If you want to run Snort as a daemon, you can add the -D switch to any combination described in the previous sections. Please notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, you must specify the full path to the Snort binary when you start it, for example:

    /usr/local/bin/snort -d -h 192.168.1.0/24 \
        -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D
Relative paths are not supported due to security concerns.
When Snort is run as a daemon, the daemon creates a PID file in the log directory. In Snort 2.6, the --pid-path command line switch causes Snort to write the PID file in the directory specified.
Additionally, the --create-pidfile switch can be used to force creation of a PID file even when not running in daemon mode.
The PID file will be locked so that other Snort processes cannot start. Use the --nolock-pidfile switch to leave the PID file unlocked.
If you do not wish to include the name of the interface in the PID file name, use the --no-interface-pidfile switch.
If you need to dump the shared object rule stubs to a directory, you must use the --dump-dynamic-rules command line option. These rule stub files are used in conjunction with the shared object rules. The path can be relative or absolute.

    /usr/local/bin/snort -c /usr/local/etc/snort.conf \
        --dump-dynamic-rules=/tmp
This path can also be configured in the snort.conf using the config option dump-dynamic-rules-path as follows:
config dump-dynamic-rules-path: /tmp/sorules
The path configured by command line has precedence over the one configured using dump-dynamic-rules-path.
    /usr/local/bin/snort -c /usr/local/etc/snort.conf \
        --dump-dynamic-rules

    snort.conf:
    config dump-dynamic-rules-path: /tmp/sorules

In the scenario above, the command line gives no path, so the dump path is taken from snort.conf and set to /tmp/sorules.
If you need to post packet logs to public mailing lists, you might want to use the -O switch. This switch obfuscates your IP addresses in packet printouts. This is handy if you don't want people on the mailing list to know the IP addresses involved. You can also combine the -O switch with the -h switch to obfuscate only the IP addresses of hosts on the home network. This is useful if you don't care who sees the address of the attacking host. For example, you could use the following command to read the packets from a log file and dump them to the screen, obfuscating only the addresses from the 192.168.1.0/24 class C network:

    ./snort -d -v -r snort.log -O -h 192.168.1.0/24
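As an added illustration of what -O combined with -h does (this is not code from the Snort manual or the Snort code base), the function below rewrites only the addresses that fall inside the home network in a constructed, Snort-style printout, and masks every address when no home network is given. The xxx.xxx.xxx.xxx placeholder form is an assumption about Snort's output, not something the manual states.

```python
import ipaddress
import re

# Constructed sample in the style of a Snort packet printout (not real capture data).
SAMPLE_PRINTOUT = """\
03/14-10:22:01.123456 192.168.1.15:49152 -> 203.0.113.7:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
03/14-10:22:01.223456 203.0.113.7:80 -> 192.168.1.15:49152
TCP TTL:51 TOS:0x0 ID:54321 IpLen:20 DgmLen:60 DF
"""

# Candidate IPv4 literals; ipaddress.ip_address() below rejects false positives.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed placeholder for a masked address; Snort's own marker may differ.
MASK = "xxx.xxx.xxx.xxx"


def obfuscate(text, home_net=None):
    """Mask IPv4 addresses in a printout the way -O (all addresses) or
    -O -h <net> (home-network addresses only) is described to do."""
    net = ipaddress.ip_network(home_net) if home_net else None

    def replace(match):
        literal = match.group(0)
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            # Something like 999.1.1.1 is not an address; leave it untouched.
            return literal
        if net is None or addr in net:
            return MASK
        return literal

    return IPV4_RE.sub(replace, text)


if __name__ == "__main__":
    print(obfuscate(SAMPLE_PRINTOUT, "192.168.1.0/24"))
```

With the home network given, the two 192.168.1.15 occurrences are masked while the external 203.0.113.7 peer stays visible; without it, all four addresses are masked.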
In Snort v2.4, the -G command line option was added to specify an instance identifier for the event logs. This option can be used when running multiple instances of Snort, either on different CPUs, or on the same CPU but on different interfaces. Each Snort instance uses the value specified to generate unique event IDs. Users can specify either a decimal value (-G 1) or a hex value preceded by 0x (-G 0x11). This is also supported via the long option --logid.
Snort can operate in three different modes namely tap (passive), inline, and inline-test. Snort policies can be configured in these three modes too.
When Snort is in Inline mode, it acts as an IPS, allowing drop rules to trigger. Snort can be configured to run in inline mode using the command line argument -Q and the snort config option policy_mode as follows:

    snort -Q
    config policy_mode:inline
When Snort is in Passive mode, it acts as an IDS. Drop rules are not loaded (unless --treat-drop-as-alert is given). Snort can be configured to run in passive mode using the snort config option policy_mode as follows:

    config policy_mode:tap
Inline-Test mode simulates the inline mode of Snort, allowing evaluation of inline behavior without affecting traffic. The drop rules will be loaded and will be triggered as a Wdrop (Would Drop) alert. Snort can be configured to run in inline-test mode using the command line option --enable-inline-test or the snort config option policy_mode as follows:

    snort --enable-inline-test
    config policy_mode:inline_test

Note: --enable-inline-test cannot be used in conjunction with -Q.
Behavior of different modes with rule options

| Rule Option | Inline Mode             | Passive Mode            | Inline-Test Mode        |
|-------------|-------------------------|-------------------------|-------------------------|
| reject      | Drop + Response         | Alert + Response        | Wdrop + Response        |
| react       | Blocks and sends notice | Blocks and sends notice | Blocks and sends notice |
| normalize   | Normalizes packet       | Doesn't normalize       | Doesn't normalize       |
| replace     | Replaces content        | Doesn't replace         | Doesn't replace         |
| respond     | Closes session          | Closes session          | Closes session          |
Behavior of different modes with rule actions

| Adapter Mode | Snort args                                  | config policy_mode | Drop Rule Handling   |
|--------------|---------------------------------------------|--------------------|----------------------|
| Passive      | --treat-drop-as-alert                       | tap                | Alert                |
| Passive      | no args                                     | tap                | Not loaded           |
| Passive      | --treat-drop-as-alert                       | inline_test        | Alert                |
| Passive      | no args                                     | inline_test        | Would Drop           |
| Passive      | --treat-drop-as-alert                       | inline             | Alert                |
| Passive      | no args                                     | inline             | Not loaded + warning |
| Inline Test  | --enable-inline-test --treat-drop-as-alert  | tap                | Alert                |
| Inline Test  | --enable-inline-test                        | tap                | Would Drop           |
| Inline Test  | --enable-inline-test --treat-drop-as-alert  | inline_test        | Alert                |
| Inline Test  | --enable-inline-test                        | inline_test        | Would Drop           |
| Inline Test  | --enable-inline-test --treat-drop-as-alert  | inline             | Alert                |
| Inline Test  | --enable-inline-test                        | inline             | Would Drop           |
| Inline       | -Q --treat-drop-as-alert                    | tap                | Alert                |
| Inline       | -Q                                          | tap                | Alert                |
| Inline       | -Q --treat-drop-as-alert                    | inline_test        | Alert                |
| Inline       | -Q                                          | inline_test        | Would Drop           |
| Inline       | -Q --treat-drop-as-alert                    | inline             | Alert                |
| Inline       | -Q                                          | inline             | Drop                 |