Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS).
Basic Commands
- snort -V - Show version
- snort --version - Show version (alternative)
- snort -h - Show help/options
- snort -T - Test configuration (syntax check)
- snort -T -c <config> - Test specific config file
- snort -c <config> - Use specific config file
- snort -i <interface> - Run on interface
- snort -i eth0 -c <config> - Run on eth0 with config
- snort -l <dir> - Log to directory
- snort -r <pcap> - Read from pcap file
Alert Modes
- snort -A console - Console alert mode
- snort -A fast - Fast alert mode
- snort -A full - Full alert mode
- snort -A unsock - Unix socket alert mode
- snort -A none - No alerts
- snort -A cmg - CMG alert mode
- snort -A alert_json - JSON alert mode
- snort -q - Quiet mode (suppress banner)
Rule Writing
Rule Structure
action protocol src_ip src_port -> dst_ip dst_port ( options )
Example Rules
# Alert on HTTP traffic to the home network (rev added, as the Tips section recommends)
alert tcp any any -> 192.168.1.0/24 80 ( msg:"HTTP Traffic Detected"; flow:to_server,established; sid:100001; rev:1; )
# Alert on a possible port scan: 10 or more SYNs from one source within 60 seconds
alert tcp any any -> 192.168.1.0/24 any ( flags:S; msg:"Possible Port Scan"; threshold:type threshold, track by_src, count 10, seconds 60; sid:100002; rev:1; )
# Alert on ICMP echo request (type 8, code 0)
alert icmp any any -> any any ( msg:"ICMP Ping Detected"; icode:0; itype:8; sid:100003; rev:1; )
Rule Options
- msg:"text" - Alert message
- sid:number - Rule ID (must be unique)
- rev:number - Revision number
- content:"string" - Search for string in payload
- flags:S - TCP SYN flag
- flow:to_server,established - Flow direction and state
- threshold:type threshold, track by_src, count N, seconds M - Threshold
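As an added example (not part of this cheat sheet or of the Snort project), a small Python linter that parses rules in the header/options form shown above and enforces the tip about a unique sid plus a rev; it splits options on `;` only outside double quotes so a `content` match containing a semicolon is not cut in half. The sample rules are constructed from the page's own examples.

```python
import re
from collections import Counter

# Constructed sample: two rules from this page plus one that reuses sid 100001 and omits rev.
SAMPLE_RULES = r'''
# Alert on HTTP traffic
alert tcp any any -> 192.168.1.0/24 80 ( msg:"HTTP Traffic Detected"; flow:to_server,established; sid:100001; rev:1; )
alert icmp any any -> any any ( msg:"ICMP Ping Detected"; icode:0; itype:8; sid:100003; rev:1; )
alert tcp any any -> 192.168.1.0/24 any ( msg:"Semi; colon"; content:"a;b"; sid:100001; )
'''

HEADER_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
                       r'\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def split_options(body):
    """Split on ';' outside double quotes, so content:"a;b" stays intact."""
    opts, cur, quoted = [], '', False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(cur)
            cur = ''
        else:
            cur += ch
    opts.append(cur)
    pairs = [o.strip().partition(':') for o in opts if o.strip()]
    return [(k.strip(), v.strip()) for k, _, v in pairs]

def parse_rule(line):
    # Header fields become dict keys; options become an ordered (key, value) list.
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    rule = m.groupdict()
    rule['options'] = split_options(rule.pop('opts'))
    return rule

def lint_rules(text):
    """Report rules missing msg/sid/rev and sids used more than once (comments skipped)."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith('#')]
    problems, sids = [], Counter()
    for r in rules:
        opts = dict(r['options'])  # last value wins for repeated keys such as content
        sids[opts.get('sid', '?')] += 1
        problems += [f"sid {opts.get('sid', '?')}: missing {k}"
                     for k in ('msg', 'sid', 'rev') if k not in opts]
    problems += [f"sid {s}: used {n} times" for s, n in sids.items() if n > 1]
    return problems
```

Running `lint_rules(SAMPLE_RULES)` on the constructed sample flags the third rule for a missing rev and the reused sid 100001.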
Configuration
Config File Locations
- /etc/snort/snort.conf - Main config (Snort 2)
- /etc/snort/snort.lua - Main config (Snort 3)
- /etc/snort/rules/ - Rules directory
- /etc/snort/snort_defaults.lua - Defaults (Snort 3)
- ~/.snort/ - User config directory
Example snort.conf (Snort 2)
# Network variables
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# Include rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
Example snort.lua (Snort 3)
-- Network variables
HOME_NET = '192.168.1.0/24'
EXTERNAL_NET = '!$HOME_NET'  -- reference the variable with $, as in rules
-- Include rules
-- A Lua table cannot repeat the 'include' key, so list several files inside ips.rules
ips = {
    enable_builtin_rules = true,
    rules = [[
        include malware.rules
        include exploit.rules
    ]],
}
Include Rules
- Include single rule file: -R <file>
- Include rule directory: --rule-path <dir>
- Enable built-in rules: --lua 'ips.enable_builtin_rules = true'
Logging and Output
- snort -l /var/log/snort - Log to directory
- snort -r snort.log - Read from log file
- snort -r snort.log 'udp and port 53' - Read with BPF filter
- snort -K ascii - Log in ASCII mode
- snort -K pcap - Log in pcap mode
- snort -K none - No packet logging
Advanced Options
- snort -D - Run as daemon
- snort -d - Dump application layer
- snort -e - Show layer 2 headers
- snort -v - Verbose mode
- snort -X - Show raw packet data
- snort -N - Disable logging
- snort -s - Log alerts to syslog
- snort -S <n=v> - Set config variable n to value v
- snort -u <user> - Run as user
- snort -g <group> - Run as group
Configuration Conversion
- snort2lua -c snort.conf - Convert Snort 2 config to Snort 3 (Lua)
- snort2lua -c snort.conf -o output.lua - Convert with output file
Tips
- Use quiet mode (-q) when combining with alert modes (-A) to avoid clutter
- When writing rules, always include a unique sid and rev
- Test new or modified rules against pcaps before deployment
- Keep Snort and its rulesets updated - rulesets change frequently
- Monitor performance - many rules with deep payload inspection can increase load
- Use -T flag to test configuration before deploying
- Test rules with -r <pcap> to verify they work as expected
- Use BPF filters to reduce processing load on high-traffic networks
- Snort 3 uses Lua configuration, Snort 2 uses traditional config files
- Use threshold rules to reduce false positives from noisy alerts
- Organize rules into separate files by category for easier management
- Review alert logs regularly to tune rules and reduce false positives