SNORT Users Manual 2.9.16
Contents
1. Snort Overview
1.1 Getting Started
1.2 Sniffer Mode
1.3 Packet Logger Mode
1.4 Network Intrusion Detection System Mode
1.4.1 NIDS Mode Output Options
1.4.2 Understanding Standard Alert Output
1.4.3 High Performance Configuration
1.4.4 Changing Alert Order
1.5 Packet Acquisition
1.5.1 Configuration
1.5.2 pcap
1.5.3 AFPACKET
1.5.4 NFQ
1.5.5 IPQ
1.5.6 IPFW
1.5.7 Dump
1.5.8 Statistics Changes
1.6 Reading pcap files
1.6.1 Command line arguments
1.6.2 Examples
1.7 Basic Output
1.7.1 Timing Statistics
1.7.2 Packet I/O Totals
1.7.3 Protocol Statistics
1.7.4 Snort Memory Statistics
1.7.5 Actions, Limits, and Verdicts
1.8 Tunneling Protocol Support
1.8.1 Multiple Encapsulations
1.8.2 Logging
1.9 Miscellaneous
1.9.1 Running Snort as a Daemon
1.9.2 Running in Rule Stub Creation Mode
1.9.3 Obfuscating IP Address Printouts
1.9.4 Specifying Multiple-Instance Identifiers
1.9.5 Snort Modes
1.10 Control socket
1.11 Configure signal value
1.12 More Information
2. Configuring Snort
2.1 Includes
2.1.1 Format
2.1.2 Variables
2.1.3 Config
2.2 Preprocessors
2.2.1 Frag3
2.2.2 Session
2.2.3 Stream
2.2.4 sfPortscan
2.2.5 RPC Decode
2.2.6 Performance Monitor
2.2.7 HTTP Inspect
2.2.8 SMTP Preprocessor
2.2.9 POP Preprocessor
2.2.10 IMAP Preprocessor
2.2.11 FTP/Telnet Preprocessor
2.2.12 SSH
2.2.13 DNS
2.2.14 SSL/TLS
2.2.15 ARP Spoof Preprocessor
2.2.16 DCE/RPC 2 Preprocessor
2.2.17 Sensitive Data Preprocessor
2.2.18 Normalizer
2.2.19 SIP Preprocessor
2.2.20 Reputation Preprocessor
2.2.21 GTP Decoder and Preprocessor
2.2.22 Modbus Preprocessor
2.2.23 DNP3 Preprocessor
2.2.24 AppId Preprocessor
2.3 Decoder and Preprocessor Rules
2.3.1 Configuring
2.3.2 Reverting to original behavior
2.4 Event Processing
2.4.1 Rate Filtering
2.4.2 Event Filtering
2.4.3 Event Suppression
2.4.4 Event Logging
2.4.5 Event Trace
2.5 Performance Profiling
2.5.1 Rule Profiling
2.5.2 Preprocessor Profiling
2.5.3 Packet Performance Monitoring (PPM)
2.6 Output Modules
2.6.1 alert_syslog
2.6.2 alert_fast
2.6.3 alert_full
2.6.4 alert_unixsock
2.6.5 log_tcpdump
2.6.6 csv
2.6.7 unified2
2.6.8 log_null
2.6.9 Log Limits
2.7 Host Attribute Table
2.7.1 Rule evaluation
2.7.2 Snort Configuration
2.7.3 Host Attribute Table File Format
2.7.4 Attribute Table Example
2.7.5 Attribute Table Effect on Preprocessors
2.8 Dynamic Modules
2.8.1 Format
2.8.2 Directives
2.9 Reloading a Snort Configuration
2.9.1 Enabling support
2.9.2 Reloading a configuration
2.9.3 Non-reloadable configuration options
2.10 Multiple Configurations
2.10.1 Creating Multiple Configurations
2.10.2 Configuration Specific Elements
2.10.3 How Configuration is Applied
2.11 Active Response
2.11.1 Enabling Active Response
2.11.2 Configure Sniping
2.11.3 Flexresp
2.11.4 React
2.11.5 Rule Actions
3. Writing Snort Rules
3.1 The Basics
3.2 Rule Headers
3.2.1 Rule Actions
3.2.2 Protocols
3.2.3 IP Addresses
3.2.4 Port Numbers
3.2.5 The Direction Operator
3.2.6 Activate/Dynamic Rules
3.3 Rule Options
3.4 General Rule Options
3.4.1 msg
3.4.2 reference
3.4.3 gid
3.4.4 sid
3.4.5 rev
3.4.6 classtype
3.4.7 priority
3.4.8 metadata
3.4.9 General Rule Quick Reference
3.5 Payload Detection Rule Options
3.5.1 content
3.5.2 protected_content
3.5.3 hash
3.5.4 length
3.5.5 nocase
3.5.6 rawbytes
3.5.7 depth
3.5.8 offset
3.5.9 distance
3.5.10 within
3.5.11 http_client_body
3.5.12 http_cookie
3.5.13 http_raw_cookie
3.5.14 http_header
3.5.15 http_raw_header
3.5.16 http_method
3.5.17 http_uri
3.5.18 http_raw_uri
3.5.19 http_stat_code
3.5.20 http_stat_msg
3.5.21 http_encode
3.5.22 fast_pattern
3.5.23 uricontent
3.5.24 urilen
3.5.25 isdataat
3.5.26 pcre
3.5.27 pkt_data
3.5.28 file_data
3.5.29 base64_decode
3.5.30 base64_data
3.5.31 byte_test
3.5.32 byte_jump
3.5.33 byte_extract
3.5.34 byte_math
3.5.35 ftpbounce
3.5.36 asn1
3.5.37 cvs
3.5.38 dce_iface
3.5.39 dce_opnum
3.5.40 dce_stub_data
3.5.41 sip_method
3.5.42 sip_stat_code
3.5.43 sip_header
3.5.44 sip_body
3.5.45 gtp_type
3.5.46 gtp_info
3.5.47 gtp_version
3.5.48 ssl_version
3.5.49 ssl_state
3.5.50 Payload Detection Quick Reference
3.6 Non-Payload Detection Rule Options
3.6.1 fragoffset
3.6.2 ttl
3.6.3 tos
3.6.4 id
3.6.5 ipopts
3.6.6 fragbits
3.6.7 dsize
3.6.8 flags
3.6.9 flow
3.6.10 flowbits
3.6.11 seq
3.6.12 ack
3.6.13 window
3.6.14 itype
3.6.15 icode
3.6.16 icmp_id
3.6.17 icmp_seq
3.6.18 rpc
3.6.19 ip_proto
3.6.20 sameip
3.6.21 stream_reassemble
3.6.22 stream_size
3.6.23 Non-Payload Detection Quick Reference
3.7 Post-Detection Rule Options
3.7.1 logto
3.7.2 session
3.7.3 resp
3.7.4 react
3.7.5 tag
3.7.6 replace
3.7.7 detection_filter
3.7.8 Post-Detection Quick Reference
3.8 Rule Thresholds
3.9 Writing Good Rules
3.9.1 Content Matching
3.9.2 Catch the Vulnerability, Not the Exploit
3.9.3 Catch the Oddities of the Protocol in the Rule
3.9.4 Optimizing Rules
3.9.5 Testing Numerical Values
4. Dynamic Modules
4.1 Data Structures
4.1.1 DynamicPluginMeta
4.1.2 DynamicPreprocessorData
4.1.3 DynamicEngineData
4.1.4 SFSnortPacket
4.1.5 Dynamic Rules
4.2 Required Functions
4.2.1 Preprocessors
4.2.2 Detection Engine
4.2.3 Rules
4.3 Examples
4.3.1 Preprocessor Example
4.3.2 Rules
5. Snort Development
5.1 Submitting Patches
5.2 Snort Data Flow
5.2.1 Preprocessors
5.2.2 Detection Plugins
5.2.3 Output Plugins
5.3 Unified2 File Format
5.3.1 Serial Unified2 Header
5.3.2 Unified2 Packet
5.3.3 Unified2 IDS Event
5.3.4 Unified2 IDS Event IP6
5.3.5 Unified2 IDS Event (Version 2)
5.3.6 Unified2 IDS Event IP6 (Version 2)
5.3.7 Unified2 Extra Data
5.3.8 Description of Fields
5.4 Buffer dump utility
5.4.1 Example Buffer Dump output
5.5 The Snort Team
Bibliography