Scribd Logo
Upload

Welcome to Scribd!

  • Snort Cheatsheet 1647445722

    Uploaded by

    Cafenet Spy
    19 views2 pages
    This document provides a summary of commands for using the Snort intrusion detection and prevention system in different modes: - Sniffer mode commands are for sniffing network traffic including options to display packet details. - Logger mode commands specify logging options like the log file path or log format. - IDS/IPS mode runs Snort using a configuration file to detect intrusions and can output alerts to the console, file, or none. - PCAP processing commands allow loading pcap files to analyze offline and show processed file names. - Global commands display version information or specify interfaces.

    Original Description:

    Snort cheatsheet

    Original Title

    Snort_Cheatsheet_1647445722

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides a summary of commands for using the Snort intrusion detection and prevention system in different modes: - Sniffer mode commands are for sniffing network traffic including options to display packet details. - Logger mode commands specify logging options like the log file path or log format. - IDS/IPS mode runs Snort using a configuration file to detect intrusions and can output alerts to the console, file, or none. - PCAP processing commands allow loading pcap files to analyze offline and show processed file names. - Global commands display version information or specify interfaces.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    19 views2 pages

    Snort Cheatsheet 1647445722

    Uploaded by

    Cafenet Spy
    This document provides a summary of commands for using the Snort intrusion detection and prevention system in different modes: - Sniffer mode commands are for sniffing network traffic including options to display packet details. - Logger mode commands specify logging options like the log file path or log format. - IDS/IPS mode runs Snort using a configuration file to detect intrusions and can output alerts to the console, file, or none. - PCAP processing commands allow loading pcap files to analyze offline and show processed file names. - Global commands display version information or specify interfaces.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    SNORT 101

    Global Commands
    Display version:
    Snort -V
    Snort -version
    Do not display the version banner:
    Snort -q
    Use specific inetrface:
    Snort -i eth0

    1
    1 0

    0 1 01
    1 11
    0

    0 10 0 1 0 0
    0

    1 1 1
    0
    1 01 0 0
    1
    0
    0 0
    10 01 11 1
    1
    1 0
    1
    0
    1 0
    1

    0
    0
    1
    01
    0

    Sniffer Mode Logger Mode


    Verbose mode: Default log path :
    Snort -v /var/log/snort

    Display link-layer headers: Use alternative log path:


    Snort -e Snort -v -l /home/username/Desktop

    Display data payload: Log in ASCII format:


    Snort -d Snort-v -K ASCII

    Display full packet details in HEX: Read snort files: LOG


    Snort -X Snort -v -r snort.log

    Default Log path ->


    Multiple flag usage. Display all packet Read “N” number of packets:
    /var/log/snort"
    details: Snort -v -r snort.log -n 10
    Snort -eX
    Filter packets with “Berkeley Packet Filters”
    Sniff “N” number of packets: (BPF):
    Snort -v -n 10 Snort -v -r snort.log tcp
    Snort -v -r snort.log ‘udp and port 53’

    IDS/IPS Mode
    1010111
     
     
     
     

    Use configuration file:


    PCAP Processing Snort -c /etc/snort/snort.conf

    Test instance and configuration file:


    Process single pcap file: Snort -c /etc/snort/snort.conf -T
    Snort -c /etc/snort/snort.conf -q -r file.pcap -A console
    Disable logging:
    Process multiple pcap files: Snort -c /etc/snort/snort.conf -N
    Snort -c /etc/snort/snort.conf -q --pcap-list= "file1.pcap
    file2.pcap" -A console
    Run Snort in background:
    Snort -c /etc/snort/snort.conf -D

    Process pcaps from folder: Alert mode 1 | No output:


    Snort -c /etc/snort/snort.conf -q --pcap-dir=/home/pcap-folder Snort -c /etc/snort/snort.conf -v -A none
    -A console
    Alert mode 2 | Console output 1:
    Show processed pcap name: Snort -c /etc/snort/snort.conf -v -A console
    Snort -c /etc/snort/snort.conf -q --pcap-list="file1.pcap
    file2.pcap" -A console --pcap-show
    Alert mode 2 | Console output 2:
    Snort -c /etc/snort/snort.conf -v -A cmg

    Alert mode 3 | File output 1:


    Snort -c /etc/snort/snort.conf -v -A fast

    Alert mode 3 | File output 2:


    Snort -c /etc/snort/snort.conf -v -A full

    Use rules without configuration file:


    Snort -c /etc/snort/rules/local.rules -v -A console
    Snort Rule
    Breakdown
    Destination Destination
    Action Protocol Source IP Source Port Direction
    IP Port

    Rule Header Rule Options


    Payload Non-Payload
    General Rule Post-Detection
    Detection Detection Rule
    Options Rule Options Options Rule Options

    RU
    LE
    S

    Snort rules are composed


    of two logical parts;
    Example Rule
    Alert rule for possible “Directory Traversal Attempt” detection.
    Rule Header:
    This part contains network-based information; action,
    protocol, source and destination IP addresses, port
    numbers, and traffic direction.
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"Directory Traversal Attempt!";
    flow:established;
    nocase; content:"HTTP"; fast_pattern; content:"| 2E 2E 2F|"; content:"/..";
    session:all;
    Rule Options: reference:CVE,XXX;
    sid:100001; rev:1;)
    This part contains packet-based investigation details;
    message, reference, flow and content.

    Action alert Action, this option tells Snort what to do in a rule match
    Protocol tcp Protocol to be analysed. Supported protocols: TCP, UDP, ICMP, IP.
    Source IP $EXTERNAL_NET Source IP addresses.
    any
    Rule HeadEr Source Port
    Direction ->
    Source ports.
    Direction operator. Identify the orientation of traffic.
    Destination IP $HOME_NET Destination IP addresses.
    Destination Port $HTTP_PORTS Destination ports.
    Message msg Display message for rule match.
    GeneRal
    Rule Reference reference Provide additional information or reference for the rule.
    Rule id sid Unique rule number.
    OptiOns
    Revision info rev Revision information for the rule.

    Rule Non-pAyloAd
    Flow flow TCP stream direction.
    Rule OptiOns
    OptiOns
    Nocase nocase Disable case sensitivity to enhance the content match.
    PaylOad
    DeteCtioN Rule Content content Filter the payload data and look for an exact match.
    OptiOns Prioritise the content search to speed up the payload search.
    Fast-pattern fast-pattern This option is required when using multiple “content” options.
    Post-dEtecTion
    Rule oPtioNs Session session Extract user data from TCP sessions.

    https://tryhackme.com/room/snort

    You might also like