Using Snort



Obtaining and Building the Software

The current version of snort can be downloaded from the Snort Home Page. There are also instructions on obtaining the development version of snort, either as a snapshot image or via CVS. Here you will also find information on joining the snort mailing list. Once you have downloaded the software, unpack it by typing:
   tar -xzf snort-1.6.tar.gz
   
This will create the directory snort-1.6 in the current working directory. Now type:
   cd snort-1.6
   ./configure
   make
   
If everything goes well, you will now have a compiled snort binary in the source directory. To verify that the software was built correctly, type:
   ./snort
   
A page full of usage information should scroll past. If not, examine the output from the make command for errors, correct them, and rebuild.
The final step is to install the software. This can be done either by copying the executable to an appropriate directory on your PATH or by typing (as root):
   make install
   

Running Snort

There are many ways to run snort. It can be used as a sniffer (similar to tcpdump or snoop). It can be run to analyze data from a tcpdump-format capture file. Here, I am going to concentrate on running snort as a rule-based IDS on live traffic. I encourage people to read the man page and examine the options I have not presented here.

Output Options

There are several command-line options that configure the way snort produces output. To confuse things even more, you can now use output plugins that also affect the way snort produces output. I will cover output plugins later (even though some of them do the same thing as a command-line option). I am also going to ignore options that deal with output to stdout; again, look in the man page.

Alert Options
There are three options that affect snort alerts. They are mutually exclusive: if more than one is given, syslog alerts (-s) override SMB alerts (-M), which override alert-file alerts (-A). If no alert option is given, snort defaults to "-A full".

-A fast|full|none|unsock
This option sets the alert mode for the snort alert file. The choices are fast, full, none, and unsock. fast alerting logs one line per alert containing the timestamp, source IP and port, destination IP and port, and the message defined in the alert rule. full alerting provides the same information as fast alerting, plus the decoded packet headers, written into the alert file. none disables alerting completely. unsock passes the alert information over a UNIX domain socket to a monitoring program. I will look into this in more detail and write a special section on using it. Currently there is no output plugin that provides this functionality.
About the Alert File
In daemon mode, the alert file is "/var/log/snort.alert". This can be changed by redefining DEFAULT_DAEMON_ALERT_FILE in snort.h and recompiling. If snort is not running in daemon mode, the file is $log_dir/alert, i.e. a file named alert inside the logging directory. In future versions of snort there will probably be a way to select this filename without recompiling.
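The one-line-per-alert layout of fast mode makes the alert file easy to consume from a monitoring script. The following is an added example, not code from the original page or from the Snort project: a small Python parser that reads a "-A fast" alert file and summarises it by source address and by rule message. It assumes the line layout "timestamp [**] message [**] src:port -> dst:port" (with no ports on ICMP alerts), which is an assumption based on the fields listed above; it also tolerates the extra bracketed fields that later snort versions insert. The alert lines embedded in it are constructed for the example, not captured from a real sensor.

```python
"""Summarise a Snort "-A fast" alert file.

Added example; not code from the original page or from the Snort project.
Assumed line layout (an assumption based on the fields fast mode logs):

    MM/DD-HH:MM:SS.usec  [**] message [**] src[:port] -> dst[:port]

Later snort versions add "[Classification: ...]", "[Priority: n]" and
"{PROTO}" between the message and the addresses; the regex below skips
those if present but does not require them.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample alert lines (not captured from a real sensor).
SAMPLE_ALERTS = """\
07/19-13:02:11.123456  [**] WEB-MISC /etc/passwd [**] 10.0.0.7:41022 -> 192.168.1.10:80
07/19-13:02:11.987654  [**] WEB-MISC /etc/passwd [**] 10.0.0.7:41023 -> 192.168.1.10:80
07/19-13:02:12.000001  [**] ICMP PING NMAP [**] 10.0.0.7 -> 192.168.1.10
07/19-13:05:40.500000  [**] MISC Large ICMP Packet [**] 172.16.4.4 -> 192.168.1.11
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]\s*"
    r"(?:\[[^\]]*\]\s*)*"            # optional [Classification: ...] etc.
    r"(?:\{[A-Z]+\}\s*)?"            # optional {TCP} / {UDP} / {ICMP}
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class FastAlert:
    timestamp: str
    message: str
    src: str
    sport: Optional[int]   # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[FastAlert]:
    """Return a FastAlert for one fast-mode line, or None if it is not one."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return FastAlert(
        timestamp=m["ts"],
        message=m["msg"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_alerts(lines: Iterable[str]) -> List[FastAlert]:
    """Parse every line, skipping anything that is not a fast-mode alert."""
    return [a for a in (parse_line(l) for l in lines) if a is not None]


def alerts_by_source(alerts: Iterable[FastAlert]) -> Counter:
    """Count alerts per source address: the first thing to look at when triaging."""
    return Counter(a.src for a in alerts)


def top_messages(alerts: Iterable[FastAlert], n: int = 3) -> List[Tuple[str, int]]:
    """The n most frequently firing rule messages."""
    return Counter(a.message for a in alerts).most_common(n)


if __name__ == "__main__":
    # Usage: python fastalerts.py [/path/to/alert]; with no path, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            parsed = parse_alerts(fh)
    else:
        parsed = parse_alerts(SAMPLE_ALERTS.splitlines())
    for src, count in alerts_by_source(parsed).most_common():
        print(f"{count:6d}  {src}")
    for msg, count in top_messages(parsed):
        print(f"{count:6d}  {msg}")
```

Because fast mode carries no packet data, a script like this can only count and correlate; when a source needs closer inspection, switch to "-A full" (or the packet logs) for the same time window.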

-M smb_host_file
This option configures snort to send alert messages via the WinPopup mechanism. The smb_host_file contains the list of hosts (one per line) to send the messages to. To use this option you must have samba installed on the machine running snort. If both this and the -A option are used on the command line, this option takes precedence. There is currently no output plugin that provides this functionality.

-s
This option configures snort to send alert messages to syslog. They are sent with the facility LOG_AUTHPRIV and the priority LOG_ALERT (LOG_AUTHPRIV|LOG_ALERT in the source). This can be changed by editing the source file, but not trivially (the value appears at least five times). If this option is used with the -A and/or -M options on the command line, this option takes precedence. In addition to enabling syslog alerts on the command line, you can also use the spo_alert_syslog plugin by enabling it in the rules file. More information on this is given later.

Running in the background
There is a flag that tells snort to fork and run in the background (daemon mode). Most users will want this when they run snort as a production system. The option is

  -D
  


Copyright 2000 Andrew R. Baker