Snort Cheatsheet

This document provides a summary of commands for using the Snort intrusion detection and prevention system in different modes:
- Sniffer mode commands are for sniffing network traffic, including options to display packet details.
- Logger mode commands specify logging options like the log file path or log format.
- IDS/IPS mode runs Snort using a configuration file to detect intrusions and can output alerts to the console or log files.
- PCAP processing commands allow loading pcap files to analyze captured network traffic offline.
- Global commands display version information or set options like the network interface.

Uploaded by Gaétan NG

SNORT 101

Global Commands

Display the version:
snort -V
snort --version

Quiet mode; do not display the version banner and status report:
snort -q

Use a specific interface:
snort -i eth0

Sniffer Mode

Verbose mode; print packet headers to the console:
snort -v

Display link-layer headers:
snort -e

Display the data payload:
snort -d

Display full packet details in hex (link layer through payload):
snort -X

Multiple flags combined; display all packet details:
snort -eX

Sniff "N" packets, then exit:
snort -v -n 10

Logger Mode

Default log path:
/var/log/snort

Use an alternative log path:
snort -v -l /home/username/Desktop

Log in ASCII format (human-readable, one directory per address) instead of the default binary pcap format:
snort -v -K ASCII

Read a Snort log file (Snort appends a Unix timestamp to the file name, e.g. snort.log.<timestamp>, so use the actual name):
snort -v -r snort.log

Read "N" packets from a log file:
snort -v -r snort.log -n 10

Filter packets with Berkeley Packet Filters (BPF); the filter is given as the trailing argument and works when sniffing live as well as when reading a file:
snort -v -r snort.log tcp
snort -v -r snort.log 'udp and port 53'

IDS/IPS Mode

Use a configuration file:
snort -c /etc/snort/snort.conf

Test the instance and configuration file (validate the configuration and rules, report, and exit without starting detection):
snort -c /etc/snort/snort.conf -T

Disable packet logging (alerts are still generated):
snort -c /etc/snort/snort.conf -N

Run Snort in the background (daemon mode):
snort -c /etc/snort/snort.conf -D

Alert mode 1 | No output:
snort -c /etc/snort/snort.conf -v -A none

Alert mode 2 | Console output 1 (one line per alert):
snort -c /etc/snort/snort.conf -v -A console

Alert mode 2 | Console output 2 (alert plus packet headers and payload, "cmg" style):
snort -c /etc/snort/snort.conf -v -A cmg

Alert mode 3 | File output 1 (one line per alert, written to the alert file in the log directory):
snort -c /etc/snort/snort.conf -v -A fast

Alert mode 3 | File output 2 (alert with full packet headers, written to the log directory):
snort -c /etc/snort/snort.conf -v -A full

Use a rule file directly, without a configuration file:
snort -c /etc/snort/rules/local.rules -v -A console
Caveat: because snort.conf is not read, any $VARIABLE the rules reference (such as $HOME_NET, $EXTERNAL_NET or $HTTP_PORTS) must be defined with ipvar/portvar in the loaded file, or Snort will refuse to load the rule.

PCAP Processing

Process a single pcap file:
snort -c /etc/snort/snort.conf -q -r file.pcap -A console

Process multiple pcap files:
snort -c /etc/snort/snort.conf -q --pcap-list="file1.pcap file2.pcap" -A console

Process all pcaps in a folder:
snort -c /etc/snort/snort.conf -q --pcap-dir=/home/pcap-folder -A console

Show the name of each pcap as it is processed:
snort -c /etc/snort/snort.conf -q --pcap-list="file1.pcap file2.pcap" -A console --pcap-show
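The console and fast alert modes above emit one line per alert, which is the output a SOC usually has to triage. The following Python script is an added example, not part of the original cheat sheet or of Snort: it parses such lines into fields and counts them per signature and per source. The alert lines are constructed for the example and follow the one-line layout Snort 2 prints for -A fast / -A console; the regex, the function names and the IPv4-only endpoint splitting are this example's own assumptions.

```python
"""Parse Snort 2 fast-format alert lines (-A fast / -A console) and summarize them.

Added example; the alert lines at the bottom are constructed, not real Snort output.
"""
import re
from collections import Counter

# Layout assumed for one alert per line:
#   mm/dd-hh:mm:ss.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
# The Classification block is absent when the rule has no classtype.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(endpoint):
    """'10.10.10.5:80' -> ('10.10.10.5', 80); ICMP endpoints carry no port.

    Assumes IPv4 literals: an IPv6 address contains ':' itself and would need
    its own handling.
    """
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line):
    """Return a dict of alert fields, or None when the line is not a fast-format alert."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "timestamp": m["ts"],
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["classification"],  # None for rules without a classtype
        "priority": int(m["priority"]),
        "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(lines):
    """Count alerts per (sid, msg) and per source IP; lines that do not parse are counted as skipped."""
    by_signature, by_source, skipped = Counter(), Counter(), 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            skipped += 1
            continue
        by_signature[(alert["sid"], alert["msg"])] += 1
        by_source[alert["src_ip"]] += 1
    return by_signature, by_source, skipped


# Constructed sample: three alerts plus one status line that is not an alert.
SAMPLE_ALERTS = """\
10/21-13:21:18.123456  [**] [1:100001:1] Directory Traversal Attempt! [**] [Priority: 0] {TCP} 192.168.1.10:44321 -> 10.10.10.5:80
10/21-13:21:19.654321  [**] [1:100001:1] Directory Traversal Attempt! [**] [Priority: 0] {TCP} 192.168.1.10:44322 -> 10.10.10.5:80
10/21-13:22:02.000001  [**] [1:1000002:3] ICMP Ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 10.10.10.5
Commencing packet processing (pid=4242)
""".splitlines()


if __name__ == "__main__":
    by_signature, by_source, skipped = summarize(SAMPLE_ALERTS)
    for (sid, msg), n in by_signature.most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for ip, n in by_source.most_common():
        print(f"{n:4d}  from {ip}")
    print(f"{skipped} non-alert line(s) skipped")
```

Feed it the alert file from the log directory (or the console output piped through it) to get a quick per-signature and per-source tally; lines that are not alerts, such as Snort's own status messages, are counted and skipped rather than crashing the run.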
Snort Rule Breakdown

Rule Header: Action | Protocol | Source IP | Source Port | Direction | Destination IP | Destination Port
Rule Options: General Rule Options | Payload Detection Rule Options | Non-Payload Detection Rule Options | Post-Detection Rule Options

Snort rules are composed of two logical parts:

Rule Header: contains network-based information; action, protocol, source and destination IP addresses, port numbers, and traffic direction.

Rule Options: contains packet-based investigation details; message, reference, flow and content.

Example Rule
Alert rule for possible "Directory Traversal Attempt" detection:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"Directory Traversal Attempt!";
    flow:established;
    content:"HTTP"; nocase; fast_pattern;
    content:"|2E 2E 2F|"; content:"/..";
    session:all;
    reference:CVE,XXX;
    sid:100001; rev:1;)

nocase and fast_pattern are modifiers of the content option immediately before them, so they are placed after content:"HTTP", not before it. |2E 2E 2F| is the hex form of "../".

Rule Header

Field            | Value in example | Description
Action           | alert            | Tells Snort what to do on a rule match (alert, log, pass, drop, reject, sdrop).
Protocol         | tcp              | Protocol to be analysed. Supported protocols: TCP, UDP, ICMP, IP.
Source IP        | $EXTERNAL_NET    | Source IP addresses.
Source Port      | any              | Source ports.
Direction        | ->               | Direction operator; identifies the orientation of the traffic (-> one way, <> both ways).
Destination IP   | $HOME_NET        | Destination IP addresses.
Destination Port | $HTTP_PORTS      | Destination ports.

General Rule Options

Field     | Keyword   | Description
Message   | msg       | Message displayed on a rule match.
Reference | reference | Additional information or an external reference for the rule.
Rule ID   | sid       | Unique rule number.
Revision  | rev       | Revision information for the rule.

Non-Payload Detection Rule Options

Field | Keyword | Description
Flow  | flow    | TCP stream direction and state (for example, established).

Payload Detection Rule Options

Field        | Keyword      | Description
Content      | content      | Filter the payload data and look for an exact match (text or |hex| bytes).
Nocase       | nocase       | Make the preceding content match case-insensitive.
Fast pattern | fast_pattern | Mark the preceding content as the pattern the fast pattern matcher pre-filters on, to speed up the payload search; useful when a rule has multiple content options (by default Snort picks the longest content).

Post-Detection Rule Options

Field   | Keyword | Description
Session | session | Extract user data from TCP sessions.
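To make the header/options split concrete, the following Python script is an added example (not part of the original cheat sheet and not Snort's own code): it parses a Snort 2 rule into the seven header fields and an ordered list of options, then runs two sanity checks that correspond to ways a rule fails to load. The checks, the keyword sets and the function names are this example's own assumptions; the rule text is the cheat sheet's example, plus a second variant that places nocase before any content option to show the modifier-order check firing, and SNORT_CONF_VARS stands in for the variables snort.conf normally defines.

```python
"""Parse a Snort 2 rule into header fields and options, then sanity-check it.

Added example. The two checks mirror problems that stop a rule from loading:
a content modifier with no content before it, and a $VARIABLE left undefined
because snort.conf was not loaded.
"""
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Keywords that modify the most recent content option and are meaningless without one.
CONTENT_MODIFIERS = {"nocase", "fast_pattern", "depth", "offset", "distance", "within", "rawbytes"}
# Stand-in for the ipvar/portvar definitions that snort.conf provides (assumption).
SNORT_CONF_VARS = {"$EXTERNAL_NET", "$HOME_NET", "$HTTP_PORTS"}


@dataclass
class Rule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # [(keyword, value or None), ...] in rule order

    def variables(self):
        """Header fields that are $VARIABLES and must be defined elsewhere."""
        return {f for f in (self.src_ip, self.src_port, self.dst_ip, self.dst_port) if f.startswith("$")}


def split_options(body):
    """Split the text inside the parentheses on ';', ignoring ';' within double quotes."""
    items, current, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        prev = ch
    tail = "".join(current).strip()
    if tail:                      # tolerate a last option without its ';'
        items.append(tail)
    options = []
    for item in items:
        if not item:
            continue
        keyword, sep, value = item.partition(":")
        options.append((keyword.strip(), value.strip().strip('"') if sep else None))
    return options


def parse_rule(text):
    """Parse one rule (possibly spread over several lines) into a Rule."""
    text = text.replace("\n", " ").strip()
    header, paren, body = text.partition("(")
    if not paren or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in ( ... )")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(fields)}: {header!r}")
    action, protocol, src_ip, src_port, direction, dst_ip, dst_port = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    return Rule(action, protocol, src_ip, src_port, direction, dst_ip, dst_port, split_options(body[:-1]))


def check_rule(rule, defined_vars=frozenset()):
    """Return a list of problems; an empty list means the rule passed these checks."""
    problems = []
    for var in sorted(rule.variables() - set(defined_vars)):
        problems.append(f"undefined variable {var}: define it with ipvar/portvar or load snort.conf")
    keywords = [kw for kw, _ in rule.options]
    seen_content = False
    for kw in keywords:
        if kw == "content":
            seen_content = True
        elif kw in CONTENT_MODIFIERS and not seen_content:
            problems.append(f"{kw} must follow a content option")
    for required in ("msg", "sid"):
        if required not in keywords:
            problems.append(f"missing {required}")
    return problems


EXAMPLE_RULE = """alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"Directory Traversal Attempt!"; flow:established;
    content:"HTTP"; nocase; fast_pattern; content:"|2E 2E 2F|"; content:"/..";
    session:all; reference:CVE,XXX; sid:100001; rev:1;)"""

# Same rule with nocase placed before the first content option: a common mistake.
MISORDERED_RULE = EXAMPLE_RULE.replace('content:"HTTP"; nocase;', 'nocase; content:"HTTP";')

if __name__ == "__main__":
    for name, text in (("example", EXAMPLE_RULE), ("misordered", MISORDERED_RULE)):
        rule = parse_rule(text)
        print(name, rule.action, rule.protocol, rule.src_ip, rule.src_port, rule.direction, rule.dst_ip, rule.dst_port)
        print("  with snort.conf vars:", check_rule(rule, SNORT_CONF_VARS) or "ok")
        print("  rule file alone:    ", check_rule(rule) or "ok")
```

Running it shows the example rule passing when the snort.conf variables are available and failing with three undefined-variable problems when they are not, which is exactly the situation created by loading local.rules with -c and no configuration file; the misordered variant additionally reports that nocase has no content to modify.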

https://tryhackme.com/room/snort
