Table Of Contents

1 Snort Overview
1.1 Getting Started
1.2 Sniffer Mode
1.3 Packet Logger Mode
1.4 Network Intrusion Detection System Mode
1.4.1 NIDS Mode Output Options
1.4.2 Understanding Standard Alert Output
1.4.3 High Performance Configuration
1.4.4 Changing Alert Order
1.5 Inline Mode
1.5.1 Snort Inline Rule Application Order
1.5.2 New STREAM4 Options for Use with Snort Inline
1.5.3 Replacing Packets with Snort Inline
1.5.4 Installing Snort Inline
1.5.5 Running Snort Inline
1.5.6 Using the Honeynet Snort Inline Toolkit
1.5.7 Troubleshooting Snort Inline
1.6 Miscellaneous
1.6.1 Running in Daemon Mode
1.6.2 Obfuscating IP Address Printouts
1.6.3 Specifying Multiple-Instance Identifiers
1.7 Reading Pcaps
1.7.1 Command line arguments
1.7.2 Examples
1.8 Tunneling Protocol Support
1.8.1 Multiple Encapsulations
1.8.2 Logging
1.9 More Information
2 Configuring Snort
2.0.1 Includes
2.0.2 Variables
2.0.3 Config
2.1 Preprocessors
2.1.1 Frag3
2.1.2 Stream4
2.1.3 Flow
2.1.4 Stream5
2.1.5 sfPortscan
2.1.6 RPC Decode
2.1.7 Performance Monitor
2.1.8 HTTP Inspect
2.1.9 SMTP Preprocessor
2.1.10 FTP/Telnet Preprocessor
2.1.11 SSH
2.1.12 DCE/RPC
2.1.13 DNS
2.1.14 SSL/TLS
2.1.15 ARP Spoof Preprocessor
2.2 Decoder and Preprocessor Rules
2.2.1 Configuring
2.2.2 Reverting to original behavior
2.2.3 Suppression and Thresholding
2.3 Event Thresholding
2.4 Performance Profiling
2.4.1 Rule Profiling
2.4.2 Preprocessor Profiling
2.4.3 Packet Performance Monitoring (PPM)
2.5 Output Modules
2.5.1 alert_syslog
2.5.2 alert_fast
2.5.3 alert_full
2.5.4 alert_unixsock
2.5.5 log_tcpdump
2.5.6 database
2.5.7 csv
2.5.8 unified
2.5.9 unified2
2.5.11 log_null
2.6 Host Attribute Table
2.6.1 Configuration Format
2.6.2 Attribute Table File Format
2.7 Dynamic Modules
2.7.1 Format
3 Writing Snort Rules
3.1 The Basics
3.2 Rules Headers
3.2.1 Rule Actions
3.2.2 Protocols
3.2.3 IP Addresses
3.2.4 Port Numbers
3.2.5 The Direction Operator
3.2.6 Activate/Dynamic Rules
3.3 Rule Options
3.4 General Rule Options
3.4.1 msg
3.4.2 reference
3.4.3 gid
3.4.4 sid
3.4.5 rev
3.4.6 classtype
3.4.7 priority
3.4.9 General Rule Quick Reference
3.5 Payload Detection Rule Options
3.5.1 content
3.5.2 nocase
3.5.3 rawbytes
3.5.4 depth
3.5.5 offset
3.5.6 distance
3.5.7 within
3.5.8 http_client_body
3.5.9 http_uri
3.5.10 uricontent
3.5.11 urilen
3.5.12 isdataat
3.5.13 pcre
3.5.14 byte_test
3.5.15 byte_jump
3.5.16 ftpbounce
3.5.17 asn1
3.5.18 cvs
3.5.19 Payload Detection Quick Reference
3.6 Non-Payload Detection Rule Options
3.6.1 fragoffset
3.6.2 ttl
3.6.3 tos
3.6.4 id
3.6.5 ipopts
3.6.6 fragbits
3.6.7 dsize
3.6.8 flags
3.6.9 flow
3.6.10 flowbits
3.6.11 seq
3.6.12 ack
3.6.13 window
3.6.14 itype
3.6.15 icode
3.6.16 icmp_id
3.6.17 icmp_seq
3.6.18 rpc
3.6.19 ip_proto
3.6.20 sameip
3.6.21 stream_size
3.6.22 Non-Payload Detection Quick Reference
3.7 Post-Detection Rule Options
3.7.1 logto
3.7.2 session
3.7.3 resp
3.7.4 react
3.7.5 tag
3.7.6 activates
3.7.7 activated_by
3.7.8 count
3.7.9 Post-Detection Quick Reference
3.8 Event Thresholding
3.8.1 Standalone Options
3.8.2 Standalone Format
3.8.3 Rule Keyword Format
3.8.4 Rule Keyword Format
3.8.5 Examples
3.9 Event Suppression
3.9.1 Format
3.9.2 Examples
3.10 Snort Multi-Event Logging (Event Queue)
3.10.1 Event Queue Configuration Options
3.10.2 Event Queue Configuration Examples
3.11 Writing Good Rules
3.11.1 Content Matching
3.11.2 Catch the Vulnerability, Not the Exploit
3.11.3 Catch the Oddities of the Protocol in the Rule
3.11.4 Optimizing Rules
3.11.5 Testing Numerical Values
4 Making Snort Faster
4.1 MMAPed pcap
5 Dynamic Modules
5.1 Data Structures
5.1.1 DynamicPluginMeta
5.1.2 DynamicPreprocessorData
5.1.3 DynamicEngineData
5.1.4 SFSnortPacket
5.1.5 Dynamic Rules
5.2 Required Functions
5.2.1 Preprocessors
5.2.2 Detection Engine
5.2.3 Rules
5.3 Examples
5.3.1 Preprocessor Example
5.3.2 Rules
6 Snort Development
6.1 Submitting Patches
6.2 Snort Data Flow
6.2.1 Preprocessors
6.2.2 Detection Plugins
6.2.3 Output Plugins
6.3 The Snort Team
snort_manual

Published by: Luis Riobueno on Feb 19, 2011
Copyright: Attribution Non-commercial