snort
Detect network intrusions via rule-based analysis
TLDR
Capture packets with verbose output:
sudo snort -v
Capture packets and dump application layer data with verbose output:
sudo snort -vd
Capture packets and display link layer packet headers with verbose output:
sudo snort -vde
Capture packets and save them in the specified directory:
sudo snort -dev -l path/to/logdir
Capture packets according to rules and save offending packets along with alerts:
sudo snort -dev -l path/to/logdir -c path/to/snort.conf
SYNOPSIS
snort [-A <mode>] [-c <rulesfile>] [-i <interface>] [-l <logdir>] [-r <pcapfile>] [-D] [-T] [-q] [other_options]
PARAMETERS
-A <mode>
Sets the alert output mode. Snort 2 accepts fast, full, console, unsock and none (alerts go to syslog via the separate -s flag); Snort 3 uses the names of its alert output plugins instead (e.g., alert_fast, alert_full, alert_syslog, alert_json).
-c <rulesfile>
Specifies the Snort configuration file (snort.conf for Snort 2, snort.lua for Snort 3); the rule files to load are referenced from that configuration. Supplying -c is what switches Snort into NIDS mode.
-i <interface>
Listens for packets on the specified network interface (e.g., eth0, enp0s3, any).
-l <logdir>
Specifies the base logging directory where Snort writes alert and packet log files. The directory must exist and be writable by the user Snort runs as (see -u and -g, which drop privileges after startup).
-r <pcapfile>
Reads packets from a tcpdump-format packet capture file for offline analysis.
-D
Runs Snort in daemon mode, detaching from the controlling terminal.
-T
Runs Snort in test mode: it loads the configuration and rule set, reports any errors, and exits without analyzing traffic. Run it after every rule update, before restarting a production sensor.
-q
Operates in quiet mode, suppressing the startup banner and most status messages.
--daq <module>
Specifies the Data Acquisition (DAQ) module used for packet I/O (e.g., pcap, afpacket, nfq, ipfw). Passive detection works with pcap; inline prevention needs a module that can drop or forward packets.
--pcap-filter <filter>
Applies a Berkeley Packet Filter (BPF) expression to the input stream so that only matching packets reach the detection engine. This reduces load, but anything the filter excludes is never inspected, so an over-broad filter silently creates blind spots.
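The -A fast mode listed above writes one line per alert, which is the form most sensors ship to a SIEM or leave in alert.log. The following is an added example for this page, not code from the Snort project: it parses such lines and summarises them per rule and per source address, and it counts lines it cannot parse instead of dropping them. The sample alerts are constructed to follow the fast format; restricting endpoints to IPv4 is an assumption made to keep the expression readable.

```python
"""Summarise Snort '-A fast' alert output offline.

Added example for this page, not part of the Snort project. SAMPLE_ALERTS is
constructed to follow the one-line-per-alert 'fast' format; the regex only
handles IPv4 endpoints (an assumption made to keep it readable).
"""
import re
from collections import Counter

FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # absent when the rule has no classtype
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"  # no port for ICMP
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: three local rules firing plus one non-alert line.
SAMPLE_ALERTS = """\
01/15-14:23:01.123456  [**] [1:1000001:2] LOCAL Inbound SSH to server [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
01/15-14:23:02.000010  [**] [1:1000001:2] LOCAL Inbound SSH to server [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51240 -> 192.0.2.10:22
01/15-14:23:05.555555  [**] [1:384:5] PROTOCOL-ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
01/15-14:24:10.000001  [**] [1:1000002:1] LOCAL Suspicious admin path request [**] [Priority: 1] {TCP} 203.0.113.7:51300 -> 192.0.2.10:80
this line is not a snort alert
"""


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    alert["sport"] = int(alert["sport"]) if alert["sport"] else None
    alert["dport"] = int(alert["dport"]) if alert["dport"] else None
    return alert


def summarize(text, max_priority=2):
    """Count alerts per rule and per source; collect those at priority <= max_priority.

    Snort priorities start at 1 (high) and grow less urgent, so a lower number
    matters more. Lines that do not parse are counted rather than silently lost.
    """
    parsed, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_fast_alert(line)
        if alert is None:
            skipped += 1
        else:
            parsed.append(alert)
    return {
        "parsed": len(parsed),
        "skipped": skipped,
        "by_rule": Counter((a["gid"], a["sid"], a["msg"]) for a in parsed),
        "by_src": Counter(a["src"] for a in parsed),
        "urgent": [a for a in parsed if a["prio"] <= max_priority],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    print(f"{report['parsed']} alerts parsed, {report['skipped']} lines skipped")
    for (gid, sid, msg), n in report["by_rule"].most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    for src, n in report["by_src"].most_common(3):
        print(f"{n:4d}  {src}")
    for a in report["urgent"]:
        print(f"P{a['prio']} {a['ts']} {a['src']} -> {a['dst']} {a['msg']}")
```

Point `summarize()` at the contents of the alert file in the -l directory; the skipped count is worth watching, because a non-zero value on a real file usually means the sensor is writing a different -A mode than the parser expects.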
DESCRIPTION
snort is a widely-used open-source network intrusion detection and prevention system (IDS/IPS). It performs real-time traffic analysis, packet logging, and content searching/matching on IP networks. Snort can detect a wide range of attacks and probes, including buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
It operates primarily in three modes: sniffer, packet logger, and network intrusion detection system (NIDS). In NIDS mode, Snort uses a flexible rule-based language to define attack signatures and detect suspicious activity. Its extensibility, powerful rule engine, and active community make it a cornerstone in network security monitoring and defense.
CAVEATS
Snort can be resource-intensive, and an untuned rule set on a busy link produces both false positives and false negatives until the rules are adapted to the monitored environment (HOME_NET and port variables set correctly, noisy signatures disabled). Rule sets age quickly, so update them on a schedule and validate every update with -T before reloading a production sensor.
Inline prevention (IPS) requires -Q together with an inline-capable DAQ module (afpacket on an interface pair, nfq or ipfw). A rule that drops legitimate traffic is an outage, so stage new rules as alert and promote them to drop only after reviewing what they matched.
Capturing packets needs root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities; start Snort as root and let it drop privileges with -u and -g rather than running the whole process as root.
OPERATING MODES
Snort operates primarily in three distinct modes:
1. Sniffer Mode (-v, optionally with -d and -e): reads packets from the wire and prints them to the console, similar to tcpdump.
2. Packet Logger Mode (-l <logdir>): records packets to disk for later forensic analysis. Snort 2 writes a binary tcpdump-format file by default and, with -K ascii, a hierarchical directory tree of decoded packets keyed by IP address.
3. Network Intrusion Detection System (NIDS) Mode (-c <config>): analyzes traffic against the loaded rule set and alerts on matches. This is the mode a production sensor runs in, and the one the rest of this page is about.
RULE MANAGEMENT
Snort's strength lies in its highly flexible and powerful rule language. Users can write custom rules to address specific threats or leverage widely available community-driven and commercial rule sets (e.g., Snort Subscriber Rules, Emerging Threats). Keeping these rules updated is critical for effective threat detection and adapting to new attack vectors.
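Custom rules are where most operational mistakes in a Snort deployment are made, and snort -T only catches syntax errors. The following is an added example for this page, not code from the Snort project: a small linter for the classic rule syntax (header followed by parenthesised options) that applies the checks a reviewer otherwise does by hand: missing sid, rev or msg, sids below the 1,000,000 range conventionally reserved for distributed rule sets, duplicate sids across the file, rules with any any -> any any and no payload match (which fire on every packet), and TCP payload rules without a flow option. The sample rules file is constructed for the demonstration; the action and protocol lists cover the common keywords only.

```python
"""Lint a Snort rules file before handing it to 'snort -T'.

Added example for this page, not part of the Snort project. It parses the
classic rule syntax (header + parenthesised options) and applies review
checks that the syntax check in -T does not. SAMPLE_RULES is constructed.
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "block"}   # common actions only
PROTOS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000  # sids below this are used by the distributed rule sets

# action proto src sport (->|<>) dst dport (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)

SAMPLE_RULES = """\
# constructed local.rules for the linter; not a real rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL Inbound SSH to server"; flow:to_server,established; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Suspicious admin path request"; flow:to_server,established; content:"GET /admin;"; http_uri; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"LOCAL catch-all test"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ping, sid in reserved range"; itype:8; sid:384; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"LOCAL duplicate sid"; content:"|00 01 00 00 00 01|"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any 443 (flow:to_server,established; content:"bad"; sid:1000004;)
"""


def split_options(body):
    """Split 'key:value; key; ...' on semicolons that sit outside double quotes."""
    opts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"' and (not buf or buf[-1] != "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                opts.append(token)
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():            # last option missing its terminating ';'
        opts.append("".join(buf).strip())
    parsed = []
    for token in opts:
        key, sep, value = token.partition(":")
        parsed.append((key.strip(), value.strip() if sep else None))
    return parsed


def parse_rule(line):
    """Return the rule header fields and option list, or None if the header does not parse."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": split_options(body)}


def option(rule, key):
    """Value of the first option named key, or None if absent or valueless."""
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def lint_rules(text):
    """Return (line_number, level, message) findings for every rule in text."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, "error", "rule header does not parse"))
            continue
        keys = [k for k, _ in rule["options"]]
        if rule["action"] not in ACTIONS:
            findings.append((lineno, "error", f"unknown action {rule['action']}"))
        if rule["proto"] not in PROTOS:
            findings.append((lineno, "error", f"unknown protocol {rule['proto']}"))
        if "msg" not in keys:
            findings.append((lineno, "error", "missing msg"))
        if "rev" not in keys:
            findings.append((lineno, "warning", "missing rev"))
        sid = option(rule, "sid")
        if sid is None or not sid.isdigit():
            findings.append((lineno, "error", "missing or non-numeric sid"))
        else:
            sid = int(sid)
            if sid < LOCAL_SID_MIN:
                findings.append((lineno, "warning", f"sid {sid} is in the range reserved for distributed rules"))
            if sid in seen:
                findings.append((lineno, "error", f"duplicate sid {sid}, first used on line {seen[sid]}"))
            else:
                seen[sid] = lineno
        has_payload = any(k in ("content", "pcre") for k in keys)
        wide_open = (rule["src"], rule["sport"], rule["dst"], rule["dport"]) == ("any",) * 4
        if wide_open and not has_payload:
            findings.append((lineno, "warning", "any any -> any any with no content/pcre matches every packet"))
        if rule["proto"] == "tcp" and has_payload and "flow" not in keys:
            findings.append((lineno, "info", "tcp payload rule without flow inspects both directions and unestablished sessions"))
    return findings


if __name__ == "__main__":
    for lineno, level, message in lint_rules(SAMPLE_RULES):
        print(f"local.rules:{lineno}: {level}: {message}")
```

Run the linter on the local rules file first and snort -T second: the linter reports the review problems (the duplicate sid on line 6 and the wide-open rule on line 4 above), while -T confirms that the whole configuration, including the distributed rules, still loads.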
HISTORY
Snort was originally created by Martin Roesch in 1998 as a simple packet sniffer and logger. It quickly evolved into a robust network intrusion detection system (NIDS) and gained widespread adoption. Roesch later founded Sourcefire, which continued Snort's development. In 2013, Cisco Systems acquired Sourcefire, including the Snort project. Despite the acquisition, Snort remains an actively developed open-source project, continuing its legacy as a foundational tool in network security.