets can be logged to their default decoded ASCII format or to a binary log file via the -b command line switch. To disable packet logging altogether, use the -N command line switch.
For output modes available through the configuration file, see Section .
NOTE: To send alerts to syslog, use the -s switch. The default facilities for the syslog alerting mechanism are LOG_AUTHPRIV and LOG_ALERT. If you want to configure other facilities for syslog output, use the output plugin directives in the rules files. See Section for more details on configuring syslog output.
For example, use the following command line to log to default (decoded ASCII) facility and send alerts to syslog:
./snort -c snort.conf -l ./log -h 192.168.1.0/24 -s
As another example, use the following command line to log to the default facility in /var/log/snort and send alerts to a fast alert file:
./snort -c snort.conf -A fast -h 192.168.1.0/24
When Snort generates an alert message, it will usually look like the following:
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
The first number is the Generator ID; it tells the user which component of Snort generated this alert. For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the "decode" (116) component of Snort.
The second number is the Snort ID (sometimes referred to as the Signature ID). For a list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the "sid" option. In this case, "56" represents a T/TCP event.
The third number is the revision ID. This number is primarily used when writing signatures, as each revision of the rule should increment this number with the "rev" option.
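The GID:SID:REV triple described above is what a log consumer keys on when triaging or counting alerts. The following parser is an added example written for this page, not code from the Snort project; it reads the full-mode alert header exactly as shown above and, as an assumption, treats GID 1 as "rule-generated" and any other GID as "preprocessor/decoder-generated", matching the manual's description of where SIDs are defined. The second sample line (GID 1, SID 1000001) is constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# The header Snort prints in full-alert mode, e.g.
#   [**] [116:56:1] (snort_decoder): T/TCP Detected [**]
# The "(component):" prefix only appears on preprocessor/decoder alerts,
# so it is optional here.
ALERT_HEADER = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*"
    r"(?:\((?P<component>[^)]*)\):\s*)?(?P<msg>.*?)\s*\[\*\*\]"
)


@dataclass
class SnortAlert:
    gid: int                  # Generator ID: which Snort component fired
    sid: int                  # Snort/Signature ID within that generator
    rev: int                  # revision of the rule/signature
    component: Optional[str]  # e.g. "snort_decoder"; None for rule alerts
    msg: str                  # human-readable alert message

    @property
    def origin(self) -> str:
        # Assumption: GID 1 is the rules engine (SID set by the "sid" option);
        # other GIDs are preprocessors/decoder listed in etc/gen-msg.map.
        return "rule" if self.gid == 1 else "preprocessor"

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}:{self.rev}"


def parse_alert_header(line: str) -> Optional[SnortAlert]:
    """Parse one full-mode alert header; return None if the line is not one."""
    m = ALERT_HEADER.search(line)
    if not m:
        return None
    return SnortAlert(
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        rev=int(m["rev"]),
        component=m["component"],
        msg=m["msg"],
    )


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count alerts per GID:SID:REV, skipping lines that are not alert headers."""
    counts: Counter = Counter()
    for line in lines:
        alert = parse_alert_header(line)
        if alert is not None:
            counts[alert.key] += 1
    return dict(counts)


# Constructed sample: the decoder alert from the text plus a hypothetical
# rule alert (GID 1, SID 1000001) and a non-alert line that must be ignored.
SAMPLE_LINES = [
    "[**] [116:56:1] (snort_decoder): T/TCP Detected [**]",
    "[**] [1:1000001:2] LOCAL example rule hit [**]",
    "[**] [116:56:1] (snort_decoder): T/TCP Detected [**]",
    "some unrelated line from the alert file",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_alert_header(line))
    print(summarize(SAMPLE_LINES))
```

Running the block prints each parsed header and a count per key; the decoder alert appears twice, the constructed rule alert once, and the unrelated line is dropped.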
If you want Snort to keep up with high packet rates (for example, a 1000 Mbps connection), you need to use unified logging and a unified log reader such as barnyard. This allows Snort to log alerts in a binary form as fast as possible while another program performs the slow actions, such as writing to a database.
If you want a text file that's easily parsable, but still somewhat fast, try using binary logging with the "fast" output mechanism.
This will log packets in tcpdump format and produce minimal alerts. For example:
./snort -b -A fast -c snort.conf
The default way in which Snort applies its rules to packets may not be appropriate for all installations. The Alert rules are applied first, then the Pass rules, and finally, Log rules are applied. This sequence is somewhat counterintuitive, but it's a more foolproof method than allowing a user to write a hundred alert rules that are then disabled by an errant pass rule. For more information on rule types, see Section .
If you know what you're doing, you can use the -o switch to change the default rule application behavior to apply Pass rules, then Alert rules, then Log rules:
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf -o
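The practical consequence of -o is easiest to see on concrete rules. The following is an added example, not Snort's detection engine: it models the ordering described above with a simplified "first matching rule in type order wins" evaluation, and the three rules and two packets are constructed for illustration. The silenced_by_pass_first() check is the kind of review a defender would run over a ruleset before enabling -o, since it lists every alert that an over-broad pass rule would swallow under the pass-first order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

Packet = Dict[str, object]  # constructed shape: {"src": str, "dst": str, "dport": int}


@dataclass
class Rule:
    rtype: str                         # "alert", "pass" or "log"
    msg: str
    match: Callable[[Packet], bool]    # predicate standing in for the rule header/options


DEFAULT_ORDER: Sequence[str] = ("alert", "pass", "log")     # Snort's default
PASS_FIRST_ORDER: Sequence[str] = ("pass", "alert", "log")  # what -o selects


def apply_rules(rules: Sequence[Rule], packet: Packet,
                order: Sequence[str] = DEFAULT_ORDER) -> Tuple[str, object]:
    """Simplified model: walk rule types in `order`; the first matching rule
    decides the action for the packet. Under the default order an alert fires
    before any pass rule is consulted; under -o a matching pass rule wins and
    the alert never fires."""
    for rtype in order:
        for rule in rules:
            if rule.rtype == rtype and rule.match(packet):
                return (rtype, rule.msg)
    return ("none", None)


def silenced_by_pass_first(rules: Sequence[Rule],
                           packets: Sequence[Packet]) -> List[Tuple[Packet, str, str]]:
    """Alerts that fire under the default order but are swallowed under -o.
    Each entry is (packet, alert message lost, pass rule responsible)."""
    lost = []
    for pkt in packets:
        default_action, default_msg = apply_rules(rules, pkt, DEFAULT_ORDER)
        o_action, o_msg = apply_rules(rules, pkt, PASS_FIRST_ORDER)
        if default_action == "alert" and o_action == "pass":
            lost.append((pkt, default_msg, o_msg))
    return lost


def _src_in(net: str) -> Callable[[Packet], bool]:
    network = ipaddress.ip_network(net)
    return lambda p: ipaddress.ip_address(str(p["src"])) in network


# Constructed ruleset: one alert, one over-broad ("errant") pass rule, one log rule.
RULES = [
    Rule("alert", "SSH to internal host", lambda p: p["dport"] == 22),
    Rule("pass", "trust everything from 10.0.0.0/8", _src_in("10.0.0.0/8")),
    Rule("log", "log everything else", lambda p: True),
]

# Constructed traffic: an SSH connection from the "trusted" range, and web traffic.
PACKETS: List[Packet] = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 22},
    {"src": "203.0.113.7", "dst": "192.168.1.10", "dport": 80},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "default:", apply_rules(RULES, pkt),
              " -o:", apply_rules(RULES, pkt, PASS_FIRST_ORDER))
    print("alerts lost with -o:", silenced_by_pass_first(RULES, PACKETS))
```

With the default order the SSH packet from 10.0.0.5 produces the alert; with -o the pass rule is consulted first and the same packet passes silently, which is exactly the failure mode the default ordering guards against. The web packet is logged either way.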