readme

Intrusion detection system: example of use together with MySQL under Linux
Snort Version 1.8.1
by Martin Roesch (roesch@sourcefire.com)

Distribution Site:
    http://www.snort.org
    http://snort.sourceforge.net

Alternate Sites:
  US:
    http://www.technotronic.com
    http://packetstormsecurity.org
    http://www.whitehats.com
  Europe:
    http://gd.tuwien.ac.at/infosys/security/snort
    ftp://gd.tuwien.ac.at/infosys/security/snort
    http://www.centus.com/snort/security.html
  South America:
    http://snort.safenetworks.com
  Australia:
    ftp://the.wiretapped.net/pub/security/network-intrusion-detection/snort

Distributed with:
    Trinux <http://www.trinux.org>
    SuSE Linux <http://www.suse.org>
    Debian Linux <http://www.debian.org>
    NetBSD <http://www.netbsd.org>
    Conectiva Linux <www.conectiva.com.br>
    Others?

******************************************************************************
COPYRIGHT

Copyright (C) 1998,1999,2000,2001 Martin Roesch

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Some of this code has been taken from tcpdump, which was developed
by the Network Research Group at Lawrence Berkeley National Lab,
and is copyrighted by the University of California Regents.

******************************************************************************
DESCRIPTION

Snort is an open source network intrusion detection system, capable of
performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis and content searching/matching in order to
detect a variety of attacks and probes, such as buffer overflows, stealth port
scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort uses a flexible rules language to describe traffic that it should collect
or pass, as well as a detection engine that utilizes a modular plugin
architecture.  Snort has a real-time alerting capability as well,
incorporating alerting mechanisms for syslog, user specified files, a
UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort has three primary functional modes.  It can be used as a straight
packet sniffer like tcpdump(1), a packet logger (useful for network traffic
debugging, etc), or as a full blown network intrusion detection system.

Snort logs packets to many formats, including tcpdump(1) binary format or
Snort's decoded ASCII format to a hierarchical set of directories that are
named based on the IP address of the remote host.

Plugins allow the detection and reporting subsystems to be extended.
Available plugins include database or XML logging, small fragment detection,
portscan detection, HTTP URI normalization, IP defragmentation, TCP stream
reassembly and statistical anomaly detection.

******************************************************************************
[*][USAGE]

Command line:
    snort -[options] <filters>

Options:
    -A <alert>  Set <alert> mode to full, fast or none.  Full mode
            does normal "classic Snort"-style alerts to the alert
            file.  Fast mode just writes the timestamp, message,
            IPs, and ports to the file.  None turns off alerting.
            There is experimental support for UnixSock alerts
            that allow alerting to a separate process.  Use the
            "unsock" argument to activate this feature.
    -a      Display ARP packets
    -b      Log packets in tcpdump format.  All packets are logged
            in their native binary state to a tcpdump formatted
            log file called "snort.log".  This option results in
            much faster operation of the program since it doesn't
            have to spend time in the packet binary->text
            converters.  Snort can keep up pretty well with 100Mbps
            networks in "-b" mode.
    -c <cf>  Use configuration file <cf>.  This is the rules file
            which tells the system what to log, alert on, or pass!
    -C      Dump the ASCII characters in packet payloads only, no
            hexdump
    -d      Dump the application layer data
    -D      Run Snort in daemon mode.  Alerts are sent to
            /var/log/snort/alert unless otherwise specified.
    -e      Display/log the layer 2 packet header data.
    -F <bpf> Read BPF filters from file <bpf>.  Handy for those of
            you running Snort as a SHADOW replacement or with a
            love of super complex BPF filters.
    -g <gname> Run Snort as group ID <gname> after initialization.
            This switch allows Snort to drop root privileges after
            its initialization phase has completed as a security
            measure.
    -G      Ghetto backwards compatibility switch, prints cross reference info
            in the 1.7 format.  Available modes are basic and url.
    -h <hn>  Set the "home network" to <hn>, which is a class C IP
            address something like 192.168.1.0 or whatever.  If you
            use this switch, traffic coming from external networks
            will be formatted with the directional arrow of the
            packet dump pointing right for incoming external
            traffic, and left for outgoing internal traffic.  Kind
            of silly, but it looks nice.
    -i <if>  Sniff on network interface <if>.
    -I      Add the interface name to alert printouts (first interface only)
    -k <checksum mode>
            Set <checksum mode> to all, noip, notcp, noudp, noicmp, or none.
            Setting this switch modifies the checksum verification subsystem of
            Snort to tune for maximum performance.  For example, in many
            situations Snort is behind a router or firewall that doesn't allow
            packets with bad checksums to pass, in which case it wouldn't make
            sense to have Snort re-verify checksums that have already been
            checked.  Turning off specific checksum verification subsystems can
            improve performance by reducing the amount of time required to
            inspect a packet.
    -l <ld>  Log packets to directory <ld>.  Sets up a hierarchical
            directory structure with the log directory as the base
            starting directory, and the IP address of the remote
            peer generating traffic as the directory which packets
            from that address are stored in.  If you do not
            use the -l switch, the default logging directory is
            /var/log/snort.
    -L <fn>  Set the binary output file's filename to <fn>.
    -m <mask> Set the umask for all of Snort's output files to the indicated
            mask.
    -M <wkstn>  Send WinPopup messages to the list of workstations
            contained in the <wkstn> file.  This option requires
            Samba to be resident and in the path of the machine
            running Snort.  The workstation file is simple: each
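As an added example that is not part of the Snort README, the following Python reads a constructed file of "-A fast" alerts, skips lines that do not parse, counts alerts per external source and per signature, and classifies each alert against a class C home network the way the -h switch orients its arrows. The exact fast-alert line layout is an assumption, since the README only names the fields it contains.

```python
import re
import ipaddress
from collections import Counter

# Assumed layout of one "-A fast" alert line (the README only lists the fields):
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] message [**] {PROTO} src[:sport] -> dst[:dport]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert file, not real Snort output; the last line is deliberate junk.
SAMPLE_ALERTS = """\
07/09-15:47:32.123456  [**] [1:1000001:1] WEB-CGI probe attempt [**] {TCP} 10.20.30.40:4321 -> 192.168.1.5:80
07/09-15:47:33.654321  [**] [1:1000002:1] SMB name wildcard probe [**] {UDP} 10.20.30.40:137 -> 192.168.1.5:137
07/09-15:47:35.000001  [**] [1:1000003:1] ICMP PING NMAP [**] {ICMP} 192.168.1.7 -> 10.20.30.40
07/09-15:47:36.000002  [**] [1:1000001:1] WEB-CGI probe attempt [**] {TCP} 10.20.30.41:5555 -> 192.168.1.5:80
corrupted line that must be skipped rather than crash the parser
"""

def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"]) if d["sport"] else None  # ICMP alerts carry no ports
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d

def direction(alert, home_net):
    """Mirror the -h switch: 'incoming' when the source lies outside the home
    network, 'outgoing' when it lies inside, 'internal' when both ends do."""
    net = ipaddress.ip_network(home_net)
    src_in = ipaddress.ip_address(alert["src"]) in net
    dst_in = ipaddress.ip_address(alert["dst"]) in net
    if src_in and dst_in:
        return "internal"
    return "outgoing" if src_in else "incoming"

def summarize(text, home_net="192.168.1.0/24"):
    """Count incoming alerts per external source and all alerts per (sid, message)."""
    alerts = [a for a in (parse_fast_alert(l) for l in text.splitlines()) if a]
    by_src = Counter(a["src"] for a in alerts if direction(a, home_net) == "incoming")
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    return {"parsed": len(alerts), "external_sources": by_src, "signatures": by_sig}
```

Call summarize(SAMPLE_ALERTS) on the constructed file, or pass the contents of a real alert file together with the same home network given to -h.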