Snort Version 1.6

by Martin Roesch (roesch@clark.net)

Distribution Site:
http://www.clark.net/~roesch/security.html 

Alternate Sites:

US:
http://www.technotronic.com
http://packetstorm.securify.com
http://snort.whitehats.com

Europe:
http://gd.tuwien.ac.at/infosys/security/snort
ftp://gd.tuwien.ac.at/infosys/security/snort
http://www.centus.com/snort/security.html

South America:
http://snort.safenetworks.com

Austrailia:
ftp://the.wiretapped.net/pub/security/network-intrusion-detection/snort


Distributed with:
Trinux <http://www.trinux.org>
Debian Linux <http://www.debian.org>
NetBSD <http://www.netbsd.org>
Others?

******************************************************************************
COPYRIGHT

Copyright (C)1998,1999,2000 Martin Roesch

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Some of this code has been taken from tcpdump, which was developed
by the Network Research Group at Lawrence Berkeley National Lab,
and is copyrighted by the University of California Regents.

******************************************************************************

DESCRIPTION

Snort is a libpcap-based packet sniffer/logger which can be used as a 
lightweight network intrusion detection system. It features rules based logging
and can perform content searching/matching in addition to being used to detect 
a variety of other attacks and probes, such as buffer overflows, stealth port
scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting 
capabilty, with alerts being sent to syslog, a seperate "alert" file, or even
to a Windows computer via Samba.  

Packets are logged in either tcpdump binary format or their decoded form to
directories which are generated based upon the IP address of the remote peer.
This allows Snort to be used as a sort of "poor man's intrusion detection
system" if you specify what traffic you want to record and what to let through.

Snort has grown quite a bit since the initial release over a year ago and
now subsumes the major portions of the functionality of commercial network
intrusion detection systems like NetRanger and ISS RealSecure.  Development
has accelerated over the past four months due to contributions from the Open
Source community!

As of version 1.5, there is major new functionality!  Detection and
preprocessing plugins, session logging, rules file variables and includes, five
new network layer decoders including ISDN and Token Ring support, new detection 
functionality, and a bunch of other cool stuff.  Check out the ChangeLog for 
the full list.


******************************************************************************

[*][USAGE]

Command line: 

	snort -[options] <filters>

Options:

	-A <alert>	Set <alert> mode to full, fast or none.  Full mode
			does normal "classic Snort"-style alerts to the alert
			file.  Fast mode just writes the timestamp, message, 
			IPs, and ports to the file.  None turns off alerting.
			As of version 1.5 there is experimental support for
			CyberPsychotic's UnixSock alert modifications to Snort
			that allow alerting to a sepreate process.  Use the 
			"unsock" argument to activate this feature.

	-a		Display ARP packets

	-b		Log packets in tcpdump format.  All packets are logged
			in their native binary state to a tcpdump formatted 
			log file called "snort.log".  This option results in
			much faster operation of the program since it doesn't
			have to spend time in the packet binary->text
			converters.  Snort can keep up pretty well with 100Mbps
			networks in "-b" mode.

	-c <cf>		Use configuration file <cf>.  This is the rules file
			which tells the system what to log, alert on, or pass!

	-C 		Dump the ASCII characters in packet payloads only, no
			hexdump!

	-d		Dump the application layer data

	-D		Run Snort in daemon mode.  Alerts are sent to
                        /var/log/snort.alert unless otherwise specified.

	-e		Display/log the layer 2 packet header data

	-F <bpf>	Read BPF filters from file <bpf>.  Handy for those of
			you running Snort as a SHADOW replacement or with a
			love of super complex BPF filters.

	-h <hn>		Set the "home network" to <hn>, which is a class C IP 
			address something like 192.168.1.0 or whatever.  If you
			use this switch, traffic coming from external networks
			will be formatted with the directional arrow of the 
			packet dump pointing right for incoming external 
			traffic, and left for outgoing internal traffic.  Kind
			of silly, but it looks nice.

	-i <if>		Use network interface <if>.  

	-l <ld>		Log packets to directory <ld>.  Sets up a hierarchical
			directory structure with the log directory as the base
			starting directory, and the IP address of the remote
			peer generating traffic as the directory which packets
			packets from that adress are stored in.

	-M <wkstn>	Send WinPopup messages to the list of workstations
			contained in the <wkstn> file.  This option requires
			Samba to be resident and in the path of the machine
			running Snort.  The workstation file is simple: each
			line of the file containes the SMB name of the box to
			send the message to (no \\'s needed).

	-n <num>	Exit after processing <num> packets.

	-N 		Turn off logging.  Alerts still function normally.

	-o              Change the order in which the rules are applied to 
	                packets.  Instead of being applied in the standard
			Alert->Pass->Log order, this will apply them in 
			Pass->Alert->Log order, allowing people to avoid having
			to make huge BPF command line arguments to filter their
			alert rules.  User requested.

	-p		Turn off promiscuous mode sniffing.  Useful for places
			where that can screw up your network severely.

	-r <tf>		Read the tcpdump-generated file <tf>.  This will cause
			Snort to read and process the file fed to it.  This is
			useful if, for instance, you've got a bunch of Shadow
			files that you want to process for content, or even if
			you've got a bunch of reassembled packet fragments
			which have been written into a tcpdump formatted file.

	-s              Log alert messages to the syslog.  On linux boxen, they
	                will appear in /var/log/secure, /var/log/messages on
                        many other platforms.

	-S <n=v>	Set variable name "n" to value "v".  This is useful for
			setting the value of a defined variable name in a Snort
			rules file to a command line specified value.  For
			instance, if you define a HOME_NET variable name inside
			of a Snort rules file, you can set this value from
			it's predefined value at the command line.

	-v		Be verbose.  Prints packets out to the console.  There
                        is one big problem with verbose mode: it's still kind
                        of slow.  If you are doing IDS work with Snort, don't
                        use the -v switch, you WILL drop packets (not many, but
                        some).

	-V		Show the version number and exit.

	-x		Show an annoying little message whenever you see an 
			annoying IPX packet.

	-?		Show the usage summary and exit.


[*][FILTERS]:

     The "filters" are standard BPF style filters as seen in TCPDump.  Look
at the man page for TCPDump for docs on how to use it properly.  In general,
you can give it a host, net or protocol to filter on and some logical statements
to tie it together and get the specific traffic you're interested in.  For 
example:

[zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1

records the traffic to and from host 192.168.1.1.

[zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1

records all traffic on the 192.168.1.0/24 class C subnet, but not traffic 
to/from 192.168.1.1.  Notice that the command line data specified after the
"-h" switch is formated differently from the BPF commands provided at the end 
of the command line.  Sorry for the confusion, but I like the CIDR notation and
I'm not rewriting libpcap to make it consistent!  Anyway, you get the picture.
Mail me if you have trouble with it.

As of version 1.3, you can use the -F switch to read your BPF filters in from
a file.  


[*][RULES]:
      
-------------------------------------------------------------------------
NOTE: The "official" rules document these days is available at:

http://www.clark.net/~roesch/snort_rules.html

The information in RULES.SAMPLE is still valid, but the easiest to read 
document is at the web site.
-------------------------------------------------------------------------

The rules formats are fairly simple for now and are covered in the 
"RULES.SAMPLE" file included in the distribution.  Please look there for 
complete explainations of how the rules system works.

     The Alerts which are generated by the system are logged to a file named
(suprisingly enough) "alert".  You can use something like "rt" or just "tail -f"
it to give a running display of system alerts.  Alerts can also be sent to 
syslog (and monitored with something like swatch), or they can be sent out as 
WinPopup messages with smbclient.  Check out the "INSTALL" file for information
on enabling the SMB alerting option.

     Note that the system requires the use of the "-l" flag to redirect rules 
based logging to a specific directory.  If you don't specify a place for it to
go, it goes into /var/log/snort.


Rules are applied in the order in which they're entered in their class.  In
other words, the Alert rules are applied in the order they're read out of the 
rules file, and so on for Log and Pass rules.


******************************************************************************
