			HOW TO USE SNORT!

Snort really isn't very hard to use, but there are a lot of command line
options to play with, and it's not always obvious which ones go together well.
This file aims to make using Snort even easier for new users.

First, let's start with the basics.  If you just want to print out the packet
headers to the screen, try this:

./snort -v

This command will run Snort and just show the IP and TCP/UDP/ICMP headers,
nothing else.  If you want to see the decoded application layer, try the
following:

./snort -vd

This instructs Snort to display the packet data as well as the headers.  If you
want an even more descriptive display, showing the Ethernet headers too, do this:

./snort -vde

(As an aside, these switches may be divided up or smashed together in any
combination.  The last command could also be typed out as:

./snort -d -v -e

and it would do the same thing.)

Ok, all of these commands are pretty cool, but it doesn't actually log any
packets to the disk at this point.  In order to do that, you need to specify a
logging directory:

./snort -dev -l ./log

Of course, this assumes you have a directory named "log" in the current
directory.

If you just specify a plain "-l" switch, you may notice that Snort sometimes
uses the address of the remote computer as the directory in which it places
packets, and sometimes it uses the local host address.  In order to log
relative to the home network, you need to tell Snort which network is the home
network:

./snort -dev -l ./log -h 192.168.1.0/24

This command tells Snort that you want to print out the Ethernet headers and the
application data into the directory ./log, and you want to log the packets
relative to the 192.168.1.0 class C network.  All incoming packets will be
recorded into subdirectories of the log directory, with the directory names
being based on the address of the remote (non-192.168.1) host.  Note that if
both hosts are on the home network, then they are recorded based upon the host
with the higher of the two port numbers, or in the case of a tie, the source
address.
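The directory-selection rule described above, written out as a small model so the behaviour can be checked against sample packets.  This is an added example, not Snort's own code: the Packet type, the log_subdir() function and the sample addresses are constructed here, and the handling of a packet where neither side is on the home network (falling back to the same higher-port rule) is an assumption, since the text only covers the one-side and both-sides cases.

```python
"""Model of Snort's "-h" logging-directory choice (added example, not Snort code).

Rule from the text: name the per-host log subdirectory after the remote
(non-home-network) host.  If both hosts are on the home network, use the
host with the higher port; on a tie, use the source address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just enough of a packet to decide the log directory (constructed type)."""
    src: str
    sport: int
    dst: str
    dport: int


def log_subdir(pkt: Packet, home_net: str) -> str:
    """Return the host address Snort would use as the log subdirectory name."""
    home = ipaddress.ip_network(home_net, strict=False)
    src_home = ipaddress.ip_address(pkt.src) in home
    dst_home = ipaddress.ip_address(pkt.dst) in home

    # Exactly one side is on the home network: log under the remote side.
    if src_home and not dst_home:
        return pkt.dst
    if dst_home and not src_home:
        return pkt.src

    # Both sides on the home network: the side with the higher port wins,
    # and a tie goes to the source address.  (Assumption: the same rule is
    # applied when neither side is on the home network; the text does not
    # say what happens then.)
    if pkt.sport > pkt.dport:
        return pkt.src
    if pkt.dport > pkt.sport:
        return pkt.dst
    return pkt.src


# Constructed sample traffic for a 192.168.1.0/24 home network.
HOME = "192.168.1.0/24"
SAMPLES = [
    Packet("192.168.1.5", 40000, "10.0.0.9", 80),      # outbound to remote web server
    Packet("10.0.0.9", 80, "192.168.1.5", 40000),      # the reply, same remote host
    Packet("192.168.1.5", 40000, "192.168.1.7", 22),   # internal ssh, client has higher port
    Packet("192.168.1.5", 22, "192.168.1.7", 40000),   # internal ssh, reverse direction
    Packet("192.168.1.5", 53, "192.168.1.7", 53),      # internal, port tie -> source
]


def directory_map(samples=SAMPLES, home_net=HOME) -> dict:
    """Map each sample packet to the subdirectory it would land in."""
    return {pkt: log_subdir(pkt, home_net) for pkt in samples}


if __name__ == "__main__":
    for pkt, subdir in directory_map().items():
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  =>  ./log/{subdir}")
```

Both directions of the outbound web session land in the same remote-host directory, which is the point of giving Snort the home network: without "-h" the choice flips depending on which side sent the packet.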

If you want to use a rules file with all of these options (so that you don't
record every single packet sent down the wire), try this:

./snort -dev -l ./log -h 192.168.1.0/24 -c snort-lib

Where snort-lib is the name of your rules file.  This will apply the rules set
in the snort-lib file to each packet to decide if it should be logged or not.

One thing to note about the last command is that if Snort is going to be used in a
long term way as an IDS, the "-v" switch should be left off the command line
for the sake of speed.  The screen is a slow place to write to, and packets can
be dropped while writing to the display.

It's also not necessary to record the Ethernet headers for most applications,
so the way I generally use Snort in IDS mode is with the following switches:

./snort -d -h 192.168.1.0/24 -l ./log -c snort-lib

If you want to process a file generated by tcpdump (or the Shadow IDS), use
the options you normally would, but also the "-r" switch.  This will read
packets from the specified file instead of the network, which will allow
packets grabbed by tcpdump to be tested for content or anything else Snort can
detect with its rules set.  For example:

./snort -d -h 192.168.1.0/24 -l ./log -c snort-lib -r tcpdump_file

Some people don't like the default way in which Snort applies its rules to
packets, with the Alert rules applied first, then the Pass rules, and finally
the Log rules.  This sequence is somewhat counterintuitive, but it's a more
foolproof method than allowing the user to write a hundred alert rules and then
disable them all with an errant pass rule.  For people who know what they're
doing, the "-o" switch has been provided to change the default rule
application behavior to Pass rules, then Alert, then Log:

./snort -d -h 192.168.1.0/24 -l ./log -c snort-lib -o
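To make the "errant pass rule" point concrete, here is a small model of the two rule orders applied to the same ruleset.  This is an added example, not Snort's code: the Rule type, apply_rules(), the sample rules and the packets are constructed, and the rule that a packet is decided by the first matching rule in the first rule group that has a match is a modelling assumption.

```python
"""Model of Snort rule-application order (added example, not Snort code).

Default order: Alert, then Pass, then Log.
"-o" order:    Pass, then Alert, then Log.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_ORDER = ("alert", "pass", "log")
DASH_O_ORDER = ("pass", "alert", "log")     # what the "-o" switch selects


@dataclass
class Rule:
    action: str                         # "alert", "pass" or "log"
    match: Callable[[dict], bool]       # predicate over a decoded packet
    msg: str = ""


def apply_rules(pkt: dict, rules: List[Rule],
                order: Tuple[str, ...] = DEFAULT_ORDER) -> Optional[str]:
    """Return the action taken on pkt, or None if no rule matches.

    Groups are tried in `order`; within a group rules keep file order.  The
    first match in the first group that matches decides (modelling assumption).
    """
    for action in order:
        for rule in rules:
            if rule.action == action and rule.match(pkt):
                return "pass" if action == "pass" else f"{action}:{rule.msg}"
    return None


# Constructed ruleset: one content alert on web traffic, one over-broad pass
# rule that an administrator meant to apply only to known-good traffic, and a
# plain log rule.  The signature string is a placeholder, not a real pattern.
RULES = [
    Rule("alert", lambda p: p["dport"] == 80 and b"SUSPICIOUS-PATTERN" in p["payload"],
         "WEB placeholder signature"),
    Rule("pass", lambda p: p["dport"] == 80, "errant pass: all web traffic"),
    Rule("log", lambda p: p["dport"] == 23, "telnet session"),
]

# Constructed sample packets.
WEB_HIT = {"dport": 80, "payload": b"GET /SUSPICIOUS-PATTERN HTTP/1.0"}
WEB_OK = {"dport": 80, "payload": b"GET /index.html HTTP/1.0"}
TELNET = {"dport": 23, "payload": b"login: "}


def compare_orders(pkt: dict) -> Tuple[Optional[str], Optional[str]]:
    """(default-order result, -o result) for one packet."""
    return apply_rules(pkt, RULES), apply_rules(pkt, RULES, DASH_O_ORDER)


if __name__ == "__main__":
    for name, pkt in (("web hit", WEB_HIT), ("web ok", WEB_OK), ("telnet", TELNET)):
        default, dash_o = compare_orders(pkt)
        print(f"{name:8} default={default!s:32} -o={dash_o}")
```

With the default order the alert still fires on the matching web packet and the pass rule only suppresses the benign web traffic; with "-o" the broad pass rule is consulted first and silences the alert as well, which is exactly the failure the default order guards against.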

Finally (for now), if you want to send the alert messages to syslog, you may
use the "-s" switch.  Do it thusly:

./snort -d -h 192.168.1.0/24 -l ./log -c snort-lib -s

When alerts are generated, they will appear in the syslog instead of the alert
file.

Well, that's about it for now.  If you have any further questions about using
Snort, drop me an e-mail at roesch@clark.net

Marty Roesch
6/21/99


UPDATE 9/17/99

Performance configuration!  If you want Snort to go *fast* (like keep up with a
100 Mbps net fast) use the "-b" and "-A fast" or "-s" (syslog) options.  This
will log packets in tcpdump format and produce minimal alerts.  For example:

./snort -b -A fast -c snort-lib

In this configuration, Snort has been able to log multiple simultaneous probes
and attacks on a 100 Mbps LAN running at a saturation level of approximately
80 Mbps.  In this configuration the logs are written in binary format to the
snort.log tcpdump-formatted file.  To read this file back and break out the
data in the familiar Snort format, just rerun Snort on the data file with the
"-r" option and the other options you would normally use.  For example:

./snort -d -c snort-lib -l ./log -h 192.168.1.0/24 -r snort.log

Once this is done running, all of the data will be sitting in the log directory
in its normal decoded format.  Cool, eh?
