Search Site

Search Rules

Account

email
password

not registered?

can't login?

user preferences

Contents

• Snort Overview
  • Getting Started
  • Sniffer Mode
  • Packet Logger Mode
  • Network Intrusion Detection System Mode
    • NIDS Mode Output Options
    • Understanding Standard Alert Output
    • High Performance Configuration
    • Changing Alert Order
  • Inline Mode
    • Snort Inline Rule Application Order
    • New STREAM4 Options for Use with Snort Inline
    • Replacing Packets with Snort Inline
    • Installing Snort Inline
    • Running Snort Inline
    • Using the Honeynet Snort Inline Toolkit
    • Troubleshooting Snort Inline
  • Miscellaneous
    • Running in Daemon Mode
    • Obfuscating IP Address Printouts
    • Specifying Multiple-Instance Identifiers
  • More Information
  
  
• Configuring Snort
  • Includes
  • Variables
  • Config
  • Preprocessors
    • Frag2
    • Frag3
    • Stream4
    • Flow
    • Portscan
    • Flow-Portscan
    • sfPortscan
    • Telnet Decode
    • RPC Decode
    • Performance Monitor
    • HTTP Inspect
    • SMTP Preprocessor
    • FTP/Telnet Preprocessor
    • SSH
    • DCE/RPC
    • DNS
    • ASN.1 Detection
  • Event Thresholding
  • Output Modules
    • alert_syslog
    • alert_fast
    • alert_full
    • alert_unixsock
    • log_tcpdump
    • database
    • csv
    • unified
    • alert_prelude
    • log null
    • alert_aruba_action
  • Dynamic Modules
    • Format
    • Directives
  
  
• Writing Snort Rules: How to Write Snort Rules and Keep Your Sanity
  • The Basics
  • Rules Headers
    • Rule Actions
    • Protocols
    • IP Addresses
    • Port Numbers
    • The Direction Operator
    • Activate/Dynamic Rules
  • Rule Options
  • Meta-Data Rule Options
    • msg
    • reference
    • sid
    • rev
    • classtype
    • Priority
  • Payload Detection Rule Options
    • content
    • nocase
    • rawbytes
    • depth
    • offset
    • distance
    • within
    • http_client_body
    • http_uri
    • uricontent
    • isdataat
    • pcre
    • byte_test
    • byte_jump
    • ftpbounce
    • regex
    • content-list
  • Non-Payload Detection Rule Options
    • fragoffset
    • ttl
    • tos
    • id
    • ipopts
    • fragbits
    • dsize
    • flags
    • flow
    • flowbits
    • seq
    • ack
    • window
    • itype
    • icode
    • icmp_id
    • icmp_seq
    • rpc
    • ip_proto
    • sameip
  • Post-Detection Rule Options
    • logto
    • session
    • resp
    • react
    • tag
  • Event Thresholding
    • Standalone Options
    • Standalone Format
    • Rule Keyword Format
    • Rule Keyword Format
    • Examples
  • Event Suppression
    • Format
    • Examples
  • Snort Multi-Event Logging (Event Queue)
    • Event Queue Configuration Options
    • Event Queue Configuration Examples
  • Writing Good Rules
    • Content Matching
    • Catch the Vulnerability, Not the Exploit
    • Catch the Oddities of the Protocol in the Rule
    • Optimizing Rules
    • Testing Numerical Values
  
  
• Making Snort Faster
  • MMAPed pcap
  
  
• Dynamic Modules
  • Data Structures
    • DynamicPluginMeta
    • DynamicPreprocessorData
    • DynamicEngineData
    • SFSnortPacket
    • Dynamic Rules
  • Required Functions
    • Preprocessors
    • Detection Engine
    • Rules
  • Examples
    • Preprocessor Example
    • Rules
  
  
• Snort Development
  • Submitting Patches
  • Snort Data Flow
    • Preprocessors
    • Detection Plugins
    • Output Plugins
  • The Snort Team
  
  
• Bibliography

site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.