Difference between revisions of "Snort modes"
(Created page with "=Various snort modes= Snort can be used in three different modes: *Sniffing - <tt>-v</tt> - In this mode snort just sniffs the packets and displays relevant information on sc...") |
m |
||
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Security tools]] > [[Snort configuration]] > [[Snort modes|Various snort modes]] | |||
Snort can be used in three different modes: | Snort can be used in three different modes: | ||
Line 77: | Line 77: | ||
snort -c /etc/snort/snort.conf | snort -c /etc/snort/snort.conf | ||
</pre> | </pre> | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Security tools]] > [[Snort configuration]] > [[Snort modes|Various snort modes]] |
Latest revision as of 15:51, 24 March 2022
Home > CentOS > CentOS 6.x > Security tools > Snort configuration > Various snort modes
Snort can be used in three different modes:
- Sniffing - -v - In this mode snort just sniffs the packets and displays relevant information on screen.
- Logging - -l - In this mode snort logs packets in log files. We can use these log files for analysis later on. We can also use '-b' option to log in binary format (libpcap) format which can be used by wireshark / tcpdump etc.
- Network Intrusion Detection System (NIDS) - -c {snort_configuration_file} - In this mode snort uses set of rules and inspects packets for matching rules and takes action as specified in the rules.
We can combine more than one mode together to do NIDS, logging, etc. together.
Sniffing
We can use snort in sniffer mode by using command:
snort -v
This will display IP and TCP/UDP/ICMP headers.
If we want to see application data along with headers then we can use option '-d'
snort -v -d (OR snort -vd)
If we also want to see link layers headers then we can use option '-e'
snort -vde
Logging packets
We can log packets captured by snort using '-l' switch. To log packets we can use binary format (libpcap format) so that we can later read the captured packets using tcpdump, wireshark or even snort.
snort -l log -b
Here:
- '-b' is to specify that logs should be created in binary format. (libpcap format). It is not necessary to specify -b if we want the logs in snort specific format which can be read by snort later on.
- 'log' is name of log directory. This directory should be created before using the command.
Reading pcap files
To make snort process libpcap files instead of starting live capture we can use '-r' switch.
snort -vde -r log/<log_file_name>
Here:
- '-vde' is used to print headers on screen. They are not mandatory while reading packets from file.
- log file can be in pcap file format or snort specific binary format.
Specifying filters
We can specify packet filters for snort in the same way we specify for wireshark or tcpdump. For example we can use
snort -l log -b arp
to make snort log only arp packets. We can also use
snort -l log -b 'udp and port 53'
to make snort log only DNS queries/responses.
Here:
- '-b' is required only if log files should be generated in pcap format. We can also generate files in snort specific format which can be read only by snort.
- 'log' is name of directory where logs will be stored. We must create this directory before running the command.
Intrusion detection
We can run snort in intrusion detection mode using:
snort -c /etc/snort/snort.conf
Home > CentOS > CentOS 6.x > Security tools > Snort configuration > Various snort modes