<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <!--Converted with LaTeX2HTML 2002-2-1 (1.71) original version by: Nikos Drakos, CBLU, University of Leeds * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan * with significant contributions from: Jens Lippmann, Marek Rouchal, Martin Wilck and others --> <HTML> <HEAD> <TITLE>Contents</TITLE> <META NAME="description" CONTENT="Contents"> <META NAME="keywords" CONTENT="snort_manual"> <META NAME="resource-type" CONTENT="document"> <META NAME="distribution" CONTENT="global"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1"> <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css"> <LINK REL="STYLESHEET" HREF="snort_manual.css"> <LINK REL="next" HREF="node2.html"> <LINK REL="previous" HREF="snort_manual.html"> <LINK REL="up" HREF="snort_manual.html"> </HEAD> <BODY > <!--Navigation Panel--> <B> Next:</B> <A NAME="tex2html107" HREF="node2.html">1. Snort Overview</A> <B> Up:</B> <A NAME="tex2html105" HREF="snort_manual.html">Snort<SUP>TM</SUP> Users Manual 2.3.3</A> <B> Previous:</B> <A NAME="tex2html99" HREF="snort_manual.html">Snort<SUP>TM</SUP> Users Manual 2.3.3</A> <BR> <BR> <!--End of Navigation Panel--> <BR> <H2><A NAME="SECTION00100000000000000000"> Contents</A> </H2> <!--Table of Contents--> <UL> <LI><A NAME="tex2html108" HREF="node2.html">1. 
Snort Overview</A> <UL> <LI><A NAME="tex2html109" HREF="node3.html">1.1 Getting Started</A> <LI><A NAME="tex2html110" HREF="node4.html">1.2 Sniffer Mode</A> <LI><A NAME="tex2html111" HREF="node5.html">1.3 Packet Logger Mode</A> <LI><A NAME="tex2html112" HREF="node6.html">1.4 Network Intrusion Detection Mode</A> <UL> <LI><A NAME="tex2html113" HREF="node6.html#SECTION00241000000000000000">1.4.1 NIDS Mode Output Options</A> <LI><A NAME="tex2html114" HREF="node6.html#SECTION00242000000000000000">1.4.2 Understanding Standard Alert Output</A> <LI><A NAME="tex2html115" HREF="node6.html#SECTION00243000000000000000">1.4.3 High Performance Configuration</A> <LI><A NAME="tex2html116" HREF="node6.html#SECTION00244000000000000000">1.4.4 Changing Alert Order</A> </UL> <LI><A NAME="tex2html117" HREF="node7.html">1.5 Inline Mode</A> <UL> <LI><A NAME="tex2html118" HREF="node7.html#SECTION00251000000000000000">1.5.1 Snort Inline Rule Application Order</A> <LI><A NAME="tex2html119" HREF="node7.html#SECTION00252000000000000000">1.5.2 New STREAM4 Options for Use with Snort Inline</A> <LI><A NAME="tex2html120" HREF="node7.html#SECTION00253000000000000000">1.5.3 Replacing Packets with Snort Inline</A> <LI><A NAME="tex2html121" HREF="node7.html#SECTION00254000000000000000">1.5.4 Installing Snort Inline</A> <LI><A NAME="tex2html122" HREF="node7.html#SECTION00255000000000000000">1.5.5 Running Snort Inline</A> <LI><A NAME="tex2html123" HREF="node7.html#SECTION00256000000000000000">1.5.6 Using the Honeynet Snort Inline Toolkit</A> <LI><A NAME="tex2html124" HREF="node7.html#SECTION00257000000000000000">1.5.7 Troubleshooting Snort Inline</A> </UL> <LI><A NAME="tex2html125" HREF="node8.html">1.6 Miscellaneous</A> <LI><A NAME="tex2html126" HREF="node9.html">1.7 More Information</A> </UL> <BR> <LI><A NAME="tex2html127" HREF="node10.html">2. 
Configuring Snort </A> <UL> <LI><A NAME="tex2html128" HREF="node10.html#SECTION00301000000000000000">2.0.1 Includes</A> <LI><A NAME="tex2html129" HREF="node10.html#SECTION00302000000000000000">2.0.2 Variables </A> <LI><A NAME="tex2html130" HREF="node10.html#SECTION00303000000000000000">2.0.3 Config</A> <LI><A NAME="tex2html131" HREF="node11.html">2.1 Preprocessors</A> <UL> <LI><A NAME="tex2html132" HREF="node11.html#SECTION00311000000000000000">2.1.1 Portscan Detector</A> <LI><A NAME="tex2html133" HREF="node11.html#SECTION00312000000000000000">2.1.2 Portscan Ignorehosts</A> <LI><A NAME="tex2html134" HREF="node11.html#SECTION00313000000000000000">2.1.3 sfPortscan</A> <LI><A NAME="tex2html135" HREF="node11.html#SECTION00314000000000000000">2.1.4 Frag2</A> <LI><A NAME="tex2html136" HREF="node11.html#SECTION00315000000000000000">2.1.5 Stream4</A> <LI><A NAME="tex2html137" HREF="node11.html#SECTION00316000000000000000">2.1.6 Flow</A> <LI><A NAME="tex2html138" HREF="node11.html#SECTION00317000000000000000">2.1.7 Flow-Portscan</A> <LI><A NAME="tex2html139" HREF="node11.html#SECTION00318000000000000000">2.1.8 Telnet Decode</A> <LI><A NAME="tex2html140" HREF="node11.html#SECTION00319000000000000000">2.1.9 RPC Decode</A> <LI><A NAME="tex2html141" HREF="node11.html#SECTION003110000000000000000">2.1.10 Performance Monitor</A> <LI><A NAME="tex2html142" HREF="node11.html#SECTION003111000000000000000">2.1.11 HTTP Inspect </A> <LI><A NAME="tex2html143" HREF="node11.html#SECTION003112000000000000000">2.1.12 ASN.1 Detection</A> <LI><A NAME="tex2html144" HREF="node11.html#SECTION003113000000000000000">2.1.13 X-Link2State Mini-Preprocessor</A> </UL> <LI><A NAME="tex2html145" HREF="node12.html">2.2 Event Thresholding</A> <UL> <LI><A NAME="tex2html146" HREF="node12.html#SECTION00321000000000000000">2.2.1 Standalone Options</A> <LI><A NAME="tex2html147" HREF="node12.html#SECTION00322000000000000000">2.2.2 Standalone Format</A> <LI><A NAME="tex2html148" 
HREF="node12.html#SECTION00323000000000000000">2.2.3 Rule Keyword Format</A> <LI><A NAME="tex2html149" HREF="node12.html#SECTION00324000000000000000">2.2.4 Rule Keyword Format</A> <LI><A NAME="tex2html150" HREF="node12.html#SECTION00325000000000000000">2.2.5 Examples</A> </UL> <LI><A NAME="tex2html151" HREF="node13.html">2.3 Event Suppression</A> <UL> <LI><A NAME="tex2html152" HREF="node13.html#SECTION00331000000000000000">2.3.1 Format</A> <LI><A NAME="tex2html153" HREF="node13.html#SECTION00332000000000000000">2.3.2 Examples</A> </UL> <LI><A NAME="tex2html154" HREF="node14.html">2.4 Snort Multi-Event Logging (Event Queue)</A> <UL> <LI><A NAME="tex2html155" HREF="node14.html#SECTION00341000000000000000">2.4.1 Event Queue Configuration Options</A> <LI><A NAME="tex2html156" HREF="node14.html#SECTION00342000000000000000">2.4.2 Event Queue Configuration Examples</A> </UL> <LI><A NAME="tex2html157" HREF="node15.html">2.5 Output Modules</A> <UL> <LI><A NAME="tex2html158" HREF="node15.html#SECTION00351000000000000000">2.5.1 alert_syslog </A> <LI><A NAME="tex2html159" HREF="node15.html#SECTION00352000000000000000">2.5.2 alert_fast</A> <LI><A NAME="tex2html160" HREF="node15.html#SECTION00353000000000000000">2.5.3 alert_full</A> <LI><A NAME="tex2html161" HREF="node15.html#SECTION00354000000000000000">2.5.4 alert_unixsock</A> <LI><A NAME="tex2html162" HREF="node15.html#SECTION00355000000000000000">2.5.5 log_tcpdump</A> <LI><A NAME="tex2html163" HREF="node15.html#SECTION00356000000000000000">2.5.6 database </A> <LI><A NAME="tex2html164" HREF="node15.html#SECTION00357000000000000000">2.5.7 csv</A> <LI><A NAME="tex2html165" HREF="node15.html#SECTION00358000000000000000">2.5.8 unified</A> <LI><A NAME="tex2html166" HREF="node15.html#SECTION00359000000000000000">2.5.9 log null</A> </UL> </UL> <BR> <LI><A NAME="tex2html167" HREF="node16.html">3. 
Writing Snort Rules: How to Write Snort Rules and Keep Your Sanity</A> <UL> <LI><A NAME="tex2html168" HREF="node17.html">3.1 The Basics</A> <LI><A NAME="tex2html169" HREF="node18.html">3.2 Rules Headers</A> <UL> <LI><A NAME="tex2html170" HREF="node18.html#SECTION00421000000000000000">3.2.1 Rule Actions </A> <LI><A NAME="tex2html171" HREF="node18.html#SECTION00422000000000000000">3.2.2 Protocols</A> <LI><A NAME="tex2html172" HREF="node18.html#SECTION00423000000000000000">3.2.3 IP Addresses</A> <LI><A NAME="tex2html173" HREF="node18.html#SECTION00424000000000000000">3.2.4 Port Numbers</A> <LI><A NAME="tex2html174" HREF="node18.html#SECTION00425000000000000000">3.2.5 The Direction Operator</A> <LI><A NAME="tex2html175" HREF="node18.html#SECTION00426000000000000000">3.2.6 Activate/Dynamic Rules</A> </UL> <LI><A NAME="tex2html176" HREF="node19.html">3.3 Rule Options</A> <LI><A NAME="tex2html177" HREF="node20.html">3.4 Meta-Data Rule Options</A> <UL> <LI><A NAME="tex2html178" HREF="node20.html#SECTION00441000000000000000">3.4.1 msg</A> <LI><A NAME="tex2html179" HREF="node20.html#SECTION00442000000000000000">3.4.2 reference</A> <LI><A NAME="tex2html180" HREF="node20.html#SECTION00443000000000000000">3.4.3 sid</A> <LI><A NAME="tex2html181" HREF="node20.html#SECTION00444000000000000000">3.4.4 rev </A> <LI><A NAME="tex2html182" HREF="node20.html#SECTION00445000000000000000">3.4.5 classtype</A> <LI><A NAME="tex2html183" HREF="node20.html#SECTION00446000000000000000">3.4.6 Priority</A> </UL> <LI><A NAME="tex2html184" HREF="node21.html">3.5 Payload Detection Rule Options</A> <UL> <LI><A NAME="tex2html185" HREF="node21.html#SECTION00451000000000000000">3.5.1 content</A> <LI><A NAME="tex2html186" HREF="node21.html#SECTION00452000000000000000">3.5.2 nocase</A> <LI><A NAME="tex2html187" HREF="node21.html#SECTION00453000000000000000">3.5.3 rawbytes </A> <LI><A NAME="tex2html188" HREF="node21.html#SECTION00454000000000000000">3.5.4 depth</A> <LI><A NAME="tex2html189" 
HREF="node21.html#SECTION00455000000000000000">3.5.5 offset</A> <LI><A NAME="tex2html190" HREF="node21.html#SECTION00456000000000000000">3.5.6 distance</A> <LI><A NAME="tex2html191" HREF="node21.html#SECTION00457000000000000000">3.5.7 within</A> <LI><A NAME="tex2html192" HREF="node21.html#SECTION00458000000000000000">3.5.8 uricontent</A> <LI><A NAME="tex2html193" HREF="node21.html#SECTION00459000000000000000">3.5.9 isdataat</A> <LI><A NAME="tex2html194" HREF="node21.html#SECTION004510000000000000000">3.5.10 pcre </A> <LI><A NAME="tex2html195" HREF="node21.html#SECTION004511000000000000000">3.5.11 byte_test</A> <LI><A NAME="tex2html196" HREF="node21.html#SECTION004512000000000000000">3.5.12 byte_jump</A> <LI><A NAME="tex2html197" HREF="node21.html#SECTION004513000000000000000">3.5.13 regex</A> <LI><A NAME="tex2html198" HREF="node21.html#SECTION004514000000000000000">3.5.14 content-list</A> </UL> <LI><A NAME="tex2html199" HREF="node22.html">3.6 Non-payload Detection Rule Options</A> <UL> <LI><A NAME="tex2html200" HREF="node22.html#SECTION00461000000000000000">3.6.1 fragoffset </A> <LI><A NAME="tex2html201" HREF="node22.html#SECTION00462000000000000000">3.6.2 ttl</A> <LI><A NAME="tex2html202" HREF="node22.html#SECTION00463000000000000000">3.6.3 tos</A> <LI><A NAME="tex2html203" HREF="node22.html#SECTION00464000000000000000">3.6.4 id</A> <LI><A NAME="tex2html204" HREF="node22.html#SECTION00465000000000000000">3.6.5 ipopts</A> <LI><A NAME="tex2html205" HREF="node22.html#SECTION00466000000000000000">3.6.6 fragbits</A> <LI><A NAME="tex2html206" HREF="node22.html#SECTION00467000000000000000">3.6.7 dsize</A> <LI><A NAME="tex2html207" HREF="node22.html#SECTION00468000000000000000">3.6.8 flags</A> <LI><A NAME="tex2html208" HREF="node22.html#SECTION00469000000000000000">3.6.9 flow</A> <LI><A NAME="tex2html209" HREF="node22.html#SECTION004610000000000000000">3.6.10 flowbits</A> <LI><A NAME="tex2html210" HREF="node22.html#SECTION004611000000000000000">3.6.11 seq</A> <LI><A 
NAME="tex2html211" HREF="node22.html#SECTION004612000000000000000">3.6.12 ack</A> <LI><A NAME="tex2html212" HREF="node22.html#SECTION004613000000000000000">3.6.13 window</A> <LI><A NAME="tex2html213" HREF="node22.html#SECTION004614000000000000000">3.6.14 itype</A> <LI><A NAME="tex2html214" HREF="node22.html#SECTION004615000000000000000">3.6.15 icode</A> <LI><A NAME="tex2html215" HREF="node22.html#SECTION004616000000000000000">3.6.16 icmp_id</A> <LI><A NAME="tex2html216" HREF="node22.html#SECTION004617000000000000000">3.6.17 icmp_seq</A> <LI><A NAME="tex2html217" HREF="node22.html#SECTION004618000000000000000">3.6.18 rpc</A> <LI><A NAME="tex2html218" HREF="node22.html#SECTION004619000000000000000">3.6.19 ip_proto</A> <LI><A NAME="tex2html219" HREF="node22.html#SECTION004620000000000000000">3.6.20 sameip</A> </UL> <LI><A NAME="tex2html220" HREF="node23.html">3.7 Post-Detection Rule Options</A> <UL> <LI><A NAME="tex2html221" HREF="node23.html#SECTION00471000000000000000">3.7.1 logto</A> <LI><A NAME="tex2html222" HREF="node23.html#SECTION00472000000000000000">3.7.2 session</A> <LI><A NAME="tex2html223" HREF="node23.html#SECTION00473000000000000000">3.7.3 resp</A> <LI><A NAME="tex2html224" HREF="node23.html#SECTION00474000000000000000">3.7.4 React</A> <LI><A NAME="tex2html225" HREF="node23.html#SECTION00475000000000000000">3.7.5 tag </A> </UL> <LI><A NAME="tex2html226" HREF="node24.html">3.8 Writing Good Rules</A> <UL> <LI><A NAME="tex2html227" HREF="node24.html#SECTION00481000000000000000">3.8.1 Content Matching</A> <LI><A NAME="tex2html228" HREF="node24.html#SECTION00482000000000000000">3.8.2 Catch the Vulnerability, Not the Exploit</A> <LI><A NAME="tex2html229" HREF="node24.html#SECTION00483000000000000000">3.8.3 Catch the Oddities of the Protocol in the Rule</A> <LI><A NAME="tex2html230" HREF="node24.html#SECTION00484000000000000000">3.8.4 Optimizing Rules</A> <LI><A NAME="tex2html231" HREF="node24.html#SECTION00485000000000000000">3.8.5 Testing Numerical Values 
</A> </UL> </UL> <BR> <LI><A NAME="tex2html232" HREF="node25.html">4. Making Snort Faster</A> <UL> <LI><A NAME="tex2html233" HREF="node26.html">4.1 MMAPed pcap</A> </UL> <BR> <LI><A NAME="tex2html234" HREF="node27.html">5. Snort Development</A> <UL> <LI><A NAME="tex2html235" HREF="node28.html">5.1 Submitting Patches</A> <LI><A NAME="tex2html236" HREF="node29.html">5.2 Snort dataflow</A> <UL> <LI><A NAME="tex2html237" HREF="node29.html#SECTION00621000000000000000">5.2.1 Preprocessors</A> <LI><A NAME="tex2html238" HREF="node29.html#SECTION00622000000000000000">5.2.2 Detection Plugins</A> <LI><A NAME="tex2html239" HREF="node29.html#SECTION00623000000000000000">5.2.3 Output Plugins</A> </UL> <LI><A NAME="tex2html240" HREF="node30.html">5.3 The Snort Team</A> </UL> <BR> <LI><A NAME="tex2html241" HREF="node31.html">Bibliography</A> </UL> <!--End of Table of Contents--> <P> <BR><HR> </BODY> </HTML>