Snort - the de facto standard for intrusion detection/prevention

2.2 How do I run Snort?

Run Snort in sniffer mode and make sure it can see the packets.

snort -dv

Then run it with HOME_NET set appropriately for the network you're defending in your rules file. A default rules file, called "snort.conf", comes with the Snort distribution. You can run this basic ruleset with the following command line:

snort -A full -c snort.conf

If that all works, confirm that the interface is in promiscuous mode by running the following command from another window:

ifconfig -a

The output from ifconfig shows whether the interface is in promiscuous mode. If it's not, there should be a way to set it manually.

Note that the default output mode (-A full) of Snort should not be used except in very controlled environments. It is the slowest way to run Snort and presents several hard-to-recover-from problems with inode creation on filesystems.

For people doing real IDS work, use something like (-A fast -b) to combine fast alert mode with tcpdump binary log files or use the unified format coupled with barnyard.
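The promiscuous-mode check and the recommended command line above, as an added shell example that is not part of the Snort FAQ. It scans ifconfig-style output for the PROMISC flag on a named interface (both the older "Link encap" and the newer "flags=<...>" layouts) and then prints the -A fast -b command line the FAQ recommends. The ifconfig text is a constructed sample so the script runs offline; the interface name, log directory and rules path are placeholders, and -i and -l are Snort's standard interface and log-directory options.

```shell
#!/bin/sh
# Added example, not Snort project code. Checks whether an interface is in
# promiscuous mode by scanning ifconfig output, then builds the FAQ's
# recommended "real IDS work" command line (-A fast -b).

# Constructed sample of `ifconfig -a` output: eth0 is promiscuous, eth1 is not.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.10  netmask 255.255.255.0  broadcast 198.51.100.255
'

# is_promisc IFACE IFCONFIG_TEXT
# Returns 0 if the block for IFACE contains PROMISC, 1 otherwise.
# Each interface block starts with a non-indented line naming the interface
# (optionally followed by ':'), so awk tracks the current block and only
# looks for the flag inside the block we care about.
is_promisc() {
    iface=$1
    text=$2
    printf '%s\n' "$text" | awk -v want="$iface" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # new interface block
        cur == want && /PROMISC/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# snort_ids_cmd IFACE CONF LOGDIR
# Prints the FAQ-recommended production invocation: fast alert mode plus
# tcpdump-format binary packet logging, reading rules from CONF and writing
# to LOGDIR. -c, -i and -l are standard Snort options; paths are placeholders.
snort_ids_cmd() {
    printf 'snort -A fast -b -c %s -i %s -l %s\n' "$2" "$1" "$3"
}

# check_then_print IFACE CONF LOGDIR IFCONFIG_TEXT
# Only emits the command line when the interface is actually promiscuous,
# otherwise reports the problem and returns 1.
check_then_print() {
    if is_promisc "$1" "$4"; then
        snort_ids_cmd "$1" "$2" "$3"
    else
        echo "interface $1 is not in promiscuous mode; set it before starting Snort" >&2
        return 1
    fi
}

# Stand-alone demonstration against the constructed sample (placeholder paths).
check_then_print eth0 /etc/snort/snort.conf /var/log/snort "$SAMPLE_IFCONFIG" || true
check_then_print eth1 /etc/snort/snort.conf /var/log/snort "$SAMPLE_IFCONFIG" || true
```

On a live sensor, replace the sample text with `"$(ifconfig -a)"`; the check is deliberately a precondition rather than a fix, since how promiscuous mode is enabled depends on the platform.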

