snort.8

This software is a well-known network-based intrusion detection system.
.\" Process this file with
.\" groff -man -Tascii snort.8
.\"
.TH SNORT 8 "January 2000" 
.SH NAME
Snort \- lightweight network intrusion detection system
.SH SYNOPSIS
.B snort [-abCdDeNoOpqsvVxX?] [-A
.I alert-mode
.B ] [-c
.I rules-file
.B ] [-F
.I bpf-file
.B ] [-g
.I GID
.B ] [-h
.I home-net
.B ] [-i
.I interface
.B ] [-l
.I log-dir
.B ] [-M
.I smb-hosts-file
.B ] [-n
.I packet-count
.B ] [-r
.I tcpdump-file
.B ] [-S
.I n=v
.B ] [-t
.I chroot-dir
.B ] [-u
.I UID
.B ]
.I expression
.SH DESCRIPTION
.B Snort
is a lightweight network intrusion detection system, capable of performing 
real-time traffic analysis and packet logging on IP networks.  It can perform 
protocol analysis, content searching/matching and can be used to detect a 
variety of attacks and probes, such as buffer overflows, stealth port scans, 
CGI attacks, SMB probes, OS fingerprinting attempts, and much more.  Snort uses
a flexible rules language to describe traffic that it should collect or pass, 
as well as a detection engine that utilizes a modular plugin architecture.
Snort has a real-time alerting capability as well, incorporating alerting
mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup 
messages to Windows clients using Samba's smbclient.
.PP
Snort has three primary uses.  It can be used as a straight packet sniffer like
.BR tcpdump (1),
a packet logger (useful for network traffic debugging, etc), or as a full 
blown network intrusion detection system.
.PP
Snort logs packets in either 
.BR tcpdump (1)
binary format or in Snort's decoded ASCII format to logging directories that
are named based on the IP address of the "foreign" host.
.SH OPTIONS
.IP "-A alert-mode"
Alert using the specified
.IR alert-mode .
Valid alert modes include 
.B fast, full, none,
and
.B unsock.
.B Fast 
writes alerts to the default "alert" file in a single-line, syslog style alert
message.  
.B Full 
writes the alert to the "alert" file with the full decoded header as well as 
the alert message.  
.B None
turns off alerting.  
.B Unsock 
is an experimental mode that sends the alert information out over a UNIX socket
to another process that attaches to that socket.
.IP -a
Display ARP packets when decoding packets.
.IP -b
Log packets in a
.BR tcpdump (1)
formatted file.    All packets are logged in their native binary state to a
tcpdump formatted log file called "snort.log".  This option results in much
faster operation of the program since it doesn't have to spend time in the
packet binary->text converters.  Snort can keep up pretty well with 100Mbps
networks in "-b" mode.
.IP "-c rules-file"
Use the rules located in file 
.IR rules-file .
.IP -C
Print the character data from the packet payload only (no hex).
.IP -d
Dump the application layer data when displaying packets.
.IP -D
Run Snort in daemon mode.  Alerts are sent to /var/log/snort.alert unless 
otherwise specified.
.IP -e
Display/log the Ethernet packet headers.
.IP "-F bpf-file"
Read BPF filters from 
.IR bpf-file .
This is handy for people running Snort as a SHADOW replacement or with a love
of super complex BPF filters.  See the 
.BR tcpdump (1)
documentation for more information on writing BPF filters.
.IP "-g GID"
Run Snort as group ID 
.I GID
after initialization.  This switch allows Snort to drop root privileges after
its initialization phase has completed, as a security measure.
.IP "-h home-net"
Set the "home network" to 
.IR home-net .
The format of this address variable is a network prefix plus a CIDR block, such
as 192.168.1.0/24.  Once this variable is set, all decoded packet logging will
be done relative to the home network address space.  This is useful because of
the way that Snort formats its ASCII log data.  With this value set to the 
local network, all decoded output will be logged into decode directories
with the address of the foreign computer as the directory name, which is
very useful during traffic analysis.
.IP "-i interface"
Listen on 
.IR interface .
.IP "-l log-dir"
Set the output logging directory to 
.IR log-dir .
All alerts and packet traffic go into this directory.  If this option is not 
specified, the default logging directory is set to /var/log/snort.
.IP "-M smb-hosts-file"
Send WinPopup messages to the list of workstations contained in the 
.IR smb-hosts-file .
This option requires Samba to be resident and in the path of the machine
running Snort.  The workstation file is simple: each line of the file contains
the SMB name of the box to send the message to.
.IP "-n packet-count"
Process 
.I packet-count
packets and exit.
.IP -N
Turn off packet logging.  The program still generates alerts normally.
.IP -o
Change the order in which the rules are applied to packets.  Instead of being
applied in the standard Alert->Pass->Log order, this will apply them in 
Pass->Alert->Log order.
.IP -O
Obfuscate the IP addresses when in ASCII packet dump mode.  This switch 
changes the IP addresses that get printed to the screen/log file to 
"xxx.xxx.xxx.xxx".  If the homenet address switch is set (-h), only
addresses on the homenet will be obfuscated while non-homenet IPs will be
left visible.  Perfect for posting to your favorite security mailing list!
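As an added illustration (not code from the Snort sources or from this manual), the following Python models how the -h home-net and -O switches described above interact: the decode directory is named after the host outside the home network, and once -h is set, obfuscation masks only home-net addresses. The fallback to the source address when both or neither side is inside the home network, or when no -h was given, is an assumption of this example, not something the page states.

```python
from ipaddress import ip_address, ip_network
from typing import Optional


def in_home_net(addr: str, home_net: Optional[str]) -> bool:
    """True when addr falls inside the -h CIDR block (always False without -h)."""
    return home_net is not None and ip_address(addr) in ip_network(home_net, strict=False)


def foreign_host(src: str, dst: str, home_net: Optional[str]) -> str:
    """Address the decode directory is named after: the side outside home_net.
    Assumption (not stated on the page): with no -h, or when both or neither
    side is in home_net, the source address is used."""
    if in_home_net(src, home_net) and not in_home_net(dst, home_net):
        return dst
    return src


def display_addr(addr: str, home_net: Optional[str], obfuscate: bool) -> str:
    """-O rendering: without -h every address becomes xxx.xxx.xxx.xxx; with -h
    only home-net addresses are masked and foreign ones stay visible."""
    if obfuscate and (home_net is None or in_home_net(addr, home_net)):
        return "xxx.xxx.xxx.xxx"
    return addr


def log_dir(log_root: str, src: str, dst: str, home_net: Optional[str]) -> str:
    """Directory a decoded packet lands in (log_root is the -l directory)."""
    return f"{log_root}/{foreign_host(src, dst, home_net)}"


def header_line(src: str, dst: str, home_net: Optional[str], obfuscate: bool) -> str:
    """One 'src -> dst' line as it would be printed to the screen or log file."""
    return f"{display_addr(src, home_net, obfuscate)} -> {display_addr(dst, home_net, obfuscate)}"


if __name__ == "__main__":
    # Constructed sample: internal host 192.168.1.10 talking to external 10.0.0.5
    HOME = "192.168.1.0/24"
    print(log_dir("/var/log/snort", "192.168.1.10", "10.0.0.5", HOME))
    print(header_line("192.168.1.10", "10.0.0.5", HOME, obfuscate=True))
```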
.IP -p
Turn off promiscuous mode sniffing.
.IP "-q"
Quiet operation.  Don't display the banner and initialization information.
.IP "-r tcpdump-file"
Read the tcpdump-formatted file 
.IR tcpdump-file .
This will cause Snort to read and process the file fed to it.  This is
useful if, for instance, you've got a bunch of SHADOW files that you want to 
process for content, or even if you've got a bunch of reassembled packet
fragments which have been written into a tcpdump formatted file.
.IP -s
Send alert messages to syslog.  On Linux boxen they will appear in
/var/log/secure; on many other platforms they appear in /var/log/messages.
.IP "-S n=v"
Set variable name "n" to value "v".  This is useful for setting the value of a
defined variable name in a Snort rules file to a command line specified value.
For instance, if you define a HOME_NET variable name inside of a Snort rules
file, you can override its predefined value at the command line.
.IP "-t chroot-dir"
Change Snort's root directory to 
.I chroot-dir
after initialization.
.IP "-u UID"
Change the UID Snort runs under to 
.I UID
after initialization.
.IP -v
Be verbose.  Prints packets out to the console.  There is one big problem with
verbose mode: it's slow.  If you are doing IDS work with Snort, don't use the
-v switch, you WILL drop packets.
.IP -V
Show the version number and exit.
.IP -X
Dump the raw packet bytes starting at the link layer.  This will do a raw byte
dump of the entire packet along with byte offset reference numbers and the
decoded ASCII data from the payload.
.IP -?
Show the program usage statement and exit.
.IP "\fIexpression\fP"
.RS
selects which packets will be dumped.  If no \fIexpression\fP
is given, all packets on the net will be dumped.  Otherwise,
only packets for which \fIexpression\fP is `true' will be dumped.
.LP
The \fIexpression\fP consists of one or more
.IR primitives .
Primitives usually consist of an
.I id
(name or number) preceded by one or more qualifiers.  There are three
different kinds of qualifier:
.IP \fItype\fP
qualifiers say what kind of thing the id name or number refers to.
Possible types are
.BR host ,
.B net
and
.BR port .
E.g., `host foo', `net 128.3', `port 20'.  If there is no type
qualifier,
.B host
is assumed.
.IP \fIdir\fP
qualifiers specify a particular transfer direction to and/or from
.IR id .
Possible directions are
.BR src ,
.BR dst ,
.B "src or dst"
and
.B "src and"
.BR dst .
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.  If
there is no dir qualifier,
.B "src or dst"
is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the
.B inbound
and
.B outbound
qualifiers can be used to specify a desired direction.
.IP \fIproto\fP
qualifiers restrict the match to a particular protocol.  Possible
protos are:
.BR ether ,
.BR fddi ,
.BR ip ,
.BR arp ,
.BR rarp ,
.BR decnet ,
.BR lat ,
.BR sca ,
.BR moprc ,
.BR mopdl ,
.B tcp
and
.BR udp .
E.g., `ether src foo', `arp net 128.3', `tcp port 21'.  If there is
no proto qualifier, all protocols consistent with the type are
assumed.  E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
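The qualifier defaults above can be made mechanical. This added Python example (not part of the manual, Snort or tcpdump) rewrites a single primitive with every implicit qualifier spelled out, following the rules just given: host when no type is named, src or dst when no direction is named, and the protocols consistent with the type when no proto is named. Writing the type explicitly in the output (so `src foo` becomes `(ip or arp or rarp) src host foo`) is a presentation choice of this example.

```python
# Protocol qualifiers listed in the manual; fddi is treated as an alias for ether.
PROTOS = {"ether", "fddi", "ip", "arp", "rarp", "decnet", "lat", "sca",
          "moprc", "mopdl", "tcp", "udp"}
# Protocols assumed for each type when no proto qualifier is given
# (the expansions the page gives for `src foo`, `net bar` and `port 53`).
DEFAULT_PROTO = {"host": "(ip or arp or rarp)",
                 "net": "(ip or arp or rarp)",
                 "port": "(tcp or udp)"}
# Direction qualifiers, longest forms first so `src or dst` is not read as `src`.
DIRS = ("src or dst", "src and dst", "src", "dst", "inbound", "outbound")


def expand_primitive(prim: str) -> str:
    """Return prim as `proto dir type id` with all implicit qualifiers filled in."""
    rest = " ".join(prim.split())
    proto = None
    first, _, after = rest.partition(" ")
    if first in PROTOS:
        proto = "ether" if first == "fddi" else first
        rest = after
    direction = "src or dst"                     # assumed when no dir qualifier
    for d in DIRS:
        if rest == d or rest.startswith(d + " "):
            direction, rest = d, rest[len(d):].strip()
            break
    typ = "host"                                 # assumed when no type qualifier
    first, _, after = rest.partition(" ")
    if first in DEFAULT_PROTO:
        typ, rest = first, after
    if not rest:
        raise ValueError(f"no id in primitive: {prim!r}")
    if proto is None:
        proto = DEFAULT_PROTO[typ]               # protocols consistent with the type
    return f"{proto} {direction} {typ} {rest}"


if __name__ == "__main__":
    for p in ("src foo", "net bar", "port 53", "tcp port 21", "ether src foo"):
        print(f"{p:14} -> {expand_primitive(p)}")
```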
.LP
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.''  FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields.  FDDI headers also contain other fields,
but you cannot name them explicitly in a filter expression.]
.LP
In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
.BR gateway ,
.BR broadcast ,
.BR less ,
.B greater
and arithmetic expressions.  All of these are described below.
.LP
More complex filter expressions are built up by using the words
.BR and ,
.B or
and