Snort Version 126.96.36.199
by Martin Roesch and The Snort Team http://www.snort.org/snort/snort-team/
Distribution Site: http://www.snort.org
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 2001-2013 Sourcefire Inc.
Copyright (C) 1998-2001 Martin Roesch
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. You may not use, modify or distribute this program under any other version of the GNU General Public License.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Some of this code has been taken from tcpdump, which was developed by the Network Research Group at Lawrence Berkeley National Lab, and is copyrighted by the University of California Regents.
Snort is an open source network intrusion detection and prevention system. It is capable of performing real-time traffic analysis, alerting, blocking and packet logging on IP networks. It utilizes a combination of protocol analysis and pattern matching in order to detect anomalies, misuse and attacks.
Snort uses a flexible rules language to describe activity that can be considered malicious or anomalous as well as an analysis engine that incorporates a modular plugin architecture. Snort is capable of detecting and responding in real-time, sending alerts, performing session sniping, logging packets, or dropping sessions/packets when deployed in-line.
Snort has three primary functional modes. It can be used as a packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection and prevention system.
Please read the snort manual file that should be included with this distribution for full documentation on the program as well as a guide to getting started.
`snort -[options] <filters>`
Options: The full list of options supported is displayed using the option --help.
The "filters" are standard BPF style filters as seen in tcpdump. Look at the man page for snort for docs on how to use it properly. In general, you can give it a host, net or protocol to filter on and some logical statements to tie it together and get the specific traffic you're interested in. For example:
`[zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1`
records the traffic to and from host 192.168.1.1.
`[zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1`
records all traffic on the 192.168.1.0/24 class C subnet, but not traffic to/from 192.168.1.1. Notice that the command line data specified after the "-h" switch is formatted differently from the BPF commands provided at the end of the command line. Sorry for the confusion, but I like the CIDR notation and I'm not rewriting libpcap to make it consistent! Anyway, you get the picture. Mail me if you have trouble with it.
You can use the -F switch to read your BPF filters in from a file.
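To see exactly which packets the two filter expressions above select, here is an added Python evaluator for the `host`/`net`/`and`/`or`/`not` subset of BPF syntax they use. It is example code written for this README, not part of Snort or libpcap; the packet addresses it is run on are constructed sample values.

```python
import ipaddress

def bpf_net(spec):
    """Turn a BPF net spec ("192.168.1" or "192.168.1.0/24") into an ip_network.
    A dotted prefix with fewer than four octets is padded with zeros, as BPF does."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + "/%d" % (8 * len(octets)))

def matches(filter_expr, src, dst):
    """Return True if a packet with addresses src/dst satisfies filter_expr.
    Grammar (BPF subset): expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | 'host' ADDR | 'net' NET."""
    tokens = filter_expr.split()
    pos = 0
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def factor():
        kind = take()
        if kind == "not":
            return not factor()
        arg = take()
        if kind == "host":           # either endpoint is the host
            h = ipaddress.ip_address(arg)
            return src_ip == h or dst_ip == h
        if kind == "net":            # either endpoint lies in the network
            n = bpf_net(arg)
            return src_ip in n or dst_ip in n
        raise ValueError("unsupported BPF token: %s" % kind)

    def term():
        result = factor()
        while peek() == "and":
            take()
            result = factor() and result   # evaluate first so tokens are consumed
        return result

    def expr():
        result = term()
        while peek() == "or":
            take()
            result = term() or result
        return result

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter: %s" % " ".join(tokens[pos:]))
    return result
```

Note that `host` and `net` match on either endpoint, which is why the second filter needs `and not host 192.168.1.1` to drop traffic both to and from that address.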
NOTE: The "official" rules document these days is available in the snort_manual.pdf in the distro. If you don't have this file in your distribution of Snort, you can get it from here.
Please read the USAGE file or the snort_manual.pdf for more info!