Free and lightweight network intrusion detection system (NIDS) software (Command line tool)
snort command added to $PATH
Community Rules preloaded (not updated automatically)
config files in /opt/SNORT/etc
no auto launch, need to be set by yourself withing /opt/SNORT/SNORT.sh
[~] # snort --help
,,_ -*> Snort! <*-
o" )~ Version 188.8.131.52 GRE (Build 268)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.10.0-PRE-GIT (with TPACKET_V3)
Using PCRE version: 8.42 2018-03-20
Using ZLIB version: 1.2.11
USAGE: snort [-options]
-A Set alert mode: fast, full, console, test or none (alert file alerts only)
"unsock" enables UNIX socket logging (experimental).
-b Log packets in tcpdump format (much faster!)
-B Obfuscated IP addresses in alerts and packet dumps using CIDR mask
-c Use Rules File
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-f Turn off fflush() calls after binary log writes
-F Read BPF filters from file
-g Run snort gid as group (or gid) after initialization
-G <0xid> Log Identifier (to uniquely id events for multiple snorts)
-h Set home network =
(for use with -l or -B, does NOT change $HOME_NET in IDS mode)
-H Make hash tables deterministic.
-i Listen on interface
-I Add Interface name to alert output
-k Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K Logging mode (pcap[default],ascii,none)
-l Log to directory
-L Log to this tcpdump file
-M Log messages to syslog (not alerts)
-m Set umask =
-n Exit after receiving packets
-N Turn off logging (alerts still work)
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P Set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-Q Enable inline mode operation.
-r Read and process tcpdump file
-R Include 'id' in snort_intf.pid file name
-s Log alert messages to syslog
-S Set rules file variable n equal to value v
-t Chroots process to after initialization
-T Test and report on the current Snort configuration
-u Run snort uid as user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-X Dump the raw packet data starting at the link layer
-x Exit if Snort configuration problems occur
-y Include year in timestamp in the alert and log files
-Z Set the performonitor preprocessor file path and name
-? Show this information
are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
--logid <0xid> Same as -G
--perfmon-file Same as -Z
--pid-path Specify the directory for the Snort PID file
--snaplen Same as -P
--help Same as -?
--version Same as -V
--alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
--treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup
--treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline.
--process-all-events Process all queued events (drop, alert,...), default stops after 1st action group
--enable-inline-test Enable Inline-Test Mode Operation
--dynamic-engine-lib Load a dynamic detection engine
--dynamic-engine-lib-dir Load all dynamic engines from directory
--dynamic-detection-lib Load a dynamic rules library
--dynamic-detection-lib-dir Load all dynamic rules libraries from directory
--dump-dynamic-rules Creates stub rule files of all loaded rules libraries
--dynamic-preprocessor-lib Load a dynamic preprocessor library
--dynamic-preprocessor-lib-dir Load all dynamic preprocessor libraries from directory
--dynamic-output-lib Load a dynamic output library
--dynamic-output-lib-dir Load all dynamic output libraries from directory
--create-pidfile Create PID file, even when not in Daemon mode
--nolock-pidfile Do not try to lock Snort PID file
--no-interface-pidfile Do not include the interface name in Snort PID file
--disable-attribute-reload-thread Do not create a thread to reload the attribute table
--pcap-single Same as -r.
--pcap-file file that contains a list of pcaps to read - read mode is implied.
--pcap-list "" a space separated list of pcaps to read - read mode is implied.
--pcap-dir a directory to recurse to look for pcaps - read mode is implied.
--pcap-filter filter to apply when getting pcaps from file or directory.
--pcap-no-filter reset to use no filter when getting pcaps from file or directory.
--pcap-loop this option will read the pcaps specified on command line continuously.
for times. A value of 0 will read until Snort is terminated.
--pcap-reset if reading multiple pcaps, reset snort to post-configuration state before reading next pca p.
--pcap-reload if reading multiple pcaps, reload snort config between pcaps.
--pcap-show print a line saying what pcap is currently being read.
--exit-check Signal termination after callbacks from DAQ_Acquire(), showing the time it
takes from signaling until DAQ_Stop() is called.
--conf-error-out Same as -x
--enable-mpls-multicast Allow multicast MPLS
--enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds
--max-mpls-labelchain-len Specify the max MPLS label chain
--mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
--require-rule-sid Require that all snort rules have SID specified.
--daq Select packet acquisition module (default is pcap).
--daq-mode Select the DAQ operating mode.
--daq-var Specify extra DAQ configuration variable.
--daq-dir Tell snort where to find desired DAQ.
--daq-list[=] List packet acquisition modules available in dir. Default is static modules only.
--dirty-pig Don't flush packets and release memory on shutdown.
--cs-dir Directory to use for control socket.
--ha-peer Activate live high-availability state sharing with peer.
--ha-out Write high-availability events to this file.
--ha-in Read high-availability events from this file on startup (warm-start).
--suppress-config-log Suppress configuration information output.