readme

Intrusion detection system: example of use with MySql under Linux
            line of the file contains the SMB name of the box to
            send the message to (no \\'s needed).
    -n <num> Exit after processing <num> packets.
    -N      Turn off logging.  Alerts still function normally.
    -o      Change the order in which the rules are applied to
            packets.  Instead of being applied in the standard
            Alert->Pass->Log order, this will apply them in
            Pass->Alert->Log order, allowing people to avoid having
            to make huge BPF command line arguments to filter their
            alert rules.
    -O      Obfuscate the IP addresses when in ASCII packet dump
            mode.  This switch changes the IP addresses that get
            printed to the screen/log file to "xxx.xxx.xxx.xxx".
            If the homenet address switch is set (-h), only
            addresses on the homenet will be obfuscated while non-
            homenet IPs will be left visible.  Perfect for posting
            to your favorite security mailing list!
    -p      Turn off promiscuous mode sniffing.  Useful for places
            where that can screw up your host severely.
    -P <snaplen> Set the snaplen of Snort to <snaplen>.  This filters how much
            of each packet gets into Snort; the default is the MTU for the
            interface that Snort is currently listening on.
    -q      Quiet.  Don't show banner and status report.
    -r <tf> Read the tcpdump-generated file <tf>.  This will cause
            Snort to read and process the file fed to it.  This is
            useful if, for instance, you've got a bunch of Shadow
            files that you want to process for content, or even if
            you've got a bunch of reassembled packet fragments
            which have been written into a tcpdump formatted file.
    -s      Log alert messages to the syslog.  On linux boxen, they
            will appear in /var/log/secure, /var/log/messages on
            many other platforms.  You can change the logging facility
            by using the syslog output plugin, at which point the -s
            switch should not be used (command line alert/log switches
            override any config file output variables).
    -S <n=v> Set variable name "n" to value "v".  This is useful for
            setting the value of a defined variable name in a Snort
            rules file to a command line specified value.  For
            instance, if you define a HOME_NET variable name inside
            of a Snort rules file, you can override its predefined
            value from the command line.
    -t <chroot> Changes Snort's root directory to <chroot> after
            initialization.  Please note that all log/alert filenames
            are relative to the chroot directory, if chroot is used.
    -T      Snort will start up in self-test mode, checking all the supplied
            command line switches and rules files that are handed to it and
            indicating that everything is ready to proceed.  This is a good
            switch to use if daemon mode is going to be used: it verifies that
            the Snort configuration that is about to be used is valid and
            won't fail at run time.
    -u <uname> Change the UID Snort runs under to <uname> after
            initialization.
    -U      Turn on UTC timestamps.
    -v      Be verbose.  Prints packets out to the console.  There
            is one big problem with verbose mode: it's still kind
            of slow.  If you are doing IDS work with Snort, don't
            use the -v switch, you WILL drop packets (not many, but
            some).
    -V      Show the version number and exit.
    -x      Show an annoying little message whenever you see an
            annoying little IPX packet.
    -X      Dump the raw packet data starting at the link layer.
    -y      Turn on the year field in packet timestamps.
    -z      Set the assurance mode for Snort alerts.  If the argument is set
            to "all", all alerts come out of Snort as normal.  If it is set to
            "est" and the stream4 preprocessor is performing stateful
            inspection (i.e. its default mode), alerts will only be generated
            for TCP packets that are part of an established session, greatly
            reducing the noise generated by tools like stick and making Snort
            more useful in general.
    -?      Show the usage summary and exit.

[*][FILTERS]:

    The "filters" are standard BPF style filters as seen in tcpdump.  Look
at the man page for snort for docs on how to use it properly.  In general,
you can give it a host, net or protocol to filter on and some logical statements
to tie it together and get the specific traffic you're interested in.  For
example:

[zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1

records the traffic to and from host 192.168.1.1.

[zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1

records all traffic on the 192.168.1.0/24 class C subnet, but not traffic
to/from 192.168.1.1.  Notice that the command line data specified after the
"-h" switch is formatted differently from the BPF commands provided at the end
of the command line.  Sorry for the confusion, but I like the CIDR notation and
I'm not rewriting libpcap to make it consistent!  Anyway, you get the picture.
Mail me if you have trouble with it.

You can use the -F switch to read your BPF filters in from a file.

[*][RULES]:

-------------------------------------------------------------------------
NOTE: The "official" rules document these days is available at:

http://www.snort.org/snort_rules.html
-------------------------------------------------------------------------

[*][RUN MODES]

Snort has three primary run-time modes: sniffer, packet logger, and network
intrusion detection.

Sniffer Mode: When in this mode, Snort reads and decodes all packets from the
network and dumps them to the stdout.  To put Snort into straight sniffing
mode, use the "-v" verbose switch.  This will dump the packet headers only.
You can see the headers + the packet payloads by specifying the "-v" and "-d"
switches.  To print a dump of the raw bytes in the entire packet, specify the
"-X" switch.  If you specify the "-X" switch, the -d switch is overridden.  You
can filter the traffic that shows up in this mode by using BPF filters.

Packet Logger Mode: This mode logs the packets to the disk in their decoded
ASCII format.  This mode is activated merely by specifying a directory to log
packets to with the "-l" switch.  This will log packets into the specified
logging directory in a hierarchy of directories based upon the IP addresses of
the packets on the wire.  To log the packets in terms of the network being
monitored (i.e. the directories created under the logging directory are the
IP addresses of the remote/non-home hosts) use the "-h" switch.  To log the
packets in their raw binary format to the disk, use the "-b" switch.  Logging
the packets in this format will allow them to be run through other tools like
Ethereal, tcpdump, etc.  Packet logger mode can be mixed with sniffer mode
switches with no ill effects; however, logging performance may be impacted by
the slowness of the terminal.

Intrusion Detection Mode: Snort enters IDS mode when a configuration file is
specified with the "-c" switch.  Output formats, rules, preprocessor
configuration, etc. are all specified in the configuration file.  Logger mode
is essentially disabled when in IDS mode, but that's ok because you specify
which packets you want to log when in IDS mode.  See the rule document (above)
for how to write your own rules.  When an alert rule goes off the alert data is
logged to the alerting mechanism (by default a file called "alert" in the
logging directory) in addition to being logged to the logging mechanism.  The
default logging directory is /var/log/snort, which can be changed using the
"-l" switch.  You can use something like "rt" or just "tail -f" it to give a
running display of system alerts.  Alerts can also be sent to syslog (and
monitored with something like swatch), or they can be sent out as WinPopup
messages with smbclient.  Check out the "INSTALL" file for information on
enabling the SMB alerting option.  There are a variety of other alerting and
logging mechanisms available; check out the snort.conf file for information on
enabling them.

Note that the system requires the use of the "-l" flag to redirect rules-based
logging to a specific directory.  If you don't specify a place for it to go, it
defaults to /var/log/snort.

Please read the USAGE file or the SnortUsersManual.pdf for more info.

******************************************************************************

/* $Id: README,v 1.15 2001/08/15 05:54:35 roesch Exp $ */
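
The homenet rules the README gives under the -O switch (mask only homenet addresses when -h is set, mask every address otherwise) and under Packet Logger Mode (with -h, the per-host directory is the remote, non-home host), worked through as an added Python example. It is not Snort's code and not part of the README: the function names, the sample summary lines and the fallback used for the cases the README leaves unstated (no -h given, or both ends inside the homenet) are this example's own assumptions.

```python
"""Homenet-aware address handling, modelled on what the README says about the
-h (homenet) and -O (obfuscate) switches and the packet logger's per-host
directories.

Added example, not Snort's own code.  Function names are this example's own;
the fallback used when no homenet is given, or when both ends are inside it,
is a labelled assumption because the README states no rule for those cases.
Sample lines are constructed."""
import ipaddress
import re

MASK = "xxx.xxx.xxx.xxx"            # the placeholder the README says -O prints
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def in_homenet(addr, homenet):
    """True when addr falls inside the -h CIDR block; False if no -h was given."""
    if homenet is None:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(homenet, strict=False)


def obfuscate(addr, homenet=None):
    """The -O rule: without -h every address is masked; with -h only homenet
    addresses are masked and outside addresses stay visible."""
    if homenet is None or in_homenet(addr, homenet):
        return MASK
    return addr


def obfuscate_line(line, homenet=None):
    """Rewrite every IPv4 address in a packet summary line the way -O would."""
    return IPV4_RE.sub(lambda m: obfuscate(m.group(0), homenet), line)


def log_subdir(src, dst, homenet=None):
    """Directory name under the -l logging directory for one packet.

    With -h the README says it is the remote (non-home) host.  When both ends
    are inside the homenet there is no remote host, and without -h the README
    states no rule; in both cases this example falls back to the destination
    address (assumption, not Snort's documented behaviour)."""
    if homenet is not None:
        src_home, dst_home = in_homenet(src, homenet), in_homenet(dst, homenet)
        if src_home and not dst_home:
            return dst
        if dst_home and not src_home:
            return src
    return dst


# Constructed packet summary lines in a "timestamp src:port -> dst:port" shape
# (layout assumed for the example, not taken from the README).
SAMPLE_LINES = [
    "08/15-05:54:35.123456 192.168.1.5:1034 -> 10.0.0.7:80",
    "08/15-05:54:36.000001 10.0.0.7:80 -> 192.168.1.5:1034",
    "08/15-05:54:37.000002 192.168.1.5:2222 -> 192.168.1.9:22",
]
HOMENET = "192.168.1.0/24"   # the homenet used in the README's own -h examples


def demo(homenet=HOMENET):
    """Return (obfuscated line, log subdirectory) for each sample line."""
    out = []
    for line in SAMPLE_LINES:
        _ts, src, _arrow, dst = line.split()
        src_ip, dst_ip = src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]
        out.append((obfuscate_line(line, homenet), log_subdir(src_ip, dst_ip, homenet)))
    return out


if __name__ == "__main__":
    for masked, subdir in demo():
        print(f"{masked:60s} -> log dir {subdir}")
```

Running it with the README's 192.168.1.0/24 homenet masks only the 192.168.1.x side of each line and picks 10.0.0.7 as the directory for the first two packets; calling demo(None) shows the no -h behaviour, where every address is masked.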
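
The "running display of system alerts" the README suggests building with tail -f or swatch, as an added Python example that is not part of the README or of Snort: it parses records from the "alert" file into structured fields and keeps a tally by rule and priority. The record layout (a "[**] [gid:sid:rev] message [**]" header, an optional "[Classification: ...] [Priority: N]" line, then "timestamp src[:port] -> dst[:port]", records separated by a blank line) is assumed from Snort's classic full alert output rather than taken from this page, and the sample records are constructed.

```python
"""Parse Snort's plain-text "alert" file into structured records and keep a
running tally, the job the README suggests doing with "tail -f" or swatch.

Added example, not part of Snort or its README.  The record layout is assumed
from Snort's classic "full" alert output (not shown on this page).  The sample
records below are constructed."""
import re
from collections import Counter

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR_RE = re.compile(rf"^(\S+) ({IPV4})(?::(\d+))? -> ({IPV4})(?::(\d+))?$")

# Constructed sample alert file contents: three records, one without ports.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] LOCAL inbound telnet attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
08/15-05:54:35.123456 10.0.0.7:40123 -> 192.168.1.5:23
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x2000  TcpLen: 40

[**] [1:1000002:1] LOCAL ICMP echo from outside [**]
[Classification: Misc activity] [Priority: 3]
08/15-05:54:36.000001 10.0.0.7 -> 192.168.1.5
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84

[**] [1:1000001:1] LOCAL inbound telnet attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
08/15-05:54:37.000002 10.0.0.8:40124 -> 192.168.1.5:23
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
******S* Seq: 0x2  Ack: 0x0  Win: 0x2000  TcpLen: 40
"""


def parse_record(block):
    """Turn one blank-line-delimited alert record into a dict, or None if the
    block does not start with a Snort alert header."""
    lines = [ln for ln in block.splitlines() if ln.strip()]
    if not lines:
        return None
    m = HEADER_RE.match(lines[0])
    if not m:
        return None
    rec = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
           "msg": m.group(4), "priority": None, "timestamp": None,
           "src": None, "sport": None, "dst": None, "dport": None}
    for ln in lines[1:]:
        pm = PRIORITY_RE.search(ln)
        if pm:
            rec["priority"] = int(pm.group(1))
            continue
        am = ADDR_RE.match(ln)
        if am:
            rec["timestamp"], rec["src"], sport, rec["dst"], dport = am.groups()
            rec["sport"] = int(sport) if sport else None   # ICMP has no ports
            rec["dport"] = int(dport) if dport else None
            break  # remaining lines are protocol detail this tally does not use
    return rec


def parse_alert_file(text):
    """Parse a whole alert file (or a blank-line-aligned chunk) into records."""
    return [rec for rec in (parse_record(b) for b in re.split(r"\n\s*\n", text)) if rec]


def summarize(records):
    """Running-display tally: hits per (sid, msg), worst priority seen
    (1 is most severe) and the distinct source addresses."""
    by_rule = Counter((r["sid"], r["msg"]) for r in records)
    priorities = [r["priority"] for r in records if r["priority"] is not None]
    return {
        "total": len(records),
        "by_rule": dict(by_rule),
        "worst_priority": min(priorities) if priorities else None,
        "sources": sorted({r["src"] for r in records if r["src"]}),
    }


if __name__ == "__main__":
    summary = summarize(parse_alert_file(SAMPLE_ALERT_FILE))
    print(f"{summary['total']} alerts, worst priority {summary['worst_priority']}")
    for (sid, msg), n in sorted(summary["by_rule"].items()):
        print(f"  sid {sid}: {n} x {msg}")
    print("  sources:", ", ".join(summary["sources"]))
```

To drive this from a live file, read what tail -f emits and buffer it until a blank line arrives before handing the chunk to parse_alert_file, since a record split mid-way would otherwise be dropped by parse_record.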
