Contents

• 1. Snort Overview
  • 1.1 Getting Started
  • 1.2 Sniffer Mode
  • 1.3 Packet Logger Mode
  • 1.4 Network Intrusion Detection System Mode
    • 1.4.1 NIDS Mode Output Options
    • 1.4.2 Understanding Standard Alert Output
    • 1.4.3 High Performance Configuration
    • 1.4.4 Changing Alert Order
  • 1.5 Inline Mode
    • 1.5.1 Snort Inline Rule Application Order
    • 1.5.2 Replacing Packets with Snort Inline
    • 1.5.3 Installing Snort Inline
    • 1.5.4 Running Snort Inline
    • 1.5.5 Using the Honeynet Snort Inline Toolkit
    • 1.5.6 Troubleshooting Snort Inline
  • 1.6 Miscellaneous
    • 1.6.1 Running Snort as a Daemon
    • 1.6.2 Running in Rule Stub Creation Mode
    • 1.6.3 Obfuscating IP Address Printouts
    • 1.6.4 Specifying Multiple-Instance Identifiers
  • 1.7 Reading Pcaps
    • 1.7.1 Command line arguments
    • 1.7.2 Examples
  • 1.8 Tunneling Protocol Support
    • 1.8.1 Multiple Encapsulations
    • 1.8.2 Logging
  • 1.9 More Information
  
  
• 2. Configuring Snort
  • 2.1 Includes
    • 2.1.1 Format
    • 2.1.2 Variables
    • 2.1.3 Config
  • 2.2 Preprocessors
    • 2.2.1 Frag3
    • 2.2.2 Stream5
    • 2.2.3 sfPortscan
    • 2.2.4 RPC Decode
    • 2.2.5 Performance Monitor
    • 2.2.6 HTTP Inspect
    • 2.2.7 SMTP Preprocessor
    • 2.2.8 FTP/Telnet Preprocessor
    • 2.2.9 SSH
    • 2.2.10 DCE/RPC
    • 2.2.11 DNS
    • 2.2.12 SSL/TLS
    • 2.2.13 ARP Spoof Preprocessor
    • 2.2.14 DCE/RPC 2 Preprocessor
    • 2.2.15 Sensitive Data Preprocessor
  • 2.3 Decoder and Preprocessor Rules
    • 2.3.1 Configuring
    • 2.3.2 Reverting to original behavior
  • 2.4 Event Processing
    • 2.4.1 Rate Filtering
    • 2.4.2 Event Filtering
    • 2.4.3 Event Suppression
    • 2.4.4 Event Logging
  • 2.5 Performance Profiling
    • 2.5.1 Rule Profiling
    • 2.5.2 Preprocessor Profiling
    • 2.5.3 Packet Performance Monitoring (PPM)
  • 2.6 Output Modules
    • 2.6.1 alert_syslog
    • 2.6.2 alert_fast
    • 2.6.3 alert_full
    • 2.6.4 alert_unixsock
    • 2.6.5 log_tcpdump
    • 2.6.6 database
    • 2.6.7 csv
    • 2.6.8 unified
    • 2.6.9 unified 2
    • 2.6.10 alert_prelude
    • 2.6.11 log null
    • 2.6.12 alert_aruba_action
    • 2.6.13 Log Limits
  • 2.7 Host Attribute Table
    • 2.7.1 Configuration Format
    • 2.7.2 Attribute Table File Format
  • 2.8 Dynamic Modules
    • 2.8.1 Format
    • 2.8.2 Directives
  • 2.9 Reloading a Snort Configuration
    • 2.9.1 Enabling support
    • 2.9.2 Reloading a configuration
    • 2.9.3 Non-reloadable configuration options
  • 2.10 Multiple Configurations
    • 2.10.1 Creating Multiple Configurations
    • 2.10.2 Configuration Specific Elements
    • 2.10.3 How Configuration is applied?
  
  
• 3. Writing Snort Rules
  • 3.1 The Basics
  • 3.2 Rules Headers
    • 3.2.1 Rule Actions
    • 3.2.2 Protocols
    • 3.2.3 IP Addresses
    • 3.2.4 Port Numbers
    • 3.2.5 The Direction Operator
    • 3.2.6 Activate/Dynamic Rules
  • 3.3 Rule Options
  • 3.4 General Rule Options
    • 3.4.1 msg
    • 3.4.2 reference
    • 3.4.3 gid
    • 3.4.4 sid
    • 3.4.5 rev
    • 3.4.6 classtype
    • 3.4.7 priority
    • 3.4.8 metadata
    • 3.4.9 General Rule Quick Reference
  • 3.5 Payload Detection Rule Options
    • 3.5.1 content
    • 3.5.2 nocase
    • 3.5.3 rawbytes
    • 3.5.4 depth
    • 3.5.5 offset
    • 3.5.6 distance
    • 3.5.7 within
    • 3.5.8 http_client_body
    • 3.5.9 http_cookie
    • 3.5.10 http_raw_cookie
    • 3.5.11 http_header
    • 3.5.12 http_raw_header
    • 3.5.13 http_method
    • 3.5.14 http_uri
    • 3.5.15 http_raw_uri
    • 3.5.16 http_stat_code
    • 3.5.17 http_stat_msg
    • 3.5.18 http_encode
    • 3.5.19 fast_pattern
    • 3.5.20 uricontent
    • 3.5.21 urilen
    • 3.5.22 isdataat
    • 3.5.23 pcre
    • 3.5.24 file_data
    • 3.5.25 byte_test
    • 3.5.26 byte_jump
    • 3.5.27 ftpbounce
    • 3.5.28 asn1
    • 3.5.29 cvs
    • 3.5.30 dce_iface
    • 3.5.31 dce_opnum
    • 3.5.32 dce_stub_data
    • 3.5.33 ssl_version
    • 3.5.34 ssl_state
    • 3.5.35 Payload Detection Quick Reference
  • 3.6 Non-Payload Detection Rule Options
    • 3.6.1 fragoffset
    • 3.6.2 ttl
    • 3.6.3 tos
    • 3.6.4 id
    • 3.6.5 ipopts
    • 3.6.6 fragbits
    • 3.6.7 dsize
    • 3.6.8 flags
    • 3.6.9 flow
    • 3.6.10 flowbits
    • 3.6.11 seq
    • 3.6.12 ack
    • 3.6.13 window
    • 3.6.14 itype
    • 3.6.15 icode
    • 3.6.16 icmp_id
    • 3.6.17 icmp_seq
    • 3.6.18 rpc
    • 3.6.19 ip_proto
    • 3.6.20 sameip
    • 3.6.21 stream_size
    • 3.6.22 Non-Payload Detection Quick Reference
  • 3.7 Post-Detection Rule Options
    • 3.7.1 logto
    • 3.7.2 session
    • 3.7.3 resp
    • 3.7.4 react
    • 3.7.5 tag
    • 3.7.6 activates
    • 3.7.7 activated_by
    • 3.7.8 count
    • 3.7.9 replace
    • 3.7.10 detection_filter
    • 3.7.11 Post-Detection Quick Reference
  • 3.8 Rule Thresholds
  • 3.9 Writing Good Rules
    • 3.9.1 Content Matching
    • 3.9.2 Catch the Vulnerability, Not the Exploit
    • 3.9.3 Catch the Oddities of the Protocol in the Rule
    • 3.9.4 Optimizing Rules
    • 3.9.5 Testing Numerical Values
  
  
• 4. Making Snort Faster
  • 4.1 MMAPed pcap
  
  
• 5. Dynamic Modules
  • 5.1 Data Structures
    • 5.1.1 DynamicPluginMeta
    • 5.1.2 DynamicPreprocessorData
    • 5.1.3 DynamicEngineData
    • 5.1.4 SFSnortPacket
    • 5.1.5 Dynamic Rules
  • 5.2 Required Functions
    • 5.2.1 Preprocessors
    • 5.2.2 Detection Engine
    • 5.2.3 Rules
  • 5.3 Examples
    • 5.3.1 Preprocessor Example
    • 5.3.2 Rules
  
  
• 6. Snort Development
  • 6.1 Submitting Patches
  • 6.2 Snort Data Flow
    • 6.2.1 Preprocessors
    • 6.2.2 Detection Plugins
    • 6.2.3 Output Plugins
  • 6.3 The Snort Team
  
  
• Bibliography