Snort Users Manual
Snort Release: 1.8.1
Martin Roesch
Contents
1 Snort Overview
1.1 Getting Started
1.2 Sniffer Mode
1.3 Packet Logger Mode
1.4 Network Intrusion Detection Mode
1.4.1 NIDS Mode Output Options
1.4.2 High Performance Configuration
1.4.3 Changing Alert Order
1.5 Miscellaneous
1.6 More Information
2 Writing Snort Rules
How to Write Snort Rules and Keep Your Sanity
2.1 The Basics
2.1.1 Includes
2.1.2 Variables
2.2 Rules Headers
2.2.1 Rule Actions
2.2.2 Protocols
2.2.3 IP Addresses
2.2.4 Port Numbers
2.2.5 Activate/Dynamic Rules
2.3 Rule Options
2.3.1 Msg
2.3.2 Logto
2.3.3 TTL
2.3.4 TOS
2.3.5 ID
2.3.6 Ipoption
2.3.7 Fragbits
2.3.8 Dsize
2.3.9 Content
2.3.10 Offset
2.3.11 Depth
2.3.12 Nocase
2.3.13 Flags
2.3.14 Seq
2.3.15 Ack
2.3.16 Itype
2.3.17 Icode
2.3.18 Session
2.3.19 Icmp_id
2.3.20 Icmp_seq
2.3.21 Rpc
2.3.22 Resp
2.3.23 Content-list
2.3.24 React
2.3.25 Reference
2.3.26 Sid
2.3.27 Rev
2.3.28 Classtype
2.3.29 Priority
2.3.30 Uricontent
2.3.31 Tag
2.3.32 IP proto
2.3.33 Same IP
2.3.34 Stateless
2.3.35 Regex
2.4 Preprocessors
2.4.1 Minfrag
2.4.2 HTTP Decode
2.4.3 Portscan Detector
2.4.4 Portscan Ignorehosts
2.4.5 Defrag
2.4.6 Frag2
2.4.7 Stream
2.4.8 Stream4
2.4.9 Spade: the Statistical Packet Anomaly Detection Engine
2.5 Output Modules
2.5.1 Alert_syslog
2.5.2 Alert_fast
2.5.3 Alert_full
2.5.4 Alert_smb
2.5.5 Alert_unixsock
2.5.6 Log_tcpdump
2.5.7 XML
2.5.8 Database
2.5.9 CSV
2.5.10 Unified
2.5.11 SNMP Trap
2.6 Writing Good Rules
A SNMP Trap Licensing