Snort Cheatsheet

This document provides a summary of commands for using the Snort intrusion detection and prevention system in different modes:
- Sniffer mode commands sniff network traffic, with options to display packet details.
- Logger mode commands specify logging options such as the log file path or log format.
- IDS/IPS mode runs Snort with a configuration file to detect intrusions and can send alerts to the console, to a file, or nowhere.
- PCAP processing commands load pcap files for offline analysis and can show the processed file names.
- Global commands display version information or select an interface.

SNORT 101

Global Commands

Display version:
snort -V
snort --version
Quiet mode; do not display the banner and status report:
snort -q
Use a specific interface:
snort -i eth0
Sniffer Mode

Verbose mode:
snort -v
Display link-layer headers:
snort -e
Display data payload:
snort -d
Display full packet details in HEX:
snort -X
Multiple flag usage. Display all packet details:
snort -eX
Sniff "N" number of packets:
snort -v -n 10

Logger Mode

Default log path:
/var/log/snort
Use an alternative log path:
snort -v -l /home/username/Desktop
Log in ASCII format:
snort -v -K ASCII
Read a Snort log file (pcap format):
snort -v -r snort.log
Read "N" number of packets from a log file:
snort -v -r snort.log -n 10
Filter packets with "Berkeley Packet Filters" (BPF):
snort -v -r snort.log tcp
snort -v -r snort.log 'udp and port 53'

IDS/IPS Mode

Use configuration file:
snort -c /etc/snort/snort.conf
Test instance and configuration file (validates the configuration and rules, then exits without processing traffic; run this before deploying a changed rule set):
snort -c /etc/snort/snort.conf -T
Disable logging:
snort -c /etc/snort/snort.conf -N
Run Snort in background (daemon mode):
snort -c /etc/snort/snort.conf -D
Alert mode 1 | No output:
snort -c /etc/snort/snort.conf -v -A none
Alert mode 2 | Console output 1:
snort -c /etc/snort/snort.conf -v -A console
Alert mode 2 | Console output 2:
snort -c /etc/snort/snort.conf -v -A cmg
Alert mode 3 | File output 1 (one line per alert):
snort -c /etc/snort/snort.conf -v -A fast
Alert mode 3 | File output 2 (full packet headers with each alert):
snort -c /etc/snort/snort.conf -v -A full
Use a rules file without a configuration file (the rules file is loaded as the configuration, so variables such as $HOME_NET are undefined unless the rules file defines them):
snort -c /etc/snort/rules/local.rules -v -A console

PCAP Processing

Process a single pcap file (-q suppresses the banner and statistics, so only alerts reach the console):
snort -c /etc/snort/snort.conf -q -r file.pcap -A console
Process multiple pcap files:
snort -c /etc/snort/snort.conf -q --pcap-list="file1.pcap file2.pcap" -A console
Process pcaps from a folder:
snort -c /etc/snort/snort.conf -q --pcap-dir=/home/pcap-folder -A console
Show the name of each processed pcap:
snort -c /etc/snort/snort.conf -q --pcap-list="file1.pcap file2.pcap" -A console --pcap-show
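The -A fast mode above writes one line per alert to the alert file. The following Python is an added example, not Snort's code and not part of the cheat sheet: it parses such lines into fields and counts alerts per sid and per source address, which is the first thing a triage script does with that file. The three alert lines inside it are constructed to follow the alert_fast layout (timestamp, [gid:sid:rev], message, optional classification, priority, protocol, source -> destination) and are not real output; ICMP alerts carry no ports, which the parser handles. IPv6 addresses, which contain colons, are not handled.

```python
"""Parse Snort 2 fast-alert lines (as written by -A fast) and summarise them.
Added example, not part of the cheat sheet; the sample lines are constructed
to follow the alert_fast layout and are not real alerts."""
import re
from collections import Counter

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"  # only present when the rule has a classtype
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"  # the port is absent for ICMP alerts
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return a dict of alert fields, or None when the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    port = lambda v: int(v) if v is not None else None
    return {
        "timestamp": g["ts"],
        "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"], "classification": g["cls"], "priority": int(g["pri"]),
        "proto": g["proto"],
        "src": g["src"], "sport": port(g["sport"]),
        "dst": g["dst"], "dport": port(g["dport"]),
    }


def parse_fast_alerts(text):
    """Parse every non-empty line; returns (alerts, lines that did not parse)."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_fast_alert(line)
        if parsed is None:
            unparsed.append(line)
        else:
            alerts.append(parsed)
    return alerts, unparsed


def count_by_sid(alerts):
    """How many times each rule (sid) fired."""
    return Counter(a["sid"] for a in alerts)


def top_sources(alerts, n=5):
    """Most frequent source addresses as (address, count) pairs."""
    return Counter(a["src"] for a in alerts).most_common(n)


# Constructed sample alert file contents (not real Snort output)
SAMPLE_FAST_ALERTS = """\
03/16-14:02:35.123456  [**] [1:100001:1] Directory Traversal Attempt! [**] [Priority: 0] {TCP} 203.0.113.9:51234 -> 10.10.0.5:80
03/16-14:02:36.000001  [**] [1:100001:1] Directory Traversal Attempt! [**] [Priority: 0] {TCP} 203.0.113.9:51240 -> 10.10.0.5:80
03/16-14:05:10.500000  [**] [1:100002:2] ICMP Echo Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 10.10.0.5
this line is not an alert
"""

if __name__ == "__main__":
    alerts, unparsed = parse_fast_alerts(SAMPLE_FAST_ALERTS)
    for sid, n in count_by_sid(alerts).most_common():
        print(f"sid {sid}: {n} alert(s)")
    print("top sources:", top_sources(alerts), "| unparsed lines:", len(unparsed))
```

Point parse_fast_alerts at the contents of the alert file in the log directory (/var/log/snort by default) to run it on real output; lines that do not parse are returned separately rather than silently dropped, so a format change is noticed.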
Snort Rule Breakdown

Rule Header:  Action | Protocol | Source IP | Source Port | Direction | Destination IP | Destination Port
Rule Options: General Rule Options | Payload Detection Rule Options | Non-Payload Detection Rule Options | Post-Detection Rule Options

Snort rules are composed of two logical parts:

Rule Header: This part contains network-based information: action, protocol, source and destination IP addresses, port numbers, and traffic direction.

Rule Options: This part contains packet-based investigation details: message, reference, flow and content.

Example Rule
Alert rule for possible "Directory Traversal Attempt" detection. Modifiers such as nocase and fast_pattern apply to the content keyword immediately before them, so they are written after it:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"Directory Traversal Attempt!";
    flow:established;
    content:"HTTP"; nocase; fast_pattern;
    content:"|2E 2E 2F|";
    content:"/..";
    session:all;
    reference:CVE,XXX;
    sid:100001; rev:1;
)

Rule Header
Action            alert          Tells Snort what to do on a rule match.
Protocol          tcp            Protocol to be analysed. Supported protocols: TCP, UDP, ICMP, IP.
Source IP         $EXTERNAL_NET  Source IP addresses.
Source Port       any            Source ports.
Direction         ->             Direction operator; identifies the orientation of the traffic.
Destination IP    $HOME_NET      Destination IP addresses.
Destination Port  $HTTP_PORTS    Destination ports.

General Rule Options
Message           msg            Message displayed on a rule match.
Reference         reference      Additional information or a reference for the rule.
Rule ID           sid            Unique rule number.
Revision          rev            Revision information for the rule.

Non-Payload Detection Rule Options
Flow              flow           TCP stream direction and state (here: established).

Payload Detection Rule Options
Content           content        Filter the payload data and look for an exact match; |..| encloses hex bytes (|2E 2E 2F| is "../").
Nocase            nocase         Disables case sensitivity for the preceding content match.
Fast-pattern      fast_pattern   Marks the preceding content as the one the fast pattern matcher uses to pre-filter packets, which speeds up the payload search; useful when a rule has multiple content options.

Post-Detection Rule Options
Session           session        Extract user data from TCP sessions.
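The breakdown above describes a rule as a header followed by an ordered list of options. The following Python is an added example, not Snort's own parser and not part of the cheat sheet: it splits a rule into those header fields and options, checks that nocase and fast_pattern follow a content option (Snort rejects a rule where they do not), decodes |hex| content, and runs the content/nocase matches against two constructed HTTP requests. It models only the content, nocase and fast_pattern keywords (no offset/depth/distance/within, and flow and session are parsed but not evaluated); the rule text is the one from the table and the sample payloads are invented.

```python
"""Parse a Snort 2 rule into header and options, check modifier placement and
run its content matches against a payload. Added example, not Snort's own
parser: only content, nocase and fast_pattern are modelled (no offset/depth)."""
import re
from collections import namedtuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}  # Snort 2 rule actions
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
SnortRule = namedtuple(
    "SnortRule", "action protocol src_ip src_port direction dst_ip dst_port options")


def split_options(body):
    """Split the text inside ( ... ) on ';', honouring quotes and backslash escapes."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("last option is not terminated with ';'")
    pairs = [opt.partition(":") for opt in opts if opt]
    return [(kw.strip(), val.strip() if sep else None) for kw, sep, val in pairs]


def parse_rule(text):
    """Split a rule into its header fields and an ordered list of (keyword, value)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("text does not look like a Snort rule")
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    return SnortRule(action, proto, sip, sport, direction, dip, dport, split_options(body))


def option_value(rule, keyword):
    """First value of the given option keyword, or None."""
    return next((v for k, v in rule.options if k == keyword), None)


def decode_content(value):
    """Turn "|2E 2E 2F|" or "/.." into the bytes Snort searches for; returns (bytes, negated)."""
    s = value.strip()
    negated = s.startswith("!")
    s = s[1:] if negated else s
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        raise ValueError(f"content value must be double-quoted: {value}")
    parts = s[1:-1].split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content value: {value}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:  # inside |...|: hex bytes, whitespace between them is optional
            out += bytes.fromhex(part)
        else:  # literal text; a backslash escapes the next character (; " | \)
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out), negated


def content_patterns(rule):
    """Pair each content with the modifiers that follow it; returns (patterns, errors)."""
    patterns, errors, current = [], [], None
    for kw, val in rule.options:
        if kw == "content":
            pattern, negated = decode_content(val)
            current = {"pattern": pattern, "negated": negated, "nocase": False, "fast_pattern": False}
            patterns.append(current)
        elif kw in ("nocase", "fast_pattern"):
            if current is None:  # modifier before any content: Snort rejects such a rule
                errors.append(f"{kw} must follow a content option")
            else:
                current[kw] = True
    return patterns, errors


def content_matches(rule, payload):
    """True when every content pattern in the rule is satisfied by the payload."""
    patterns, errors = content_patterns(rule)
    if errors:
        raise ValueError("; ".join(errors))
    for p in patterns:
        hay, needle = (payload.lower(), p["pattern"].lower()) if p["nocase"] else (payload, p["pattern"])
        if (needle in hay) == p["negated"]:  # a negated content must be absent
            return False
    return True


# The cheat sheet's rule, with each modifier placed after the content it applies to
EXAMPLE_RULE = """alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"Directory Traversal Attempt!"; flow:established;
    content:"HTTP"; nocase; fast_pattern; content:"|2E 2E 2F|"; content:"/..";
    session:all; reference:CVE,XXX; sid:100001; rev:1;)"""
# Constructed sample payloads, not captured traffic
TRAVERSAL_REQUEST = b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    rule = parse_rule(EXAMPLE_RULE)
    print(rule.action, rule.protocol, rule.src_ip, rule.src_port, rule.direction, rule.dst_ip, rule.dst_port)
    print("sid", option_value(rule, "sid"), "| traversal:", content_matches(rule, TRAVERSAL_REQUEST),
          "| benign:", content_matches(rule, BENIGN_REQUEST))
```

content_patterns reports a misplaced modifier instead of guessing which content it belongs to, which is the check to run on a hand-written rule before feeding it to snort -T; the matcher is deliberately simpler than Snort's (every content is searched over the whole payload), so a match here says the bytes are present, not that Snort would necessarily alert.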

https://tryhackme.com/room/snort
