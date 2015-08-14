

Snort is an open source, lightweight network intrusion detection system for Windows and Linux. It performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

It can detect various kinds of attacks and probes, including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes, and stealth port scans.

Snort can be configured to run in three modes:

Sniffer mode - reads the packets off the network and displays them in a continuous stream on the console (screen).

Packet Logger mode - logs the packets to disk.

Network Intrusion Detection System (NIDS) mode - performs detection and analysis on network traffic. This is the most complex and configurable mode.



Sniffer Mode

If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this:

./snort -v

This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else.

If you want to see the application data in transit, try the following:

./snort -vd

This instructs Snort to display the packet data as well as the headers.

If you want an even more descriptive display, showing the data link layer headers, do this:

./snort -vde



Note: The command line switches can be listed separately or in a combined form.

The last command could also be typed out as the following to produce the same result:

./snort -d -v -e
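
Sniffer mode only prints; making use of that stream is left to the reader. The following is an added example, not code from this page or from the Snort project: a small Python parser for the record layout that `snort -v` prints (timestamp and endpoints on the first line, an IP line whose first token is the protocol, a protocol-specific line with the TCP flags, and a `=+=+` rule between records), run over a constructed sample, with a heuristic that reports a source sending bare SYNs to several ports, the kind of stealth port scan mentioned earlier. The sample text and the flag-string layout are reconstructed from Snort 2.x output as I remember it, not taken from this page, so treat them as assumptions; the names `Packet`, `parse_snort_v`, `count_by_proto` and `syn_scan_sources` are mine.

```python
"""Parse Snort 2.x sniffer-mode (-v) console output and flag likely SYN scans."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the record layout `snort -v` prints (timestamp and
# endpoints, an IP line whose first token is the protocol, a protocol line,
# then a =+=+ rule). Assembled by hand for this example, not a live capture.
SAMPLE = """\
08/14-10:02:11.000001 192.168.1.77:40001 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:44
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x400  TcpLen: 24
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/14-10:02:11.000002 192.168.1.77:40002 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:44
******S* Seq: 0x1A2B3C4E  Ack: 0x0  Win: 0x400  TcpLen: 24
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/14-10:02:11.000003 192.168.1.77:40003 -> 192.168.1.10:443
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:44
******S* Seq: 0x1A2B3C4F  Ack: 0x0  Win: 0x400  TcpLen: 24
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/14-10:02:12.000004 192.168.1.20:51000 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0BADCAFE  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/14-10:02:12.000005 192.168.1.10:22 -> 192.168.1.20:51000
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x0EADBEEF  Ack: 0x0BADCAFF  Win: 0xFFFF  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/14-10:02:13.000006 192.168.1.20:53001 -> 192.168.1.10:53
UDP TTL:64 TOS:0x0 ID:6 IpLen:20 DgmLen:60
Len: 32
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/14-10:02:14.000007 192.168.1.20 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

@dataclass
class Packet:
    ts: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str = ""  # TCP flag field such as ******S*; empty for UDP/ICMP

# First line of every record: timestamp, then src[:port] -> dst[:port].
HEADER = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_snort_v(text: str) -> List[Packet]:
    """Cut the console stream at each =+=+ rule and decode one packet per chunk."""
    packets: List[Packet] = []
    for chunk in re.split(r"^=\+=\+.*$", text, flags=re.MULTILINE):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if not lines or not HEADER.match(lines[0]):
            continue  # empty chunk, startup banner, or other non-packet output
        ts, src, sport, dst, dport = HEADER.match(lines[0]).groups()
        proto = lines[1].split()[0] if len(lines) > 1 else "?"
        flags = lines[2].split()[0] if proto == "TCP" and len(lines) > 2 else ""
        packets.append(Packet(ts, proto, src, int(sport) if sport else None,
                              dst, int(dport) if dport else None, flags))
    return packets

def count_by_proto(packets: List[Packet]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for p in packets:
        counts[p.proto] += 1
    return dict(counts)

def syn_scan_sources(packets: List[Packet], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources that sent bare SYNs (no ACK set) to at least min_ports distinct ports.
    A SYN/ACK reply or an ordinary handshake to a single port does not trigger this."""
    targets: Dict[str, set] = defaultdict(set)
    for p in packets:
        if p.proto == "TCP" and "S" in p.flags and "A" not in p.flags:
            targets[p.src].add(p.dport)
    return {src: sorted(ports) for src, ports in targets.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    pkts = parse_snort_v(SAMPLE)
    print(count_by_proto(pkts))    # {'TCP': 5, 'UDP': 1, 'ICMP': 1}
    print(syn_scan_sources(pkts))  # {'192.168.1.77': [22, 80, 443]}
```

Feed it real output with `./snort -v | python3 this_script.py` after swapping SAMPLE for `sys.stdin.read()`; the header regex ignores Snort's banner lines, so only packet records are counted. The SYN-only test is deliberately crude (a single legitimate client opening several services would also trip it), which is exactly why the NIDS mode described later exists: the rule engine applies thresholds and stateful checks that a sniffer-side heuristic cannot.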

Packet Logger Mode

If you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically go into packet logger mode:

./snort -dev -l ./log

Of course, this assumes you have a directory named log in the current directory. If you don't, Snort exits with an error message rather than creating it. In this mode Snort collects every packet it sees and files it in a directory hierarchy named after the IP address of one of the hosts in the datagram. Because -d is included, the application payloads are written to disk as well, so the log directory should be readable only by the account running Snort.

If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets and sometimes it uses the local host address. In order to log relative to the home network, you need to tell Snort which network is the home network: