Snort Cheat Sheet

Snort can operate in three main modes: 1) Sniffer mode - Sniff packets and output them to standard output or log files. Various options allow viewing packet headers, payloads, and formatting. 2) NIDS mode - Use a configuration file and rules to process captured packets and generate alerts. Options specify the config file, testing rules, and alert output. 3) Logger mode - Log packets to files in tcpdump format. Options specify the log directory and format.

Uploaded by Ihsan Ibrahim

Sniffer Mode
Sniff packets and send them to standard output as a dump.
  -v    (verbose) Display output on the screen
  -e    Display link layer headers
  -d    Display packet data payload
  -X    Display the full packet with headers in HEX format

Output default directory: /var/snort/log

Packet Logger Mode
Write the captured packets to a log file.
  -l (directory name)    Log to a directory in tcpdump file format
  -K ASCII               Log output in ASCII format
  -r                     Read back the log file content using snort

NIDS Mode
Use the specified file as the config file and apply its rules to process captured packets.
  -c    Define the configuration file path
  -T    Test the configuration file, including the rules

Logger Mode command line options
  -l logdir    Log packets in tcpdump format
  -K ASCII     Log in ASCII format

NIDS Mode Options
  Define a configuration file                     -c (Configuration file name)
  Check the rule syntax and format for accuracy   -T -c (Configuration file name)
  Alternate alert modes                           -A (Mode: Full, Fast, None, Console)
  Alert to syslog                                 -s
  Print alert information                         -v
  Send SMB alert to PC                            -M (PC name or IP address)
  ASCII log mode                                  -K
  No logging                                      -N
  Run in background                               -D
  Listen on a specific network interface          -i

Snort Rules Format
Rule Header + (Rule Options)
Rule Header: Action - Protocol - Source/Destination IPs - Source/Destination Ports - Direction of the flow

Alert Example
  alert udp !10.1.1.0/24 any -> 10.2.0.0/24 any

Actions
  alert, log, pass, activate, dynamic, drop, reject, sdrop

Protocols
  TCP, UDP, ICMP, IP

Snort Rule Example
  log tcp !10.1.1.0/24 any -> 10.1.1.100 (msg: "ftp access";)
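As an added example (not part of the cheat sheet or of Snort itself), a small Python parser that splits a rule into the header fields listed above and its option keywords, rejecting unknown actions, protocols or directions and any header that does not have all seven fields; the alert example parses, while the log example as written on the sheet is rejected because it lacks a destination port. It is a simplified parser: option values containing ';' inside quotes are not handled.

```python
import re
from dataclasses import dataclass, field

# Vocabulary from the cheat sheet: rule actions, protocols and flow directions
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

@dataclass
class Rule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    src_negated: bool = False
    dst_negated: bool = False
    options: dict = field(default_factory=dict)

def _strip_negation(token):
    # A leading '!' negates the address, as in !10.1.1.0/24
    return (token[1:], True) if token.startswith("!") else (token, False)

def parse_rule(text):
    # Rule Header + (Rule Options): everything before the first '(' is the header
    header, _, opts = text.strip().partition("(")
    fields = header.split()
    # Header layout: action protocol src_ip src_port direction dst_ip dst_port
    if len(fields) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(fields)}: {fields}")
    action, proto, src_ip, src_port, direction, dst_ip, dst_port = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction {direction!r}")
    src_ip, src_neg = _strip_negation(src_ip)
    dst_ip, dst_neg = _strip_negation(dst_ip)
    options = {}
    if opts:
        if not opts.rstrip().endswith(")"):
            raise ValueError("rule options are not closed with ')'")
        # 'keyword: value;' pairs; quotes around a value (msg) are dropped
        for key, value in re.findall(r'(\w+)\s*:\s*"?(.*?)"?\s*;', opts.rstrip()[:-1]):
            options[key] = value
    return Rule(action, proto, src_ip, src_port, direction, dst_ip, dst_port,
                src_neg, dst_neg, options)
```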
