Provided by: snort-pgsql_2.3.3-5ubuntu2_i386 bug


       Snort - open source network intrusion detection system


       snort   [-bCdDeGINoOpqsTUvVxXyz?]   [-A   alert-mode   ]  [-B  address-
       conversion-mask ] [-c rules-file ] [-F bpf-file ]  [-g  grpname  ]  [-h
       home-net  ]  [-i interface ] [-k checksum-mode ] [-l log-dir ] [-L bin-
       log-file ] [-m umask  ]  [-n  packet-count  ]  [-P  snap-length  ]  [-r
       tcpdump-file  ] [-S variable=value ] [-t chroot_directory ] [-u usrname
       ] expression


       Snort is an open source network intrusion detection system, capable  of
       performing   real-time  traffic  analysis  and  packet  logging  on  IP
       networks.  It can perform protocol analysis, content searching/matching
       and  can  be  used  to  detect a variety of attacks and probes, such as
       buffer overflows, stealth port  scans,  CGI  attacks,  SMB  probes,  OS
       fingerprinting  attempts,  and  much more.  Snort uses a flexible rules
       language to describe traffic that it should collect or pass, as well as
       a  detection engine that utilizes a modular plugin architecture.  Snort
       also  has  a  modular  real-time  alerting  capability,   incorporating
       alerting  and  logging  plugins  for  syslog,  a ASCII text files, UNIX
       sockets, database (Mysql/PostgreSQL/Oracle/ODBC) or XML.

       Snort has three primary uses.  It can be  used  as  a  straight  packet
       sniffer  like  tcpdump(1),  a packet logger (useful for network traffic
       debugging, etc), or as a full blown network intrusion detection system.

       Snort  logs  packets  in  tcpdump(1) binary format, to a database or in
       Snort’s decoded ASCII format to a hierarchy of logging directories that
       are named based on the IP address of the "foreign" host.


       -A alert-mode
              Alert using the specified alert-mode.  Valid alert modes include
              fast, full, none, and unsock.  Fast writes alerts to the default
              "alert" file in a single-line, syslog style alert message.  Full
              writes the alert to the  "alert"  file  with  the  full  decoded
              header  as  well as the alert message.  None turns off alerting.
              Unsock is an experimental mode that sends the alert  information
              out  over a UNIX socket to another process that attaches to that

       -b     Log packets in a tcpdump(1) formatted file.    All  packets  are
              logged  in  their native binary state to a tcpdump formatted log
              file named with the snort start timestamp and "snort.log".  This
              option results in much faster operation of the program
               since  it doesn’t have to spend time in the packet binary->text
              converters.  Snort can keep up pretty well with 100Mbps networks
              in  ’-b’  mode.   To choose an alternate name for the binary log
              file, use the ’-L’ switch.

       -B address-conversion-mask
              Convert all IP addresses in home-net to addresses  specified  by
              address-conversion-mask.   Used to obfuscate IP addresses within
              binary logs. Specify home-net with the ’-h’ switch.   Note  this
              is not the same as $HOME_NET.

       -c config-file
              Use the rules located in file config-file.

       -C     Print  the character data from the packet payload only (no hex).

       -d     Dump the application  layer  data  when  displaying  packets  in
              verbose or packet logging mode.

       -D     Run    Snort    in    daemon   mode.    Alerts   are   sent   to
              /var/log/snort/alert unless otherwise specified.

       -e     Display/log the link layer packet headers.

       -F bpf-file
              Read BPF filters  from  bpf-file.   This  is  handy  for  people
              running  Snort  as  a SHADOW replacement or with a love Of super
              complex BPF filters.  See the "expressions" section of this  man
              page for more info on writing BPF fileters.

       -g group
              Change   the   group/GID   Snort   runs  under  to  group  after
              initialization.   This  switch  allows  Snort   to   drop   root
              priveleges  after  it’s  initialization phase has completed as a
              security measure.

       -h home-net
              Set the "home network" to home-net.  The format of this  address
              variable  is  a  network  prefix  plus  a  CIDR  block,  such as
      Once this variable is set, all  decoded  packet
              logging will be done relative to the home network address space.
              This is useful because of the way that Snort formats  its  ASCII
              log data.  With this value set to the local network, all decoded
              output will be logged into decode directories with  the  address
              of  the  foreign  computer  as the directory name, which is very
              useful during traffic analysis.

       -i interface
              Sniff packets on interface.

       -I     Print out the receiving interface name in alerts.

       -k checksum-mode
              Tune  the  internal  checksum  verification  functionality  with
              alert-mode.   Valid  checksum  modes  include  all, noip, notcp,
              noudp, noicmp, and none.  All  activates  checksum  verification
              for  all  supported  protocols.   Noip  turns  off  IP  checksum
              verification, which is handy if the gateway  router  is  already
              dropping  packets  that  fail  their  IP checksum checks.  Notcp
              turns off TCP checksum verification, all  other  checksum  modes
              are  on.   noudp  turns  off  UDP checksum verification.  Noicmp
              turns off ICMP checksum verification.  None turns off the entire
              checksum verification subsystem.

       -l log-dir
              Set  the  output  logging  directory to log-dir.  All plain text
              alerts and packet logs go into this directory.  If  this  option
              is  not  specified,  the  default  logging  directory  is set to

       -L binary-log-file
              Set the filename of the binary log file to binary-log-file.   If
              this switch is not used, the default name is a timestamp for the
              time that the file is created plus "snort.log".

       -m umask
              Set the file mode creation mask to umask

       -n packet-count
              Process packet-count packets and exit.

       -N     Turn off packet logging.  The  program  still  generates  alerts

       -o     Change  the  order  in  which  the rules are applied to packets.
              Instead of being applied in the standard Alert->Pass->Log order,
              this will apply them in Pass->Alert->Log order.

       -O     Obfuscate the IP addresses when in ASCII packet dump mode.  This
              switch  changes  the  IP  addresses  that  get  printed  to  the
              screen/log  file  to  "".  If the homenet address
              switch is set (-h),  only  addresses  on  the  homenet  will  be
              obfuscated while non- homenet IPs will be left visible.  Perfect
              for posting to your favorite security mailing list!

       -p     Turn off promiscuous mode sniffing.

       -P snap-length
              Set the packet snaplen to snap-length

       -q     Quiet  operation.   Don’t  display  banner  and   initialization

       -r tcpdump-file
              Read  the  tcpdump-formatted file tcpdump-file.  This will cause
              Snort to read and process the file fed to it.   This  is  useful
              if,  for  instance,  you’ve got a bunch of SHADOW files that you
              want to process for content, or even if you’ve got  a  bunch  of
              reassembled  packet  fragments  which  have  been written into a
              tcpdump formatted file.

       -s     Send alert messages to syslog.  On linux boxen, they will appear
              in /var/log/secure, /var/log/messages on many other platforms.

       -S variable=value
              Set  variable  name "variable" to value "value".  This is useful
              for setting the value of a defined  variable  name  in  a  Snort
              rules  file to a command line specified value.  For instance, if
              you define a HOME_NET variable name  inside  of  a  Snort  rules
              file,  you  can set this value from it’s predefined value at the
              command line.

       -t chroot
              Changes Snort’s root directory to chroot  after  initialization.
              Please  note  that  all  log/alert filenames are relative to the
              chroot directory if chroot is used.

       -T     Snort will start up in self-test mode, checking all the supplied
              command  line switches and rules files that are handed to it and
              indicating that everything is ready to proceed.  This is a  good
              switch  to  use  if daemon mode is going to be used, it verifies
              that the Snort configuration that is about to be used  is  valid
              and  won’t  fail  at  run  time.  Note,  Snort  looks for either
              /etc/snort.conf  or  ./snort.conf.    If   your   config   lives
              elsewhere, use the -c option to specify a valid config-file.

       -u user
              Change   the   user/UID   Snort   runs   under   to  user  after

       -U     Changes the timestamp in all logs to be in UTC

       -v     Be verbose.  Prints packets out to the console.   There  is  one
              big  problem with verbose mode: it’s slow.  If you are doing IDS
              work with Snort, dont  use  the  ’-v’  switch,  you  WILL  drop

       -V     Show the version number and exit.

       -X     Dump  the  raw  packet  data  starting  at the link layer.  This
              switch overrides the ’-d’ switch.

       -y     Include the year in alert and log files

       -z     The -z switch is used in concert with the  stream4  preprocessor
              code.   It  takes  advantage  of  stream4’s  stateful inspection
              capabilities to reduce the amount of spoofing that may  be  done
              against  Snort.   By  default, snort doesn’t worry about the TCP
              state of a packet when it’s about to issue  an  alert.   The  -z
              switch  tells  Snort  to  only  allow alerts to be generated for
              packets that are part of a  known,  established  session.   This
              allows  Snort  to  greatly  reduce the effect of anti-NIDS tools
              like stick and snot.

       -?     Show the program usage statement and exit.

              selects which packets will  be  dumped.   If  no  expression  is
              given,  all  packets on the net will be dumped.  Otherwise, only
              packets for which expression is ‘true’ will be dumped.

              The expression consists of one or more  primitives.   Primitives
              usually  consist  of  an  id (name or number) preceded by one or
              more qualifiers.  There are three different kinds of qualifier:

              type   qualifiers say what kind of thing the id name  or  number
                     refers to.  Possible types are host, net and port.  E.g.,
                     ‘host foo’, ‘net 128.3’, ‘port 20’.  If there is no  type
                     qualifier, host is assumed.

              dir    qualifiers  specify  a  particular  transfer direction to
                     and/or from id.  Possible directions are src, dst, src or
                     dst  and  src and dst.  E.g., ‘src foo’, ‘dst net 128.3’,
                     ‘src  or  dst  port  ftp-data’.   If  there  is  no   dir
                     qualifier, src or dst is assumed.  For ‘null’ link layers
                     (i.e. point to point protocols such as slip) the  inbound
                     and  outbound qualifiers can be used to specify a desired

              proto  qualifiers restrict the match to a  particular  protocol.
                     Possible  protos are: ether, fddi, ip, arp, rarp, decnet,
                     lat, sca, moprc, mopdl, tcp and udp.   E.g.,  ‘ether  src
                     foo’,  ‘arp  net  128.3’,  ‘tcp port 21’.  If there is no
                     proto qualifier, all protocols consistent with  the  type
                     are  assumed.  E.g., ‘src foo’ means ‘(ip or arp or rarp)
                     src foo’ (except the latter is not  legal  syntax),  ‘net
                     bar’  means  ‘(ip  or arp or rarp) net bar’ and ‘port 53’
                     means ‘(tcp or udp) port 53’.

              [‘fddi’ is actually an alias for ‘ether’; the parser treats them
              identically  as  meaning  ‘‘the  data  link  level  used  on the
              specified network interface.’’  FDDI headers  contain  Ethernet-
              like   source  and  destination  addresses,  and  often  contain
              Ethernet-like packet types, so you  can  filter  on  these  FDDI
              fields just as with the analogous Ethernet fields.  FDDI headers
              also contain other fields, but you cannot name  them  explicitly
              in a filter expression.]

              In  addition  to  the  above, there are some special ‘primitive’
              keywords that don’t  follow  the  pattern:  gateway,  broadcast,
              less,  greater  and  arithmetic  expressions.   All of these are
              described below.

              More complex filter expressions are built up by using the  words
              and,  or and not to combine primitives.  E.g., ‘host foo and not
              port ftp and not port  ftp-data’.   To  save  typing,  identical
              qualifier lists can be omitted.  E.g., ‘tcp dst port ftp or ftp-
              data or domain’ is exactly the same as ‘tcp dst port ftp or  tcp
              dst port ftp-data or tcp dst port domain’.

              Allowable primitives are:

              dst host host
                     True  if  the IP destination field of the packet is host,
                     which may be either an address or a name.

              src host host
                     True if the IP source field of the packet is host.

              host host
                     True if either the IP source or destination of the packet
                     is  host.   Any  of  the  above  host  expressions can be
                     prepended with the keywords, ip, arp, or rarp as in:
                          ip host host
                     which is equivalent to:
                          ether proto \ip and host host
                     If host is  a  name  with  multiple  IP  addresses,  each
                     address will be checked for a match.

              ether dst ehost
                     True if the ethernet destination address is ehost.  Ehost
                     may be either a name from /etc/ethers or  a  number  (see
                     ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination address
                     is ehost.

              gateway host
                     True if the packet used host as  a  gateway.   I.e.,  the
                     ethernet  source  or  destination  address  was  host but
                     neither the IP source nor the IP  destination  was  host.
                     Host  must be a name and must be found in both /etc/hosts
                     and /etc/ethers.  (An equivalent expression is
                          ether host ehost and not host host
                     which can be used with either names or numbers for host /

              dst net net
                     True  if  the  IP destination address of the packet has a
                     network number of net. Net may  be  either  a  name  from
                     /etc/networks  or  a  network number (see networks(4) for

              src net net
                     True if the IP source address of the packet has a network
                     number of net.

              net net
                     True  if  either  the IP source or destination address of
                     the packet has a network number of net.

              net net mask mask
                     True if the IP address  matches  net  with  the  specific
                     netmask.  May be qualified with src or dst.

              net net/len
                     True  if  the  IP  address matches net a netmask len bits
                     wide.  May be qualified with src or dst.

              dst port port
                     True if  the  packet  is  ip/tcp  or  ip/udp  and  has  a
                     destination port value of port.  The port can be a number
                     or  a  name  used  in  /etc/services  (see  tcp(4P)   and
                     udp(4P)).   If  a  name is used, both the port number and
                     protocol are checked.  If a number or ambiguous  name  is
                     used, only the port number is checked (e.g., dst port 513
                     will print both tcp/login traffic  and  udp/who  traffic,
                     and port domain will print both tcp/domain and udp/domain

              src port port
                     True if the packet has a source port value of port.

              port port
                     True if either the source  or  destination  port  of  the
                     packet is port.  Any of the above port expressions can be
                     prepended with the keywords, tcp or udp, as in:
                          tcp src port port
                     which matches only tcp packets whose source port is port.

              less length
                     True  if  the  packet  has a length less than or equal to
                     length.  This is equivalent to:
                          len <= length.

              greater length
                     True if the packet has a length greater than or equal  to
                     length.  This is equivalent to:
                          len >= length.

              ip proto protocol
                     True  if  the  packet  is  an  ip  packet (see ip(4P)) of
                     protocol type protocol.  Protocol can be a number or  one
                     of  the names icmp, igrp, udp, nd, or tcp.  Note that the
                     identifiers tcp, udp, and icmp are also keywords and must
                     be escaped via backslash (\), which is \\ in the C-shell.

              ether broadcast
                     True if the packet is an ethernet broadcast packet.   The
                     ether keyword is optional.

              ip broadcast
                     True  if the packet is an IP broadcast packet.  It checks
                     for  both   the   all-zeroes   and   all-ones   broadcast
                     conventions, and looks up the local subnet mask.

              ether multicast
                     True  if the packet is an ethernet multicast packet.  The
                     ether  keyword  is  optional.   This  is  shorthand   for
                     ‘ether[0] & 1 != 0’.

              ip multicast
                     True if the packet is an IP multicast packet.

              ether proto protocol
                     True  if  the packet is of ether type protocol.  Protocol
                     can be a number or a name like ip, arp,  or  rarp.   Note
                     these  identifiers  are also keywords and must be escaped
                     via backslash (\).  [In the case  of  FDDI  (e.g.,  ‘fddi
                     protocol  arp’),  the  protocol identification comes from
                     the 802.2 Logical Link Control  (LLC)  header,  which  is
                     usually  layered  on  top  of  the  FDDI header.  Tcpdump
                     assumes, when filtering on the protocol identifier,  that
                     all  FDDI packets include an LLC header, and that the LLC
                     header is in so-called SNAP format.]

              decnet src host
                     True if the DECNET source address is host, which  may  be
                     an address of the form ‘‘10.123’’, or a DECNET host name.
                     [DECNET host name support is  only  available  on  Ultrix
                     systems that are configured to run DECNET.]

              decnet dst host
                     True if the DECNET destination address is host.

              decnet host host
                     True  if  either the DECNET source or destination address
                     is host.

              ip, arp, rarp, decnet
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.  Note  that  Snort
                     does not currently know how to parse these protocols.

              tcp, udp, icmp
                     Abbreviations for:
                          ip proto p
                     where p is one of the above protocols.

              expr relop expr
                     True  if  the relation holds, where relop is one of >, <,
                     >=, <=, =, !=,  and  expr  is  an  arithmetic  expression
                     composed  of  integer  constants (expressed in standard C
                     syntax), the normal binary operators [+, -, *, /, &,  |],
                     a length operator, and special packet data accessors.  To
                     access data inside the packet, use the following syntax:
                          proto [ expr : size ]
                     Proto is one of ether, fddi, ip, arp, rarp, tcp, udp,  or
                     icmp,  and  indicates  the  protocol  layer for the index
                     operation.  The byte offset, relative  to  the  indicated
                     protocol  layer,  is given by expr.  Size is optional and
                     indicates the number of bytes in the field  of  interest;
                     it  can be either one, two, or four, and defaults to one.
                     The length operator, indicated by the keyword len,  gives
                     the length of the packet.

                     For  example,  ‘ether[0]  & 1 != 0’ catches all multicast
                     traffic.  The expression ‘ip[0] & 0xf != 5’  catches  all
                     IP packets with options. The expression ‘ip[6:2] & 0x1fff
                     = 0’ catches only unfragmented datagrams and frag zero of
                     fragmented  datagrams.   This check is implicitly applied
                     to the tcp  and  udp  index  operations.   For  instance,
                     tcp[0] always means the first byte of the TCP header, and
                     never means the first byte of an intervening fragment.

              Primitives may be combined using:

                     A  parenthesized  group  of  primitives   and   operators
                     (parentheses  are  special  to  the  Shell  and  must  be

                     Negation (‘!’ or ‘not’).

                     Concatenation (‘&&’ or ‘and’).

                     Alternation (‘||’ or ‘or’).

              Negation has highest precedence.  Alternation and  concatenation
              have  equal  precedence  and associate left to right.  Note that
              explicit and tokens, not juxtaposition,  are  now  required  for

              If  an  identifier  is  given without a keyword, the most recent
              keyword is assumed.  For example,
                   not host vs and ace
              is short for
                   not host vs and host ace
              which should not be confused with
                   not ( host vs or ace )

              Expression arguments can be passed to Snort as either  a  single
              argument or as multiple arguments, whichever is more convenient.
              Generally, if the expression contains Shell  metacharacters,  it
              is  easier  to  pass  it as a single, quoted argument.  Multiple
              arguments are concatenated with spaces before being parsed.


       Snort uses a simple but flexible rules  language  to  describe  network
       packet  signatures  and associate them with actions.  The current rules
       document can be found at


       The following signals have the specified effect when sent to the daemon
       process using the kill(1) command:

       SIGHUP Causes the daemon to close all opened files and restart.  Please
              note that this will only work if the full pathname  is  used  to
              invoke snort in daemon mode, otherwise snort will just exit with
              an error message being sent to syslogd(8)

              Causes the  program  to  dump  its  current  packet  statistical
              information to the cosole or syslogd(8) if in daemon mode.

       Any  other signal causes the daemon to close all opened files and exit.


       Snort has been freely available under the GPL license since 1998.


       Snort returns a 0 on a successful exit, 1 if it exits on an error.


       After consulting the BUGS file included with the  source  distribution,
       send bug reports to


       Martin Roesch <>


       tcpdump(1), pcap(3)

                                   July 2001                          SNORT(8)