Table Of Contents

Snort Overview
1.1 Getting Started
1.2 Sniffer Mode
1.3 Packet Logger Mode
1.4 Network Intrusion Detection System Mode
1.4.1 NIDS Mode Output Options
1.4.2 Understanding Standard Alert Output
1.4.3 High Performance Configuration
1.4.4 Changing Alert Order
1.5 Packet Acquisition
1.5.1 Configuration
1.5.2 PCAP
1.6.2 Examples
1.7 Basic Output
1.7.1 Timing Statistics
1.7.2 Packet I/O Totals
1.7.3 Protocol Statistics
1.8 Tunneling Protocol Support
1.8.1 Multiple Encapsulations
1.8.2 Logging
1.9 Miscellaneous
1.9.1 Running Snort as a Daemon
1.9.2 Running in Rule Stub Creation Mode
1.9.3 Obfuscating IP Address Printouts
1.9.4 Specifying Multiple-Instance Identifiers
1.9.5 Snort Modes
1.10 More Information
Configuring Snort
2.1 Includes
2.1.1 Format
2.1.2 Variables
2.1.3 Config
2.2.1 Frag3
2.2.2 Stream5
2.2.3 sfPortscan
2.2.4 RPC Decode
2.2.5 Performance Monitor
2.2.6 HTTP Inspect
2.2.7 SMTP Preprocessor
2.2.8 POP Preprocessor
2.2.9 IMAP Preprocessor
2.2.10 FTP/Telnet Preprocessor
2.2.11 SSH
2.2.12 DNS
2.2.13 SSL/TLS
2.2.14 ARP Spoof Preprocessor
2.2.15 DCE/RPC 2 Preprocessor
2.2.16 Sensitive Data Preprocessor
2.2.17 Normalizer
2.2.18 SIP Preprocessor
2.2.19 Reputation Preprocessor
2.3 Decoder and Preprocessor Rules
2.3.1 Configuring
2.3.2 Reverting to original behavior
2.4 Event Processing
2.4.1 Rate Filtering
2.4.2 Event Filtering
2.4.3 Event Suppression
2.4.4 Event Logging
2.5 Performance Profiling
2.5.1 Rule Profiling
2.5.2 Preprocessor Profiling
2.5.3 Packet Performance Monitoring (PPM)
2.6 Output Modules
2.6.1 alert syslog
2.6.2 alert fast
2.6.3 alert full
2.6.4 alert unixsock
2.6.5 log tcpdump
2.6.6 database
2.6.7 csv
2.6.8 unified
2.6.9 unified 2
2.6.10 alert prelude
2.6.11 log null
2.6.12 alert aruba action
2.6.13 Log Limits
2.7 Host Attribute Table
2.7.1 Configuration Format
2.7.2 Attribute Table File Format
2.7.3 Attribute Table Example
2.8 Dynamic Modules
2.8.1 Format
2.8.2 Directives
2.9 Reloading a Snort Configuration
2.9.1 Enabling support
2.9.2 Reloading a configuration
2.9.3 Non-reloadable configuration options
Reloadable configuration options of note:
Non-reloadable configuration options of note:
2.10 Multiple Configurations
2.10.1 Creating Multiple Configurations
2.10.2 Configuration Specific Elements
2.10.3 How Configuration is applied?
2.11 Active Response
2.11.1 Enabling Active Response
2.11.2 Configure Sniping
2.11.3 Flexresp
2.11.4 React
2.11.5 Rule Actions
Writing Snort Rules
3.1 The Basics
3.2 Rules Headers
3.2.1 Rule Actions
3.2.2 Protocols
3.2.3 IP Addresses
3.2.4 Port Numbers
3.2.5 The Direction Operator
3.2.6 Activate/Dynamic Rules
3.3 Rule Options
3.4 General Rule Options
3.4.1 msg
3.4.2 reference
3.4.3 gid
3.4.4 sid
3.4.5 rev
3.4.6 classtype
3.4.7 priority
3.4.8 metadata
3.4.9 General Rule Quick Reference
3.5 Payload Detection Rule Options
3.5.1 content
3.5.2 nocase
3.5.3 rawbytes
3.5.4 depth
3.5.5 offset
3.5.6 distance
3.5.7 within
3.5.8 http client body
3.5.9 http cookie
3.5.10 http raw cookie
3.5.11 http header
3.5.12 http raw header
3.5.13 http method
3.5.14 http uri
3.5.15 http raw uri
3.5.16 http stat code
3.5.17 http stat msg
3.5.18 http encode
3.5.19 fast pattern
3.5.20 uricontent
3.5.21 urilen
3.5.22 isdataat
3.5.23 pcre
3.5.24 pkt data
3.5.25 file data
3.5.26 base64 decode
3.5.27 base64 data
3.5.28 byte test
3.5.29 byte jump
3.5.30 byte extract
3.5.31 ftpbounce
3.5.32 asn1
3.5.33 cvs
3.5.34 dce iface
3.5.35 dce opnum
3.5.36 dce stub data
3.5.37 sip method
3.5.38 sip stat code
3.5.39 sip header
3.5.40 sip body
3.5.41 ssl version
3.5.42 ssl state
3.5.43 Payload Detection Quick Reference
3.6 Non-Payload Detection Rule Options
3.6.1 fragoffset
3.6.2 ttl
3.6.3 tos
3.6.4 id
3.6.5 ipopts
3.6.6 fragbits
3.6.7 dsize
3.6.8 flags
3.6.9 flow
3.6.10 flowbits
3.6.11 seq
3.6.12 ack
3.6.13 window
3.6.14 itype
3.6.15 icode
3.6.16 icmp id
3.6.17 icmp seq
3.6.18 rpc
3.6.19 ip proto
3.6.20 sameip
3.6.21 stream reassemble
3.6.22 stream size
3.6.23 Non-Payload Detection Quick Reference
3.7 Post-Detection Rule Options
3.7.1 logto
3.7.2 session
3.7.3 resp
3.7.4 react
3.7.5 tag
3.7.6 activates
3.7.7 activated by
3.7.8 count
3.7.9 replace
3.7.10 detection filter
3.9.5 Testing Numerical Values
Dynamic Modules
4.1 Data Structures
4.1.1 DynamicPluginMeta
4.1.2 DynamicPreprocessorData
4.1.3 DynamicEngineData
4.1.4 SFSnortPacket
4.1.5 Dynamic Rules
4.2.2 Detection Engine
4.2.3 Rules
4.3 Examples
4.3.1 Preprocessor Example
4.3.2 Rules
Snort Development
5.1 Submitting Patches
5.2 Snort Data Flow
5.2.1 Preprocessors
5.2.2 Detection Plugins
5.2.3 Output Plugins
5.3 The Snort Team
Snort Manual
Published by: ndhoang on Oct 03, 2011
Copyright:Attribution Non-commercial