Source : https://www.snort.org/
snort command added to $PATH
Community Rules preloaded (not updated automatically)
config files in /opt/SNORT/etc
no auto launch: the start command has to be set up by yourself within /opt/SNORT/SNORT.sh
Free and lightweight network intrusion detection system (NIDS) software (Command line tool)
Usage:

```
[~] # snort --help

   ,,_     -*> Snort! <*-
  o"  )~   Version 126.96.36.199 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.42 2018-03-20
           Using ZLIB version: 1.2.11

USAGE: snort [-options] <Filter Options>
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B         Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c         Use Rules File
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F         Read BPF filters from file
        -g         Run snort gid as group (or gid) after initialization
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h         Set home network
                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
        -H         Make hash tables deterministic.
        -i         Listen on interface
        -I         Add Interface name to alert output
        -k         Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K         Logging mode (pcap[default],ascii,none)
        -l         Log to directory
        -L         Log to this tcpdump file
        -M         Log messages to syslog (not alerts)
        -m         Set umask
        -n         Exit after receiving packets
        -N         Turn off logging (alerts still work)
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P         Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -Q         Enable inline mode operation.
        -r         Read and process tcpdump file
        -R         Include 'id' in snort_intf.pid file name
        -s         Log alert messages to syslog
        -S         Set rules file variable n equal to value v
        -t         Chroots process to after initialization
        -T         Test and report on the current Snort configuration
        -u         Run snort uid as user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -X         Dump the raw packet data starting at the link layer
        -x         Exit if Snort configuration problems occur
        -y         Include year in timestamp in the alert and log files
        -Z         Set the performonitor preprocessor file path and name
        -?         Show this information

<Filter Options> are standard BPF options, as seen in TCPDump

Longname options and their corresponding single char version
   --logid <0xid>                      Same as -G
   --perfmon-file                      Same as -Z
   --pid-path                          Specify the directory for the Snort PID file
   --snaplen                           Same as -P
   --help                              Same as -?
   --version                           Same as -V
   --alert-before-pass                 Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
   --treat-drop-as-alert               Converts drop, sdrop, and reject rules into alert rules during startup
   --treat-drop-as-ignore              Use drop, sdrop, and reject rules to ignore session traffic when not inline.
   --process-all-events                Process all queued events (drop, alert,...), default stops after 1st action group
   --enable-inline-test                Enable Inline-Test Mode Operation
   --dynamic-engine-lib                Load a dynamic detection engine
   --dynamic-engine-lib-dir            Load all dynamic engines from directory
   --dynamic-detection-lib             Load a dynamic rules library
   --dynamic-detection-lib-dir         Load all dynamic rules libraries from directory
   --dump-dynamic-rules                Creates stub rule files of all loaded rules libraries
   --dynamic-preprocessor-lib          Load a dynamic preprocessor library
   --dynamic-preprocessor-lib-dir      Load all dynamic preprocessor libraries from directory
   --dynamic-output-lib                Load a dynamic output library
   --dynamic-output-lib-dir            Load all dynamic output libraries from directory
   --create-pidfile                    Create PID file, even when not in Daemon mode
   --nolock-pidfile                    Do not try to lock Snort PID file
   --no-interface-pidfile              Do not include the interface name in Snort PID file
   --disable-attribute-reload-thread   Do not create a thread to reload the attribute table
   --pcap-single                       Same as -r.
   --pcap-file                         file that contains a list of pcaps to read - read mode is implied.
   --pcap-list ""                      a space separated list of pcaps to read - read mode is implied.
   --pcap-dir                          a directory to recurse to look for pcaps - read mode is implied.
   --pcap-filter                       filter to apply when getting pcaps from file or directory.
   --pcap-no-filter                    reset to use no filter when getting pcaps from file or directory.
   --pcap-loop                         this option will read the pcaps specified on command line continuously.
                                       for times. A value of 0 will read until Snort is terminated.
   --pcap-reset                        if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
   --pcap-reload                       if reading multiple pcaps, reload snort config between pcaps.
   --pcap-show                         print a line saying what pcap is currently being read.
   --exit-check                        Signal termination after callbacks from DAQ_Acquire(), showing the
                                       time it takes from signaling until DAQ_Stop() is called.
   --conf-error-out                    Same as -x
   --enable-mpls-multicast             Allow multicast MPLS
   --enable-mpls-overlapping-ip        Handle overlapping IPs within MPLS clouds
   --max-mpls-labelchain-len           Specify the max MPLS label chain
   --mpls-payload-type                 Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
   --require-rule-sid                  Require that all snort rules have SID specified.
   --daq                               Select packet acquisition module (default is pcap).
   --daq-mode                          Select the DAQ operating mode.
   --daq-var                           Specify extra DAQ configuration variable.
   --daq-dir                           Tell snort where to find desired DAQ.
   --daq-list[=]                       List packet acquisition modules available in dir. Default is static modules only.
   --dirty-pig                         Don't flush packets and release memory on shutdown.
   --cs-dir                            Directory to use for control socket.
   --ha-peer                           Activate live high-availability state sharing with peer.
   --ha-out                            Write high-availability events to this file.
   --ha-in                             Read high-availability events from this file on startup (warm-start).
   --suppress-config-log               Suppress configuration information output.
```
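Since the package does not launch Snort for you, the start command in /opt/SNORT/SNORT.sh is where the options above get combined. The script below is an added example, written for this page and not part of the package or of Snort: a POSIX sh launcher that does the checks a practitioner wants before going to the background. It lists rules that carry no sid (Snort started with --require-rule-sid refuses them), lists sids that occur more than once across the preloaded Community Rules and any local rules, validates the configuration with -T, and only then starts the daemon with -D, dropping privileges with -u/-g. The paths /opt/SNORT/etc/snort.conf and /opt/SNORT/etc/rules, the log directory /var/log/snort, the user "snort" and the interface eth0 are assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example: Snort launcher with pre-flight rule and config checks.
# Everything below the defaults is an assumption for this example, not
# something the package documents: adjust paths, user and interface.
SNORT_CONF="${SNORT_CONF:-/opt/SNORT/etc/snort.conf}"
SNORT_RULES="${SNORT_RULES:-/opt/SNORT/etc/rules}"
SNORT_IFACE="${SNORT_IFACE:-eth0}"
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"
SNORT_USER="${SNORT_USER:-snort}"

# Print only the rule lines of the given files (lines that start with a
# Snort action keyword); comments, variables and preprocessor lines are skipped.
rule_lines() {
  grep -h -E '^[[:space:]]*(alert|log|pass|drop|sdrop|reject|activate|dynamic)[[:space:]]' "$@"
}

# Print rule lines with no "sid:" option and return 1 if any exist.
# Snort run with --require-rule-sid would refuse to start on these.
rules_without_sid() {
  missing=$(rule_lines "$@" | grep -v -E 'sid:[[:space:]]*[0-9]+' || true)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Print every sid that appears more than once and return 1 if any does.
# A duplicate sid makes alerts from two different rules indistinguishable.
duplicate_sids() {
  dups=$(rule_lines "$@" | grep -o -E 'sid:[[:space:]]*[0-9]+' | tr -d ' ' \
         | cut -d: -f2 | sort -n | uniq -d)
  [ -z "$dups" ] && return 0
  printf '%s\n' "$dups"
  return 1
}

# The command line that will be run: quiet daemon, fast alert format,
# logs under SNORT_LOGDIR, privileges dropped to SNORT_USER after init.
snort_cmd() {
  printf 'snort -q -D -c %s -i %s -l %s -A fast -u %s -g %s --require-rule-sid' \
    "$SNORT_CONF" "$SNORT_IFACE" "$SNORT_LOGDIR" "$SNORT_USER" "$SNORT_USER"
}

# Validate with -T before daemonising: a broken config behind -D would
# otherwise die after the fork with nothing on the terminal.
snort_launch() {
  command -v snort >/dev/null 2>&1 || { echo "snort not in PATH" >&2; return 2; }
  rules_without_sid "$SNORT_RULES"/*.rules || { echo "rules without sid" >&2; return 1; }
  duplicate_sids "$SNORT_RULES"/*.rules || { echo "duplicate sids" >&2; return 1; }
  snort -T -c "$SNORT_CONF" || return 1
  # Placeholder paths contain no spaces, so eval of the printed line is safe here.
  eval "$(snort_cmd)"
}
```

Source this file from /opt/SNORT/SNORT.sh and call snort_launch there; the -u/-g switches require the "snort" account to exist, and /var/log/snort must be writable by it once privileges are dropped. Because the Community Rules are not updated automatically, the duplicate-sid check is worth re-running whenever you replace them or add local rules.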