Contents
Snort Overview
Getting Started
Sniffer Mode
Packet Logger Mode
Network Intrusion Detection System Mode
NIDS Mode Output Options
Understanding Standard Alert Output
High Performance Configuration
Changing Alert Order
Packet Acquisition
Configuration
PCAP
AFPACKET
NFQ
IPQ
IPFW
Dump
Statistics Changes
Reading Pcaps
Command line arguments
Examples
Basic Output
Timing Statistics
Packet I/O Totals
Protocol Statistics
Actions, Limits, and Verdicts
Tunneling Protocol Support
Multiple Encapsulations
Logging
Miscellaneous
Running Snort as a Daemon
Running in Rule Stub Creation Mode
Obfuscating IP Address Printouts
Specifying Multiple-Instance Identifiers
Snort Modes
Control socket
Configure signal value
More Information
Configuring Snort
Includes
Format
Variables
Config
Preprocessors
Frag3
Stream5
sfPortscan
RPC Decode
Performance Monitor
HTTP Inspect
SMTP Preprocessor
POP Preprocessor
IMAP Preprocessor
FTP/Telnet Preprocessor
SSH
DNS
SSL/TLS
ARP Spoof Preprocessor
DCE/RPC 2 Preprocessor
Sensitive Data Preprocessor
Normalizer
SIP Preprocessor
Reputation Preprocessor
GTP Decoder and Preprocessor
Modbus Preprocessor
DNP3 Preprocessor
Decoder and Preprocessor Rules
Configuring
Reverting to original behavior
Event Processing
Rate Filtering
Event Filtering
Event Suppression
Event Logging
Performance Profiling
Rule Profiling
Preprocessor Profiling
Packet Performance Monitoring (PPM)
Output Modules
alert_syslog
alert_fast
alert_full
alert_unixsock
log_tcpdump
csv
unified
unified 2
log null
Log Limits
Host Attribute Table
Configuration Format
Attribute Table File Format
Attribute Table Example
Dynamic Modules
Format
Directives
Reloading a Snort Configuration
Enabling support
Reloading a configuration
Non-reloadable configuration options
Multiple Configurations
Creating Multiple Configurations
Configuration Specific Elements
How Configuration is Applied
Active Response
Enabling Active Response
Configure Sniping
Flexresp
React
Rule Actions
Writing Snort Rules
The Basics
Rules Headers
Rule Actions
Protocols
IP Addresses
Port Numbers
The Direction Operator
Activate/Dynamic Rules
Rule Options
General Rule Options
msg
reference
gid
sid
rev
classtype
priority
metadata
General Rule Quick Reference
Payload Detection Rule Options
content
nocase
rawbytes
depth
offset
distance
within
http_client_body
http_cookie
http_raw_cookie
http_header
http_raw_header
http_method
http_uri
http_raw_uri
http_stat_code
http_stat_msg
http_encode
fast_pattern
uricontent
urilen
isdataat
pcre
pkt_data
file_data
base64_decode
base64_data
byte_test
byte_jump
byte_extract
ftpbounce
asn1
cvs
dce_iface
dce_opnum
dce_stub_data
sip_method
sip_stat_code
sip_header
sip_body
gtp_type
gtp_info
gtp_version
ssl_version
ssl_state
Payload Detection Quick Reference
Non-Payload Detection Rule Options
fragoffset
ttl
tos
id
ipopts
fragbits
dsize
flags
flow
flowbits
seq
ack
window
itype
icode
icmp_id
icmp_seq
rpc
ip_proto
sameip
stream_reassemble
stream_size
Non-Payload Detection Quick Reference
Post-Detection Rule Options
logto
session
resp
react
tag
activates
activated_by
count
replace
detection_filter
Post-Detection Quick Reference
Rule Thresholds
Writing Good Rules
Content Matching
Catch the Vulnerability, Not the Exploit
Catch the Oddities of the Protocol in the Rule
Optimizing Rules
Testing Numerical Values
Dynamic Modules
Data Structures
DynamicPluginMeta
DynamicPreprocessorData
DynamicEngineData
SFSnortPacket
Dynamic Rules
Required Functions
Preprocessors
Detection Engine
Rules
Examples
Preprocessor Example
Rules
Snort Development
Submitting Patches
Snort Data Flow
Preprocessors
Detection Plugins
Output Plugins
Unified2 File Format
Serial Unified2 Header
Unified2 Packet
Unified2 IDS Event
Unified2 IDS Event IP6
Unified2 IDS Event (Version 2)
Unified2 IDS Event IP6 (Version 2)
Unified2 Extra Data
Description of Fields
The Snort Team
Bibliography
Eugene Misnik 2013-05-08