Table Of Contents

1.1 Getting Started
1.2 Sniffer Mode
1.4.1 NIDS Mode Output Options
1.4.2 Understanding Standard Alert Output
1.4.3 High Performance Configuration
1.4.4 Changing Alert Order
1.5 Inline Mode
1.5.1 Snort Inline Rule Application Order
1.5.2 Replacing Packets with Snort Inline
1.5.3 Installing Snort Inline
1.5.4 Running Snort Inline
1.5.5 Using the Honeynet Snort Inline Toolkit
1.5.6 Troubleshooting Snort Inline
1.6 Miscellaneous
1.6.1 Running Snort as a Daemon
1.6.2 Running in Rule Stub Creation Mode
1.6.3 Obfuscating IP Address Printouts
1.6.4 Specifying Multiple-Instance Identifiers
1.7 Reading Pcaps
1.7.1 Command line arguments
1.7.2 Examples
1.8 Tunneling Protocol Support
1.8.1 Multiple Encapsulations
1.8.2 Logging
1.9 More Information
Configuring Snort
2.1 Includes
2.1.1 Format
2.1.2 Variables
2.1.3 Config
2.2 Preprocessors
2.2.1 Frag3
2.2.2 Stream5
2.2.3 sfPortscan
2.2.4 RPC Decode
2.2.5 Performance Monitor
2.2.6 HTTP Inspect
2.2.7 SMTP Preprocessor
2.2.8 FTP/Telnet Preprocessor
2.2.9 SSH
2.2.10 DCE/RPC
2.2.11 DNS
2.2.12 SSL/TLS
2.2.13 ARP Spoof Preprocessor
2.2.14 DCE/RPC 2 Preprocessor
2.2.15 Sensitive Data Preprocessor
2.3 Decoder and Preprocessor Rules
2.3.1 Configuring
2.3.2 Reverting to original behavior
2.4 Event Processing
2.4.1 Rate Filtering
2.4.2 Event Filtering
2.4.3 Event Suppression
2.4.4 Event Logging
2.5 Performance Profiling
2.5.1 Rule Profiling
2.5.2 Preprocessor Profiling
2.5.3 Packet Performance Monitoring (PPM)
2.6 Output Modules
2.6.1 alert syslog
2.6.2 alert fast
2.6.3 alert full
2.6.4 alert unixsock
2.6.5 log tcpdump
2.6.6 database
2.6.7 csv
2.6.8 unified
2.6.9 unified 2
2.6.10 alert prelude
2.6.11 log null
2.6.12 alert aruba action
2.6.13 Log Limits
2.7 Host Attribute Table
2.7.1 Configuration Format
2.7.2 Attribute Table File Format
2.8 Dynamic Modules
2.8.1 Format
2.8.2 Directives
2.9 Reloading a Snort Configuration
2.9.1 Enabling support
2.9.2 Reloading a configuration
2.9.3 Non-reloadable configuration options
Non-reloadable configuration options of note:
2.10 Multiple Configurations
2.10.1 Creating Multiple Configurations
2.10.2 Configuration Specific Elements
2.10.3 How Configuration is applied?
Writing Snort Rules
3.1 The Basics
3.2 Rules Headers
3.2.1 Rule Actions
3.2.2 Protocols
3.2.3 IP Addresses
3.2.4 Port Numbers
3.2.5 The Direction Operator
3.2.6 Activate/Dynamic Rules
3.3 Rule Options
3.4 General Rule Options
3.4.1 msg
3.4.2 reference
3.4.3 gid
3.4.4 sid
3.4.5 rev
3.4.6 classtype
3.4.7 priority
3.4.8 metadata
3.4.9 General Rule Quick Reference
3.5 Payload Detection Rule Options
3.5.1 content
3.5.2 nocase
3.5.3 rawbytes
3.5.4 depth
3.5.5 offset
3.5.6 distance
3.5.7 within
3.5.8 http client body
3.5.9 http cookie
3.5.10 http raw cookie
3.5.11 http header
3.5.12 http raw header
3.5.13 http method
3.5.14 http uri
3.5.15 http raw uri
3.5.16 http stat code
3.5.17 http stat msg
3.5.18 http encode
3.5.19 fast pattern
3.5.20 uricontent
3.5.21 urilen
3.5.22 isdataat
3.5.23 pcre
3.5.24 file data
3.5.25 byte test
3.5.26 byte jump
3.5.27 ftpbounce
3.5.28 asn1
3.5.29 cvs
3.5.30 dce iface
3.5.31 dce opnum
3.5.32 dce stub data
3.5.33 Payload Detection Quick Reference
3.6 Non-Payload Detection Rule Options
3.6.1 fragoffset
3.6.2 ttl
3.6.3 tos
3.6.4 id
3.6.5 ipopts
3.6.6 fragbits
3.6.7 dsize
3.6.8 flags
3.6.9 flow
3.6.10 flowbits
3.6.11 seq
3.6.12 ack
3.6.13 window
3.6.14 itype
3.6.15 icode
3.6.16 icmp id
3.6.17 icmp seq
3.6.18 rpc
3.6.19 ip proto
3.6.20 sameip
3.6.21 stream size
3.6.22 Non-Payload Detection Quick Reference
3.7 Post-Detection Rule Options
3.7.1 logto
3.7.2 session
3.7.3 resp
3.7.4 react
3.7.5 tag
3.7.6 activates
3.7.7 activated by
3.7.8 count
3.7.9 replace
3.7.10 detection filter
3.7.11 Post-Detection Quick Reference
3.8 Rule Thresholds
3.9 Writing Good Rules
3.9.1 Content Matching
3.9.2 Catch the Vulnerability, Not the Exploit
3.9.3 Catch the Oddities of the Protocol in the Rule
3.9.4 Optimizing Rules
3.9.5 Testing Numerical Values
4.1 MMAPed pcap
5.1 Data Structures
5.1.1 DynamicPluginMeta
5.1.2 DynamicPreprocessorData
5.1.3 DynamicEngineData
5.1.4 SFSnortPacket
5.1.5 Dynamic Rules
5.2 Required Functions
5.2.1 Preprocessors
5.2.2 Detection Engine
5.2.3 Rules
5.3 Examples
5.3.1 Preprocessor Example
5.3.2 Rules
6.1 Submitting Patches
6.2 Snort Data Flow
6.2.1 Preprocessors
6.2.2 Detection Plugins
6.2.3 Output Plugins
6.3 The Snort Team
Snort Manual 2.8.6
Published by: momitza on Aug 01, 2010
Copyright:Attribution Non-commercial