Search Site

Search Rules

Account

email
password

not registered?

can't login?

user preferences

Contents

• 1. Snort Overview
  • 1.1 Getting Started
  • 1.2 Sniffer Mode
  • 1.3 Packet Logger Mode
  • 1.4 Network Intrusion Detection Mode
    • 1.4.1 NIDS Mode Output Options
    • 1.4.2 Understanding Standard Alert Output
    • 1.4.3 High Performance Configuration
    • 1.4.4 Changing Alert Order
  • 1.5 Inline Mode
    • 1.5.1 Snort Inline Rule Application Order
    • 1.5.2 New STREAM4 Options for Use with Snort Inline
    • 1.5.3 Replacing Packets with Snort Inline
    • 1.5.4 Installing Snort Inline
    • 1.5.5 Running Snort Inline
    • 1.5.6 Using the Honeynet Snort Inline Toolkit
    • 1.5.7 Troubleshooting Snort Inline
  • 1.6 Miscellaneous
    • 1.6.1 Running in Daemon mode
    • 1.6.2 Obfuscating IP address printouts
    • 1.6.3 Specifying multiple-instance identifiers
  • 1.7 More Information
  
  
• 2. Configuring Snort
  • 2.0.1 Includes
  • 2.0.2 Variables
  • 2.0.3 Config
  • 2.1 Preprocessors
    • 2.1.1 Frag2
    • 2.1.2 Frag3
    • 2.1.3 Stream4
    • 2.1.4 Flow
    • 2.1.5 Portscan
    • 2.1.6 Flow-Portscan
    • 2.1.7 sfPortscan
    • 2.1.8 Telnet Decode
    • 2.1.9 RPC Decode
    • 2.1.10 Performance Monitor
    • 2.1.11 HTTP Inspect
    • 2.1.12 ASN.1 Detection
    • 2.1.13 X-Link2State Mini-Preprocessor
  • 2.2 Event Thresholding
  • 2.3 Output Modules
    • 2.3.1 alert_syslog
    • 2.3.2 alert_fast
    • 2.3.3 alert_full
    • 2.3.4 alert_unixsock
    • 2.3.5 log_tcpdump
    • 2.3.6 database
    • 2.3.7 csv
    • 2.3.8 unified
    • 2.3.9 alert_prelude
    • 2.3.10 log null
  
  
• 3. Writing Snort Rules How to Write Snort Rules and Keep Your Sanity
  • 3.1 The Basics
  • 3.2 Rules Headers
    • 3.2.1 Rule Actions
    • 3.2.2 Protocols
    • 3.2.3 IP Addresses
    • 3.2.4 Port Numbers
    • 3.2.5 The Direction Operator
    • 3.2.6 Activate/Dynamic Rules
  • 3.3 Rule Options
  • 3.4 Meta-Data Rule Options
    • 3.4.1 msg
    • 3.4.2 reference
    • 3.4.3 sid
    • 3.4.4 rev
    • 3.4.5 classtype
    • 3.4.6 Priority
  • 3.5 Payload Detection Rule Options
    • 3.5.1 content
    • 3.5.2 nocase
    • 3.5.3 rawbytes
    • 3.5.4 depth
    • 3.5.5 offset
    • 3.5.6 distance
    • 3.5.7 within
    • 3.5.8 uricontent
    • 3.5.9 isdataat
    • 3.5.10 pcre
    • 3.5.11 byte_test
    • 3.5.12 byte_jump
    • 3.5.13 ftpbounce
    • 3.5.14 regex
    • 3.5.15 content-list
  • 3.6 Non-payload Detection Rule Options
    • 3.6.1 fragoffset
    • 3.6.2 ttl
    • 3.6.3 tos
    • 3.6.4 id
    • 3.6.5 ipopts
    • 3.6.6 fragbits
    • 3.6.7 dsize
    • 3.6.8 flags
    • 3.6.9 flow
    • 3.6.10 flowbits
    • 3.6.11 seq
    • 3.6.12 ack
    • 3.6.13 window
    • 3.6.14 itype
    • 3.6.15 icode
    • 3.6.16 icmp_id
    • 3.6.17 icmp_seq
    • 3.6.18 rpc
    • 3.6.19 ip_proto
    • 3.6.20 sameip
  • 3.7 Post-Detection Rule Options
    • 3.7.1 logto
    • 3.7.2 session
    • 3.7.3 resp
    • 3.7.4 react
    • 3.7.5 tag
  • 3.8 Event Thresholding
    • 3.8.1 Standalone Options
    • 3.8.2 Standalone Format
    • 3.8.3 Rule Keyword Format
    • 3.8.4 Rule Keyword Format
    • 3.8.5 Examples
  • 3.9 Event Suppression
    • 3.9.1 Format
    • 3.9.2 Examples
  • 3.10 Snort Multi-Event Logging (Event Queue)
    • 3.10.1 Event Queue Configuration Options
    • 3.10.2 Event Queue Configuration Examples
  • 3.11 Writing Good Rules
    • 3.11.1 Content Matching
    • 3.11.2 Catch the Vulnerability, Not the Exploit
    • 3.11.3 Catch the Oddities of the Protocol in the Rule
    • 3.11.4 Optimizing Rules
    • 3.11.5 testing numerical values
  
  
• 4. Making Snort Faster
  • 4.1 MMAPed pcap
  
  
• 5. Snort Development
  • 5.1 Submitting Patches
  • 5.2 Snort dataflow
    • 5.2.1 Preprocessors
    • 5.2.2 Detection Plugins
    • 5.2.3 Output Plugins
  • 5.3 The Snort Team
  
  
• Bibliography

site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.