Snort modes

From Notes_Wiki


Snort can be used in three different modes:

  • Sniffing (-v): snort only sniffs packets and displays the relevant header information on screen.
  • Logging (-l): snort writes the packets to log files, which we can analyse later. The '-b' option logs in binary (libpcap) format, which can also be read by wireshark, tcpdump, etc.
  • Network Intrusion Detection System (NIDS) (-c {snort_configuration_file}): snort inspects packets against a set of rules and takes the action specified by each matching rule.

More than one mode can be combined in a single run, for example logging together with NIDS.


Sniffing

We can use snort in sniffer mode with the command:

snort -v

This displays the IP and TCP/UDP/ICMP headers.

If we also want to see the application data along with the headers, we can use the '-d' option:

snort -v -d    (OR snort -vd)

If we also want to see the link-layer headers, we can use the '-e' option:

snort -vde


Logging packets

We can log packets captured by snort using the '-l' switch. Logging in binary (libpcap) format lets us read the captured packets later with tcpdump, wireshark or snort itself.

snort -l log -b

Here:

  • '-b' specifies that logs should be written in binary (libpcap) format. It is not needed if we want the logs in snort's own format, which snort can read later.
  • 'log' is the name of the log directory. It must be created before running the command.


Reading pcap files

To make snort process libpcap files instead of capturing live traffic, we can use the '-r' switch.

snort -vde -r log/<log_file_name>

Here:

  • '-vde' prints the headers on screen; these options are not mandatory when reading packets from a file.
  • The log file can be in pcap format or in snort's own binary format.


Specifying filters

We can specify packet filters for snort in the same (BPF) syntax used by wireshark or tcpdump; the filter is appended after the other options. For example we can use

snort -l log -b arp

to make snort log only ARP packets. We can also use

snort -l log -b 'udp and port 53'

to make snort log only DNS queries/responses.

Here:

  • '-b' is required only if the log files should be in pcap format; without it, snort writes its own format, which only snort can read.
  • 'log' is the directory where the logs will be stored; we must create it before running the command.


Intrusion detection

We can run snort in intrusion detection mode using:

snort -c /etc/snort/snort.conf
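The four modes above collected into one small wrapper, as an added example that is not part of the original page: the function name snort_mode, the mode keywords and the SNORT_BIN / SNORT_DRY_RUN variables are my own; the snort flags are the ones shown on this page.

```shell
#!/bin/sh
# Added example: wrapper around the snort modes described on this page.
# Assumed names (not from the page): snort_mode, SNORT_BIN, SNORT_DRY_RUN.
SNORT_BIN="${SNORT_BIN:-snort}"

# Usage:
#   snort_mode sniff                  -> snort -vde
#   snort_mode log  DIR [BPF filter]  -> snort -l DIR -b [filter]
#   snort_mode read FILE              -> snort -vde -r FILE
#   snort_mode ids  CONF              -> snort -c CONF
# With SNORT_DRY_RUN=1 the command line is printed instead of executed,
# so the wrapper can be checked on a machine without snort installed.
snort_mode() {
    mode="$1"; shift
    case "$mode" in
        sniff)
            set -- -vde ;;
        log)
            dir="$1"; shift
            # snort exits with an error if the log directory does not exist,
            # so create it up front (the page says to create it beforehand).
            [ -d "$dir" ] || mkdir -p "$dir" || return 1
            # -b writes libpcap format; any BPF filter follows the options.
            set -- -l "$dir" -b "$@" ;;
        read)
            [ -f "$1" ] || { echo "no such capture file: $1" >&2; return 1; }
            set -- -vde -r "$1" ;;
        ids)
            [ -f "$1" ] || { echo "no such config file: $1" >&2; return 1; }
            set -- -c "$1" ;;
        *)
            echo "unknown mode: $mode (sniff|log|read|ids)" >&2; return 2 ;;
    esac
    if [ "${SNORT_DRY_RUN:-0}" = 1 ]; then
        printf '%s' "$SNORT_BIN"; printf ' %s' "$@"; printf '\n'
    else
        "$SNORT_BIN" "$@"
    fi
}
```

Running `snort_mode log /var/log/snort 'udp and port 53'` on a host with snort installed creates the directory if needed and starts the DNS-only capture from the page.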
