
Snort (Packet Sniffing and Logging mode) Part I

Posted: Fri Aug 01, 2008 11:08 am
by nasacis
Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS)
capable of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch
and is now developed by Sourcefire, of which Roesch is the founder and CTO. Integrated enterprise versions with
purpose-built hardware and commercial support services are sold by Sourcefire.

Snort performs protocol analysis, content searching/matching, and is commonly used to actively block or passively detect
a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS
fingerprinting attempts, amongst other features. The software is mostly used for intrusion prevention purposes, by
dropping attacks as they are taking place. Snort can be combined with other software such as SnortSnarf, sguil, OSSIM,
and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data. With patches for
the Snort source from Bleeding Edge Threats, support for packet stream antivirus scanning with ClamAV and network
abnormality with SPADE in network layers 3 and 4 is possible with historical observation. (These patches seem to be no
longer maintained.)

Gathering the Required Software
This paper is based on the most recent version of Snort, v2.8.2.1.

Snort requires libpcap for packet capturing. BSD derivatives typically include libpcap; Linux typically does not, so libpcap
should be installed before proceeding to install Snort.


# cd /usr/src
# wget
# tar zxvf snort-
# cd snort-
# ./configure
# make
# make check    (optional: runs the self tests)
# make install

Using Snort
To see how Snort can be used to read packets off the wire, try the following commands.
Snort works in 3 modes, but I describe 2 modes here; the 3rd mode will be uploaded shortly.

1. Packet Sniffer Mode
- snort -v (TCP/UDP/ICMP/IP) Headers
- snort -vd (application layer)
- snort -vde (data-link layer (MAC))
- snort -vde -i interface src host ipaddress and dst host ipaddress # see the example on very next line
snort -vde -i eth0 src host and dst host
- snort -vde -i interface src host ipaddress and dst port portno # see the example on very next line
snort -vde -i eth0 src host and dst port 22
2. Packet Logger Mode
ASCII Logging
- mkdir /temp
- cd /temp
- snort -vde -l ./
- snort -vde -l ./ -i interface src host ipaddress and dst port portno
- snort -vde -l ./ -i interface src host ipaddress
Binary Logging
- snort -b -L snort_binary.log -l ./ -i interface src host ipaddress
- snort -dev -r (read binary file)
- snort -dev -r src host ipaddress and dst port portno (read binary file with a filter)
- snort -dev -r src host ipaddress and dst port not portno (read binary file with a filter)
- Tie Snort to multiple interfaces
- snort -b -L snort_eth0 -i eth0 <BPFs>
- snort -b -L snort_eth1 -i eth1 <BPFs>

Notice snort even generates a nice table of statistics. Unfortunately, snort cannot provide packet loss statistics under
Linux but is able to do so under both FreeBSD and Solaris.

NIDS and NIPS modes will be uploaded very shortly, be patient :)

For any comments, feedback and correction, kindly mail me
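
As an added example that is not part of the post above: the binary log written with snort -b -L is in libpcap format, so the read-back with a filter such as "snort -dev -r snort_binary.log src host 10.0.0.5 and dst port 22" can be reproduced with a small parser. The Python script below builds a constructed three-packet log in memory (all addresses, ports and the file layout are sample values, not captured traffic) and applies the same src host / dst port selection to it.

```python
import struct
from ipaddress import ip_address

def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet + IPv4 + TCP SYN frame (checksums left at 0; enough to filter on)."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + tcp

def build_pcap(frames):
    """Serialise frames in libpcap format (what snort -b -L writes): magic, v2.4, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_log(data, src_host=None, dst_port=None):
    """Walk a pcap byte string like snort -r and return (src, dst, sport, dport) for each
    TCP packet that passes the optional 'src host X and dst port N' filter."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # pcap byte order is whatever the writer used
    pos, matches = 24, []
    while pos + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, pos)
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4/TCP: skip
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 4:
            continue                                  # truncated TCP header: skip
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        if (src_host is None or src == src_host) and (dst_port is None or dport == dst_port):
            matches.append((src, dst, sport, dport))
    return matches

def sample_log():
    """Constructed three-packet log: two SSH SYNs and one HTTP SYN towards 10.0.0.9."""
    return build_pcap([build_frame("10.0.0.5", "10.0.0.9", 40000, 22),
                       build_frame("10.0.0.7", "10.0.0.9", 40001, 22),
                       build_frame("10.0.0.5", "10.0.0.9", 40002, 80)])

if __name__ == "__main__":
    # Same selection as: snort -dev -r snort_binary.log src host 10.0.0.5 and dst port 22
    for src, dst, sport, dport in read_log(sample_log(), "10.0.0.5", 22):
        print("%s:%d -> %s:%d" % (src, sport, dst, dport))
```

To run it against a real log, replace sample_log() with the bytes of the file snort wrote with -b -L; the parser ignores non-IPv4 and non-TCP frames rather than failing on them.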


Posted: Fri Aug 01, 2008 12:47 pm
by lambda
A lot of people will just need to install the snort package that is part of their distribution.

Posted: Fri Aug 01, 2008 2:09 pm
by nasacis
Sorry, I could not understand what you wanna say?

Posted: Fri Aug 01, 2008 4:56 pm
by lambda
apt-get install snort

yum install snort


Posted: Fri Aug 01, 2008 6:20 pm
by nasacis
Compiling packages from source is more flexible than using precompiled packages.

Posted: Sat Aug 02, 2008 12:30 am
by lambda
...except nothing you've pasted up above makes use of any special configuration options that are not provided by precompiled packages.

Posted: Sat Aug 02, 2008 10:51 am
by nasacis
Because I just used Snort in a simple configuration. I will upload an updated version of this how-to very shortly with special configuration options which would not be available with precompiled packages.