snort

Sniffer mode

$ snort -v -i [eth0]

$ snort -dev -l [/var/log/snort] -i [eth0]

$ snort -c [/etc/snort/snort.conf] -i [eth0]

$ snort -T -c [/etc/snort/snort.conf]

$ snort -r [capture.pcap] -c [snort.conf]

$ snort -D -c [snort.conf] -i [eth0]

$ snort -A [fast] -c [snort.conf] -i [eth0]

snort [-c config] [-l logdir] [-i interface] [options]

snort is an open-source network intrusion detection and prevention system (IDS/IPS) that performs real-time traffic analysis and packet logging. It examines network traffic against a set of user-defined rules to detect attacks, probes, and suspicious activity.
The tool operates in three modes: sniffer mode displays packets on the console, logger mode records traffic to pcap files for offline analysis, and IDS mode applies detection rules and generates alerts. Rules use a flexible language that matches on protocol, content patterns, flow direction, and other packet characteristics.
Snort can operate inline as an IPS to actively block detected threats, or passively as an IDS that only monitors and alerts. Its rule format has become an industry standard, with thousands of community and commercial rules available for detecting known vulnerabilities, malware, and policy violations.

-c FILE

Configuration file.

Network interface.

Log directory.

Alert mode (fast, full, console).

Daemon mode.

Read pcap.

Test configuration.

Verbose.

Dump packet data.

Display link layer.

/etc/snort/snort.conf

Main configuration file defining network variables, preprocessors, output plugins, and rule paths.

Directory containing detection rule files loaded by the configuration.

Requires root for capture. Rule tuning needed. High bandwidth challenging.

Snort was created by Martin Roesch in 1998. It became the most widely deployed IDS, now maintained by Cisco.

suricata(1), tcpdump(1), zeek(1)