网络入侵检测系统(源码).rar snort.8

www.pudn.com > 网络入侵检测系统(源码).rar > snort.8

.\" Process this file with
.\" groff -man -Tascii snort.8
.\"
.\" $Id: snort.8,v 1.7 2001/01/02 19:52:10 roesch Exp $
.TH SNORT 8 "January 2001"
.SH NAME
Snort \- open source network intrusion detection system
.SH SYNOPSIS
.B snort [-abCdDeINopqsvVxX?] [-A
.I alert-mode
.B ] [-c
.I rules-file
.B ] [-F
.I bpf-file
.B ] [-g
.I grpname
.B ] [-h
.I home-net
.B ] [-i
.I interface
.B ] [-l
.I log-dir
.B ] [-L
.I bin-log-file
.B ] [-M
.I smb-hosts-file
.B ] [-n
.I packet-count
.B ] [-r
.I tcpdump-file
.B ] [-S
.I n=v
.B ] [-t
.I chroot_directory
.B ] [-u
.I usrname
.B ]
.I expression
.SH DESCRIPTION
.B Snort
is an open source network intrusion detection system, capable of performing
real-time traffic analysis and packet logging on IP networks. It can perform
protocol analysis, content searching/matching and can be used to detect a
variety of attacks and probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses
a flexible rules language to describe traffic that it should collect or pass,
as well as a detection engine that utilizes a modular plugin architecture.
Snort also has a modular real-time alerting capability, incorporating alerting
and logging plugins for syslog, a ASCII text files, UNIX sockets, WinPopup
messages to Windows clients using Samba's smbclient, database
(Mysql/PostgreSQL/Oracle/ODBC) or XML.
.PP
Snort has three primary uses. It can be used as a straight packet sniffer like
.BR tcpdump (1),
a packet logger (useful for network traffic debugging, etc), or as a full
blown network intrusion detection system.
.PP
Snort logs packets in
.BR tcpdump (1)
binary format, to a database or in Snort's decoded ASCII format to a hierarchy
of logging directories that are named based on the IP address of the "foreign"
host.
.SH OPTIONS
.IP "-A alert-mode"
Alert using the specified
.I alert-mode.
Valid alert modes include
.B fast, full, none,
and
.B unsock.
.B Fast
writes alerts to the default "alert" file in a single-line, syslog style alert
message.
.B Full
writes the alert to the "alert" file with the full decoded header as well as
the alert message.
.B None
turns off alerting.
.B Unsock
is an experimental mode that sends the alert information out over a UNIX socket
to another process that attaches to that socket.
.IP -a
Display ARP packets when decoding packets.
.IP -b
Log packets in a
.BR tcpdump (1)
formatted file. All packets are logged in their native binary state to a
tcpdump formatted log file named with the snort start timestamp and
"snort.log". This option results in much faster operation of the program
since it doesn't have to spend time in the packet binary->text converters.
Snort can keep up pretty well with 100Mbps networks in "-b" mode. To choose
an alternate name for the binary log file, use the "-L" switch.
.IP "-c config-file"
Use the rules located in file
.I config-file.
.IP -C
Print the character data from the packet payload only (no hex).
.IP -d
Dump the application layer data when displaying packets in verbose or packet
logging mode.
.IP -D
Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless
otherwise specified.
.IP -e
Display/log the link layer packet headers.
.IP "-F bpf-file"
Read BPF filters from
.I bpf-file.
This is handy for people running Snort as a SHADOW replacement or with a love
of super complex BPF filters. See the
"expressions" section of this man page for more info on writing BPF fileters.
.IP "-g "
Change the GID Snort runs under to after initialization.
This switch allows Snort to drop root priveleges after it's initialization
phase has completed as a security measure.
.IP "-h home-net"
Set the "home network" to
.I home-net.
The format of this address variable is a network prefix plus a CIDR block, such
as 192.168.1.0/24. Once this variable is set, all decoded packet logging will
be done relative to the home network address space. This is useful because of
the way that Snort formats its ASCII log data. With this value set to the
local network, all decoded output will be logged into decode directories
with the address of the foreign computer as the directory name, which is
very useful during traffic analysis.
.IP "-i interface"
Sniff packets on
.I interface.
.IP "-I"
Print out the receiving interface name in alerts.
.IP "-l log-dir"
Set the output logging directory to
.I log-dir.
All plain text alerts and packet logs go into this directory. If this option
is not specified, the default logging directory is set to /var/log/snort.
.IP "-L binary-log-file"
Set the filename of the binary log file to
.I binary-log-file.
If this switch is not used, the default name is a timestamp for the time that
the file is created plus "snort.log".
.IP "-M smb-hosts-file"
Send WinPopup messages to the list of workstations contained in the
.I smb-hosts-file .
This option requires Samba to be resident and in the path of the machine
running Snort. The workstation file is simple: each line of the file contains
the SMB name of the box to send the message to.
.IP "-n packet-count"
Process
.I packet-count
packets and exit.
.IP -N
Turn off packet logging. The program still generates alerts normally.
.IP -o
Change the order in which the rules are applied to packets. Instead of being
applied in the standard Alert->Pass->Log order, this will apply them in
Pass->Alert->Log order.
.IP -O
Obfuscate the IP addresses when in ASCII packet dump mode. This switch changes
the IP addresses that get printed to the screen/log file to "xxx.xxx.xxx.xxx".
If the homenet address switch is set (-h), only addresses on the homenet will
be obfuscated while non- homenet IPs will be left visible. Perfect for posting
to your favorite security mailing list!
.IP -p
Turn off promiscuous mode sniffing.
.IP "-q"
Quiet operation. Don't display banner and initialization information.
.IP "-r tcpdump-file"
Read the tcpdump-formatted file
.I tcpdump-file.
This will cause Snort to read and process the file fed to it. This is
useful if, for instance, you've got a bunch of SHADOW files that you want to
process for content, or even if you've got a bunch of reassembled packet
fragments which have been written into a tcpdump formatted file.
.IP -s
Send alert messages to syslog. On linux boxen, they will appear in
/var/log/secure, /var/log/messages on many other platforms.
.IP "-S n=v"
Set variable name "n" to value "v". This is useful for setting the value of a
defined variable name in a Snort rules file to a command line specified value.
For instance, if you define a HOME_NET variable name inside of a Snort rules
file, you can set this value from it's predefined value at the command line.
.IP "-t chroot"
Changes Snort's root directory to
.I chroot
after initialization. Please note that all log/alert filenames are relative
to the chroot directory if chroot is used.
.IP "-u uname"
Change the UID Snort runs under to
.I uname
after initialization.
.IP -v
Be verbose. Prints packets out to the console. There is one big problem with
verbose mode: it's slow. If you are doing IDS work with Snort, don't use the
-v switch, you WILL drop packets.
.IP -V
Show the version number and exit.
.IP -X
Dump the raw packet data starting at the link layer. This switch overrides the
-d switch.
.IP -?
Show the program usage statement and exit.
.IP "\fI expression\fP"
.RS
selects which packets will be dumped. If no \fIexpression\fP
is given, all packets on the net will be dumped. Otherwise,
only packets for which \fIexpression\fP is `true' will be dumped.
.LP
The \fIexpression\fP consists of one or more
.I primitives.
Primitives usually consist of an
.I id
(name or number) preceded by one or more qualifiers. There are three
different kinds of qualifier:
.IP \fItype\fP
qualifiers say what kind of thing the id name or number refers to.
Possible types are
.BR host ,
.B net
and
.BR port .
E.g., `host foo', `net 128.3', `port 20'. If there is no type
qualifier,
.B host
is assumed.
.IP \fIdir\fP
qualifiers specify a particular transfer direction to and/or from
.I id.
Possible directions are
.BR src ,
.BR dst ,
.B "src or dst"
and
.B "src and"
.BR dst .
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If
there is no dir qualifier,
.B "src or dst"
is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the
.B inbound
and
.B outbound
qualifiers can be used to specify a desired direction.
.IP \fIproto\fP
qualifiers restrict the match to a particular protocol. Possible
protos are:
.BR ether ,
.BR fddi ,
.BR ip ,
.BR arp ,
.BR rarp ,
.BR decnet ,
.BR lat ,
.BR sca ,
.BR moprc ,
.BR mopdl ,
.B tcp
and
.BR udp .
E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is
no proto qualifier, all protocols consistent with the type are
assumed. E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
.LP
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.'' FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields. FDDI headers also contain other fields,
but you cannot name them explicitly in a filter expression.]
.LP
In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
.BR gateway ,
.BR broadcast ,
.BR less ,
.B greater
and arithmetic expressions. All of these are described below.
.LP
More complex filter expressions are built up by using the words
.BR and ,
.B or
and
.B not
to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted. E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
.LP
Allowable primitives are:
.IP "\fBdst host \fIhost\fR"
True if the IP destination field of the packet is \fIhost\fP,
which may be either an address or a name.
.IP "\fBsrc host \fIhost\fR"
True if the IP source field of the packet is \fIhost\fP.
.IP "\fBhost \fIhost\fP
True if either the IP source or destination of the packet is \fIhost\fP.
Any of the above host expressions can be prepended with the keywords,
\fBip\fP, \fBarp\fP, or \fBrarp\fP as in:
.in +.5i
.nf
\fBip host \fIhost\fR
.fi
.in -.5i
which is equivalent to:
.in +.5i
.nf
\fBether proto \fI\\ip\fB and host \fIhost\fR
.fi
.in -.5i
If \fIhost\fR is a name with multiple IP addresses, each address will
be checked for a match.
.IP "\fBether dst \fIehost\fP
True if the ethernet destination address is \fIehost\fP. \fIEhost\fP
may be either a name from /etc/ethers or a number (see
.IR ethers (3N)
for numeric format).
.IP "\fBether src \fIehost\fP
True if the ethernet source address is \fIehost\fP.
.IP "\fBether host \fIehost\fP
True if either the ethernet source or destination address is \fIehost\fP.
.IP "\fBgateway\fP \fIhost\fP
True if the packet used \fIhost\fP as a gateway. I.e., the ethernet
source or destination address was \fIhost\fP but neither the IP source
nor the IP destination was \fIhost\fP. \fIHost\fP must be a name and
must be found in both /etc/hosts and /etc/ethers. (An equivalent
expression is
.in +.5i
.nf
\fBether host \fIehost \fBand not host \fIhost\fR
.fi
.in -.5i
which can be used with either names or numbers for \fIhost / ehost\fP.)
.IP "\fBdst net \fInet\fR"
True if the IP destination address of the packet has a network
number of \fInet\fP. \fINet\fP may be either a name from /etc/networks
or a network number (see \fInetworks(4)\fP for details).
.IP "\fBsrc net \fInet\fR"
True if the IP source address of the packet has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR"
True if either the IP source or destination address of the packet has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR \fBmask \fImask\fR"
True if the IP address matches \fInet\fR with the specific netmask.
May be qualified with \fBsrc\fR or \fBdst\fR.
.IP "\fBnet \fInet\fR/\fIlen\fR"
True if the IP address matches \fInet\fR a netmask \fIlen\fR bits wide.
May be qualified with \fBsrc\fR or \fBdst\fR.
.IP "\fBdst port \fIport\fR"
True if the packet is ip/tcp or ip/udp and has a
destination port value of \fIport\fP.
The \fIport\fP can be a number or a name used in /etc/services (see
.IR tcp (4P)
and
.IR udp (4P)).
If a name is used, both the port
number and protocol are checked. If a number or ambiguous name is used,
only the port number is checked (e.g., \fBdst port 513\fR will print both
tcp/login traffic and udp/who traffic, and \fBport domain\fR will print
both tcp/domain and udp/domain traffic).
.IP "\fBsrc port \fIport\fR"
True if the packet has a source port value of \fIport\fP.
.IP "\fBport \fIport\fR"
True if either the source or destination port of the packet is \fIport\fP.
Any of the above port expressions can be prepended with the keywords,
\fBtcp\fP or \fBudp\fP, as in:
.in +.5i
.nf
\fBtcp src port \fIport\fR
.fi
.in -.5i
which matches only tcp packets whose source port is \fIport\fP.
.IP "\fBless \fIlength\fR"
True if the packet has a length less than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
\fBlen <= \fIlength\fP.
.fi
.in -.5i
.IP "\fBgreater \fIlength\fR"
True if the packet has a length greater than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
\fBlen >= \fIlength\fP.
.fi
.in -.5i
.IP "\fBip proto \fIprotocol\fR"
True if the packet is an ip packet (see
.IR ip (4P))
of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or one of the names
\fIicmp\fP, \fIigrp\fP, \fIudp\fP, \fInd\fP, or \fItcp\fP.
Note that the identifiers \fItcp\fP, \fIudp\fP, and \fIicmp\fP are also
keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell.
.IP "\fBether broadcast\fR"
True if the packet is an ethernet broadcast packet. The \fIether\fP
keyword is optional.
.IP "\fBip broadcast\fR"
True if the packet is an IP broadcast packet. It checks for both
the all-zeroes and all-ones broadcast conventions, and looks up
the local subnet mask.
.IP "\fBether multicast\fR"
True if the packet is an ethernet multicast packet. The \fIether\fP
keyword is optional.
This is shorthand for `\fBether[0] & 1 != 0\fP'.
.IP "\fBip multicast\fR"
True if the packet is an IP multicast packet.
.IP "\fBether proto \fIprotocol\fR"
True if the packet is of ether type \fIprotocol\fR.
\fIProtocol\fP can be a number or a name like
\fIip\fP, \fIarp\fP, or \fIrarp\fP.
Note these identifiers are also keywords
and must be escaped via backslash (\\).
[In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the
protocol identification comes from the 802.2 Logical Link Control
(LLC) header, which is usually layered on top of the FDDI header.
\fITcpdump\fP assumes, when filtering on the protocol identifier,
that all FDDI packets include an LLC header, and that the LLC header
is in so-called SNAP format.]
.IP "\fBdecnet src \fIhost\fR"
True if the DECNET source address is
.IR host ,
which may be an address of the form ``10.123'', or a DECNET host
name. [DECNET host name support is only available on Ultrix systems
that are configured to run DECNET.]
.IP "\fBdecnet dst \fIhost\fR"
True if the DECNET destination address is
.IR host .
.IP "\fBdecnet host \fIhost\fR"
True if either the DECNET source or destination address is
.IR host .
.IP "\fBip\fR, \fBarp\fR, \fBrarp\fR, \fBdecnet\fR"
Abbreviations for:
.in +.5i
.nf
\fBether proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
.IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR"
Abbreviations for:
.in +.5i
.nf
\fBether proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
Note that
\fISnort\fP does not currently know how to parse these protocols.
.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
Abbreviations for:
.in +.5i
.nf
\fBip proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
.IP "\fIexpr relop expr\fR"
True if the relation holds, where \fIrelop\fR is one of >, <, >=, <=, =, !=,
and \fIexpr\fR is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
[+, -, *, /, &, |], a length operator, and special packet data accessors.
To access
data inside the packet, use the following syntax:
.in +.5i
.nf
\fIproto\fB [ \fIexpr\fB : \fIsize\fB ]\fR
.fi
.in -.5i
\fIProto\fR is one of \fBether, fddi,
ip, arp, rarp, tcp, udp, \fRor \fBicmp\fR, and
indicates the protocol layer for the index operation.
The byte offset, relative to the indicated protocol layer, is
given by \fIexpr\fR.
\fISize\fR is optional and indicates the number of bytes in the
field of interest; it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword \fBlen\fP, gives the
length of the packet.

For example, `\fBether[0] & 1 != 0\fP' catches all multicast traffic.
The expression `\fBip[0] & 0xf != 5\fP'
catches all IP packets with options. The expression
`\fBip[6:2] & 0x1fff = 0\fP'
catches only unfragmented datagrams and frag zero of fragmented datagrams.
This check is implicitly applied to the \fBtcp\fP and \fBudp\fP
index operations.
For instance, \fBtcp[0]\fP always means the first
byte of the TCP \fIheader\fP, and never means the first byte of an
intervening fragment.
.LP
Primitives may be combined using:
.IP
A parenthesized group of primitives and operators
(parentheses are special to the Shell and must be escaped).
.IP
Negation (`\fB!\fP' or `\fBnot\fP').
.IP
Concatenation (`\fB&&\fP' or `\fBand\fP').
.IP
Alternation (`\fB||\fP' or `\fBor\fP').
.LP
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right. Note that explicit \fBand\fR tokens, not juxtaposition,
are now required for concatenation.
.LP
If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,
.in +.5i
.nf
\fBnot host vs and ace\fR
.fi
.in -.5i
is short for
.in +.5i
.nf
\fBnot host vs and host ace\fR
.fi
.in -.5i
which should not be confused with
.in +.5i
.nf
\fBnot ( host vs or ace )\fR
.fi
.in -.5i
.LP
Expression arguments can be passed to Snort as either a single argument
or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.
.SH RULES
Snort uses a simple but flexible rules language to describe network packet
signatures and associate them with actions. The current rules document can
be found at http://www.snort.org/snort_rules.html.
.SH NOTES
The following signals have the specified effect when sent to the daemon process using the \fBkill(1)\fR command:
.PP
.IP SIGHUP
Causes the daemon to close all opened files and restart.
Please \fBnote\fR that this will only work if the \fBfull\fR pathname is
used to invoke snort in daemon mode, otherwise snort will just exit with an error message being sent
to
.B syslogd(8)
.
.PP
.IP SIGUSR1
Causes the program to dump its current packet statistical information to the
cosole or
.B syslogd(8)
if in daemon mode.
.
.PP
Any other signal causes the daemon to close all opened files and exit.

.SH HISTORY
.B Snort
has been freely available under the GPL license since 1998.
.SH DIAGNOSTICS
.B Snort
returns a 0 on a successful exit, 1 if it exits on an error.
.SH BUGS
Send bug reports to roesch@clark.net, snort-devel@lists.sourceforge.net
.SH AUTHOR
Martin Roesch
.SH "SEE ALSO"
.BR tcpdump (1),
.BR pcap (3)