1.9 Miscellaneous

1.9.1 Running Snort as a Daemon

If you want to run Snort as a daemon, you can the add -D switch to any combination described in the previous sections. Please notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, you must specify the full path to the Snort binary when you start it, for example:

    /usr/local/bin/snort -d -h \
        -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

Relative paths are not supported due to security concerns. Snort PID File

When Snort is run as a daemon , the daemon creates a PID file in the log directory. In Snort 2.6, the -pid-path command line switch causes Snort to write the PID file in the directory specified.

Additionally, the -create-pidfile switch can be used to force creation of a PID file even when not running in daemon mode.

The PID file will be locked so that other snort processes cannot start. Use the -nolock-pidfile switch to not lock the PID file.

If you do not wish to include the name of the interface in the PID file, use the -no-interface-pidfile switch.

1.9.2 Running in Rule Stub Creation Mode

If you need to dump the shared object rules stub to a directory, you must use the -dump-dynamic-rules command line option. These rule stub files are used in conjunction with the shared object rules. The path can be relative or absolute.

    /usr/local/bin/snort -c /usr/local/etc/snort.conf \

This path can also be configured in the snort.conf using the config option dump-dynamic-rules-path as follows:

    config dump-dynamic-rules-path: /tmp/sorules

The path configured by command line has precedence over the one configured using dump-dynamic-rules-path.

    /usr/local/bin/snort -c /usr/local/etc/snort.conf \

    config dump-dynamic-rules-path: /tmp/sorules

In the above mentioned scenario the dump path is set to /tmp/sorules.

1.9.3 Obfuscating IP Address Printouts

If you need to post packet logs to public mailing lists, you might want to use the -O switch. This switch obfuscates your IP addresses in packet printouts. This is handy if you don't want people on the mailing list to know the IP addresses involved. You can also combine the -O switch with the -h switch to only obfuscate the IP addresses of hosts on the home network. This is useful if you don't care who sees the address of the attacking host. For example, you could use the following command to read the packets from a log file and dump them to the screen, obfuscating only the addresses from the class C network:

    ./snort -d -v -r snort.log -O -h

1.9.4 Specifying Multiple-Instance Identifiers

In Snort v2.4, the -G command line option was added that specifies an instance identifier for the event logs. This option can be used when running multiple instances of snort, either on different CPUs, or on the same CPU but a different interface. Each Snort instance will use the value specified to generate unique event IDs. Users can specify either a decimal value (-G 1) or hex value preceded by 0x (-G 0x11). This is also supported via a long option -logid.

1.9.5 Snort Modes

Snort can operate in three different modes namely tap (passive), inline, and inline-test. Snort policies can be configured in these three modes too. Explanation of Modes

Behavior of different modes with rule options

Rule Option Inline Mode Passive Mode Inline-Test Mode
reject Drop + Response Alert + Response Wdrop + Response
react Blocks and send notice Blocks and send notice Blocks and send notice
normalize Normalizes packet Doesn't normalize Doesn't normalize
replace replace content Doesn't replace Doesn't replace
respond close session close session close session

Behavior of different modes with rules actions

Adapter Mode Snort args config policy_mode Drop Rule Handling
Passive -treat-drop-as-alert tap Alert
Passive no args tap Not Loaded
Passive -treat-drop-as-alert inline_test Alert
Passive no args inline_test Would Drop
Passive -treat-drop-as-alert inline Alert
Passive no args inline Not loaded + warning
Inline Test -enable-inline-test -treat-drop-as-alert tap Alert
Inline Test -enable-inline-test tap Would Drop
Inline Test -enable-inline-test -treat-drop-as-alert inline_test Alert
Inline Test -enable-inline-test inline_test Would Drop
Inline Test -enable-inline-test -treat-drop-as-alert inline Alert
Inline Test -enable-inline-test inline Would Drop
Inline -Q -treat-drop-as-alert tap Alert
Inline -Q tap Alert
Inline -Q -treat-drop-as-alert inline_test Alert
Inline -Q inline_test Would Drop
Inline -Q -treat-drop-as-alert inline Alert
Inline -Q inline Drop