Snort Users Manual
Snort Release: 2.0.0
Martin Roesch
Chris Green
Copyright © 1998-2003 Martin Roesch
Copyright © 2001-2003 Chris Green
Copyright © 2003 Sourcefire, Inc.
Contents
1 Snort Overview
1.1 Getting Started
1.2 Sniffer Mode
1.3 Packet Logger Mode
1.4 Network Intrusion Detection Mode
1.4.1 NIDS Mode Output Options
1.4.2 High Performance Configuration
1.4.3 Changing Alert Order
1.5 Miscellaneous
1.6 More Information
2 Writing Snort Rules
How to Write Snort Rules and Keep Your Sanity
2.1 The Basics
2.1.1 Includes
2.1.2 Variables
2.1.3 Config
2.2 Rules Headers
2.2.1 Rule Actions
2.2.2 Protocols
2.2.3 IP Addresses
2.2.4 Port Numbers
2.2.5 The Direction Operator
2.2.6 Activate/Dynamic Rules
2.3 Rule Options
2.3.1 Msg
2.3.2 Logto
2.3.3 TTL
2.3.4 TOS
2.3.5 ID
2.3.6 Ipoption
2.3.7 Fragbits
2.3.8 Dsize
2.3.9 Content
2.3.10 Offset
2.3.11 Depth
2.3.12 Nocase
2.3.13 Flags
2.3.14 Seq
2.3.15 Ack
2.3.16 Itype
2.3.17 Icode
2.3.18 Session
2.3.19 Icmp_id
2.3.20 Icmp_seq
2.3.21 Rpc
2.3.22 Resp
2.3.23 Content-list
2.3.24 React
2.3.25 Reference
2.3.26 Sid
2.3.27 Rev
2.3.28 Classtype
2.3.29 Priority
2.3.30 Uricontent
2.3.31 Tag
2.3.32 IP proto
2.3.33 Same IP
2.3.34 Regex
2.3.35 Flow
2.3.36 Fragoffset
2.3.37 Rawbytes
2.3.38 distance
2.3.39 Within
2.3.40 Byte_Test
2.3.41 Byte_Jump
2.4 Preprocessors
2.4.1 HTTP Decode
2.4.2 Portscan Detector
2.4.3 Portscan Ignorehosts
2.4.4 Frag2
2.4.5 Stream4
2.4.6 Conversation
2.4.7 Portscan2
2.4.8 Telnet Decode
2.4.9 RPC Decode
2.4.10 Perf Monitor
2.4.11 Http Flow
2.5 Output Modules
2.5.1 Alert_syslog
2.5.2 Alert_fast
2.5.3 Alert_full
2.5.4 Alert_smb
2.5.5 Alert_unixsock
2.5.6 Log_tcpdump
2.5.7 Database
2.5.8 CSV
2.5.9 Unified
2.5.10 Log Null
2.6 Writing Good Rules
3 Snort Development
3.1 Submitting Patches
3.2 Snort Dataflow
3.2.1 Preprocessors
3.2.2 Detection Plugins
3.2.3 Output Plugins
©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.