Provided by: snort_2.9.15.1-6build1_amd64 bug


       Snort - open source network intrusion detection system


       snort  [-bCdDeEfHIMNOpqQsTUvVwWxXy?]  [-A  alert-mode  ] [-B address-conversion-mask ] [-c
       rules-file ] [-F bpf-file ] [-g group-name ] [-G id ] [-h home-net ] [-i interface  ]  [-k
       checksum-mode  ]  [-K  logging-mode  ]  [-l  log-dir  ] [-L bin-log-file ] [-m umask ] [-n
       packet-count ] [-P snap-length ] [-r tcpdump-file ] [-R name ] [-S  variable=value  ]  [-t
       chroot_directory ] [-u user-name ] [-Z pathname ] [--logid id ] [--perfmon-file pathname ]
       [--pid-path pathname ] [--snaplen snap-length ] [--help ] [--version ]  [--dynamic-engine-
       lib   file   ]  [--dynamic-engine-lib-dir  directory  ]  [--dynamic-detection-lib  file  ]
       [--dynamic-detection-lib-dir directory ]  [--dump-dynamic-rules  directory  ]  [--dynamic-
       preprocessor-lib  file ] [--dynamic-preprocessor-lib-dir directory ] [--dynamic-output-lib
       file ] [--dynamic-output-lib-dir directory ] [--alert-before-pass ] [--treat-drop-as-alert
       ]  [--treat-drop-as-ignore  ]  [--process-all-events  ] [--enable-inline-test ] [--create-
       pidfile ] [--nolock-pidfile ] [--no-interface-pidfile ] [--disable-attribute-reload-thread
       ]  [--pcap-single=  tcpdump-file  ] [--pcap-filter= filter ] [--pcap-list= list ] [--pcap-
       dir= directory ] [--pcap-file= file ] [--pcap-no-filter ] [--pcap-reset ] [--pcap-reload ]
       [--pcap-show  ]  [--exit-check  count  ]  [--conf-error-out  ]  [--enable-mpls-multicast ]
       [--enable-mpls-overlapping-ip  ]  [--max-mpls-labelchain-len  ]   [--mpls-payload-type   ]
       [--require-rule-sid  ] [--daq type ] [--daq-mode mode ] [--daq-var name=value ] [--daq-dir
       dir ] [--daq-list [dir] ] [--dirty-pig ] [--cs-dir dir ] [--ha-peer  ]  [--ha-out  file  ]
       [--ha-in file ] expression


       Snort  is  an  open source network intrusion detection system, capable of performing real-
       time traffic analysis and  packet  logging  on  IP  networks.   It  can  perform  protocol
       analysis,  content  searching/matching  and can be used to detect a variety of attacks and
       probes, such as buffer  overflows,  stealth  port  scans,  CGI  attacks,  SMB  probes,  OS
       fingerprinting  attempts, and much more.  Snort uses a flexible rules language to describe
       traffic that it should collect or pass, as well as a  detection  engine  that  utilizes  a
       modular  plugin  architecture.   Snort  also  has a modular real-time alerting capability,
       incorporating alerting and logging plugins for syslog, a ASCII text files, UNIX sockets or

       Snort  has  three  primary  uses.   It  can  be  used  as  a  straight packet sniffer like
       tcpdump(1), a packet logger (useful for network traffic debugging,  etc),  or  as  a  full
       blown network intrusion detection system.

       Snort  logs  packets  in  tcpdump(1) binary format or in Snort's decoded ASCII format to a
       hierarchy of logging directories that are named based on the IP address of  the  "foreign"


       -A alert-mode
              Alert  using the specified alert-mode.  Valid alert modes include fast, full, none,
              and unsock.  Fast writes alerts to the  default  "alert"  file  in  a  single-line,
              syslog  style  alert  message.   Full writes the alert to the "alert" file with the
              full decoded header as well as the alert message.  None turns off alerting.  Unsock
              is  an experimental mode that sends the alert information out over a UNIX socket to
              another process that attaches to that socket.

       -b     Log packets in a tcpdump(1) formatted file.    All  packets  are  logged  in  their
              native  binary  state  to  a  tcpdump formatted log file named with the snort start
              timestamp and "snort.log".  This option results in much  faster  operation  of  the
               since  it doesn't have to spend time in the packet binary->text converters.  Snort
              can keep up pretty well with 100Mbps networks in '-b' mode.  To choose an alternate
              name for the binary log file, use the '-L' switch.

       -B address-conversion-mask
              Convert  all IP addresses in home-net to addresses specified by address-conversion-
              mask.  Used to obfuscate IP addresses within binary logs. Specify home-net with the
              '-h' switch.  Note this is not the same as $HOME_NET.

       -c config-file
              Use the rules located in file config-file.

       -C     Print the character data from the packet payload only (no hex).

       -d     Dump  the  application  layer  data  when  displaying  packets in verbose or packet
              logging mode.

       -D     Run Snort in daemon mode.  Alerts are sent to /var/log/snort/alert unless otherwise

       -e     Display/log the link layer packet headers.

       -E     *WIN32 ONLY* Log alerts to the Windows Event Log.

       -f     Activate PCAP line buffering

       -F bpf-file
              Read BPF filters from bpf-file.  This is handy for people running Snort as a SHADOW
              replacement or with a love Of super complex BPF  filters.   See  the  "expressions"
              section of this man page for more info on writing BPF filters.

       -g group
              Change  the  group/GID Snort runs under to group after initialization.  This switch
              allows Snort to drop root privileges after it's initialization phase has  completed
              as a security measure.

       -G id  Use id as a base event ID when logging events.

       -h home-net
              Set  the  "home  network"  to  home-net.   The format of this address variable is a
              network prefix plus a CIDR block, such as  Once  this  variable  is
              set,  all  decoded packet logging will be done relative to the home network address
              space.  This is useful because of the way that Snort formats its  ASCII  log  data.
              With  this  value  set to the local network, all decoded output will be logged into
              decode directories with the address of the foreign computer as the directory  name,
              which  is  very  useful  during  traffic  analysis.  This  option  does  not change
              "$HOME_NET" in IDS mode.

       -H     Force hash tables to be deterministic instead of using a  random  number  generator
              for  the  seed  & scale.  Useful for testing and generating repeatable results with
              the same traffic.

       -i interface
              Sniff packets on interface.

       -I     Print out the receiving interface name in alerts.

       -k checksum-mode
              Tune the internal  checksum  verification  functionality  with  alert-mode.   Valid
              checksum  modes  include  all, noip, notcp, noudp, noicmp, and none.  All activates
              checksum verification for all supported protocols.   Noip  turns  off  IP  checksum
              verification, which is handy if the gateway router is already dropping packets that
              fail their IP checksum checks.  Notcp turns  off  TCP  checksum  verification,  all
              other  checksum  modes  are on.  noudp turns off UDP checksum verification.  Noicmp
              turns  off  ICMP  checksum  verification.   None  turns  off  the  entire  checksum
              verification subsystem.

       -K logging-mode
              Select  a  packet logging mode.  The default is pcap.  logging-mode.  Valid logging
              modes include pcap, ascii, and none.  Pcap logs packets through  the  pcap  library
              into  pcap (tcpdump) format.  Ascii logs packets in the old "directories and files"
              format with packet printouts in each file.  None Turns off packet logging.

       -l log-dir
              Set the output logging directory to log-dir.  All plain text alerts and packet logs
              go  into  this  directory.   If  this  option is not specified, the default logging
              directory is set to /var/log/snort.

       -L binary-log-file
              Set the filename of the binary log file to binary-log-file.  If this switch is  not
              used,  the  default  name is a timestamp for the time that the file is created plus

       -m umask
              Set the file mode creation mask to umask

       -M     Log console messages to syslog when not running daemon mode. Using both -D  and  -M
              will  send  all  messages  to syslog including e.g. SIGUSR1 dump packet stats. This
              switch has no impact on logging of alerts.

       -n packet-count
              Process packet-count packets and exit.

       -N     Turn off packet logging.  The program still generates alerts normally.

       -O     Obfuscate the IP addresses when in ASCII packet dump mode.  This switch changes the
              IP  addresses that get printed to the screen/log file to "".  If the
              homenet address switch  is  set  (-h),  only  addresses  on  the  homenet  will  be
              obfuscated  while  non-  homenet  IPs will be left visible.  Perfect for posting to
              your favorite security mailing list!

       -p     Turn off promiscuous mode sniffing.

       -P snap-length
              Set the packet snaplen to snap-length.  By default, this is set to 1514.

       -q     Quiet operation. Don't display banner and  initialization  information.  In  daemon
              mode, banner and initialization information is not logged to syslog.

       -Q     Enable inline mode operation.

       -r tcpdump-file
              Read  the  tcpdump-formatted  file tcpdump-file.  This will cause Snort to read and
              process the file fed to it.  This is useful if, for instance, you've got a bunch of
              SHADOW files that you want to process for content, or even if you've got a bunch of
              reassembled packet fragments which have been written into a tcpdump formatted file.

       -R name
              Use name as a suffix to the snort pidfile.

       -s     Send  alert  messages  to  syslog.   On  linux   boxen,   they   will   appear   in
              /var/log/secure, /var/log/messages on many other platforms.

       -S variable=value
              Set  variable  name  "variable"  to  value "value".  This is useful for setting the
              value of a defined variable name in a Snort rules file to a command line  specified
              value.   For  instance,  if  you  define a HOME_NET variable name inside of a Snort
              rules file, you can set this value from it's predefined value at the command line.

       -t chroot
              Changes Snort's root directory to chroot after initialization.   Please  note  that
              all log/alert filenames are relative to the chroot directory if chroot is used.

       -T     Snort  will  start  up  in  self-test  mode, checking all the supplied command line
              switches and rules files that are handed to it and indicating  that  everything  is
              ready to proceed.  This is a good switch to use if daemon mode is going to be used,
              it verifies that the Snort configuration that is about to  be  used  is  valid  and
              won't   fail  at  run  time.  Note,  Snort  looks  for  either  /etc/snort.conf  or
              ./snort.conf.  If your config lives elsewhere, use the -c option to specify a valid

       -u user
              Change the user/UID Snort runs under to user after initialization.

       -U     Changes the timestamp in all logs to be in UTC

       -v     Be  verbose.   Prints  packets  out  to the console.  There is one big problem with
              verbose mode: it's slow.  If you are doing IDS work with Snort, don't use the  '-v'
              switch, you WILL drop packets.

       -V     Show the version number and exit.

       -w     Show management frames if running on an 802.11 (wireless) network.

       -W     *WIN32 ONLY* Enumerate the network interfaces available.

       -x     Exit  if  Snort  configuration problems occur such as duplicate gid/sid or flowbits
              without Stream5.

       -X     Dump the raw packet data starting at the link layer.   This  switch  overrides  the
              '-d' switch.

       -y     Include the year in alert and log files

       -Z pathname
              Set the perfmonitor preprocessor path/filename to pathname.

       -?     Show the program usage statement and exit.

       --logid id
              Same as -G.

       --perfmon-file pathname
              Same as -Z.

       --pid-path directory
              Specify the directory for the Snort PID file.

       --snaplen snap-length
              Same as -P.

       --help Same as -?

              Same as -V

       --dynamic-engine-lib file
              Load a dynamic detection engine shared library specified by file.

       --dynamic-engine-lib-dir directory
              Load all dynamic detection engine shared libraries specified from directory.

       --dynamic-detection-lib file
              Load a dynamic detection rules shared library specified by file.

       --dynamic-detection-lib-dir directory
              Load all dynamic detection rules shared libraries specified from directory.

       --dump-dynamic-rules directory
              Create  stub  rule  files from all loaded dynamic detection rules libraries.  Files
              will be created in directory.  This is required to be done prior to  running  snort
              using  those  detection  rules  and  the  generated rules files must be included in

       --dynamic-preprocessor-lib file
              Load a dynamic preprocessor shared library specified by file.

       --dynamic-preprocessor-lib-dir directory
              Load all dynamic preprocessor shared libraries specified from directory.

              Process alert, drop, sdrop, or reject before pass.  Default is pass  before  alert,
              drop, etc.

              Converts drop, sdrop, and reject rules into alert rules during startup.

              Use drop, sdrop, and reject rules to ignore session traffic when not inline.

              Process  all  triggered  events  in  group  order, per Rule Ordering configuration.
              Default stops after first group.

              Enable Inline-Test Mode Operation.

       --pid-path directory
              Specify the path for Snort's PID file.

              Create PID file, even when not in Daemon mode.

              Do not try to lock Snort PID file.

              Do not include the interface name in Snort PID file

              Same as -r.  Added for completeness.

              Shell style filter to apply when getting pcaps from file or directory.  This filter
              will  apply  to  any --pcap-file or --pcap-dir arguments following.  Use --pcap-no-
              filter to delete filter  for  following  --pcap-file  or  --pcap-dir  arguments  or
              specify  --pcap-filter  again  to  forget previous filter and to apply to following
              --pcap-file or --pcap-dir arguments.

              A space separated list of pcaps to read.

              A directory to recurse to look for pcaps.  Sorted in ascii order.

              File that contains a list of pcaps to read.  Can specify path to pcap or  directory
              to recurse to get pcaps.

              Reset to use no filter when getting pcaps from file or directory.

              If  reading  multiple pcaps, reset snort to post-configuration state before reading
              next pcap.  The default, i.e. without this option, is not to reset state.

              Print a line saying what pcap is currently being read.

              Signal termination after <count> callbacks from DAQ_Acquire(), showing the time  it
              takes from signaling until DAQ_Stop() is called.

              Same as -x.

              Require an SID for every rule to be correctly threshold all rules.

       --daq <type>
              Select packet acquisition module (default is pcap).

       --daq-mode <mode>
              Select the DAQ operating mode.

       --daq-var <name=value>
              Specify extra DAQ configuration variable.

       --daq-dir <dir>
              Tell Snort where to find desired DAQ.

       --daq-list [<dir>]
              List packet acquisition modules available in dir.

       --cs-dir <dir>
              Tell Snort to use control socket and create the socket in dir.

              selects  which  packets  will be dumped.  If no expression is given, all packets on
              the net will be dumped.  Otherwise, only packets for  which  expression  is  `true'
              will be dumped.

              The  expression  consists of one or more primitives.  Primitives usually consist of
              an id (name or number) preceded  by  one  or  more  qualifiers.   There  are  three
              different kinds of qualifier:

              type   qualifiers say what kind of thing the id name or number refers to.  Possible
                     types are host, net and port.  E.g., `host foo', `net 128.3', `port 20'.  If
                     there is no type qualifier, host is assumed.

              dir    qualifiers  specify  a  particular  transfer  direction  to  and/or from id.
                     Possible directions are src, dst, src or dst and src and  dst.   E.g.,  `src
                     foo',  `dst  net  128.3',  `src  or  dst port ftp-data'.  If there is no dir
                     qualifier, src or dst is assumed.  For `null' link  layers  (i.e.  point  to
                     point  protocols  such  as  slip) the inbound and outbound qualifiers can be
                     used to specify a desired direction.

              proto  qualifiers restrict the match to a  particular  protocol.   Possible  protos
                     are:  ether,  fddi,  ip,  arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and
                     udp.  E.g., `ether src foo', `arp net 128.3', `tcp port 21'.  If there is no
                     proto  qualifier, all protocols consistent with the type are assumed.  E.g.,
                     `src foo' means `(ip or arp or rarp) src foo'  (except  the  latter  is  not
                     legal  syntax),  `net bar' means `(ip or arp or rarp) net bar' and `port 53'
                     means `(tcp or udp) port 53'.

              [`fddi' is actually an alias for `ether'; the parser  treats  them  identically  as
              meaning  ``the  data  link  level  used on the specified network interface.''  FDDI
              headers contain Ethernet-like source and destination addresses, and  often  contain
              Ethernet-like packet types, so you can filter on these FDDI fields just as with the
              analogous Ethernet fields.  FDDI headers also contain other fields, but you  cannot
              name them explicitly in a filter expression.]

              In  addition  to  the above, there are some special `primitive' keywords that don't
              follow the pattern: gateway, broadcast, less, greater and  arithmetic  expressions.
              All of these are described below.

              More  complex filter expressions are built up by using the words and, or and not to
              combine primitives.  E.g., `host foo and not port ftp and not port  ftp-data'.   To
              save  typing, identical qualifier lists can be omitted.  E.g., `tcp dst port ftp or
              ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst  port  ftp-
              data or tcp dst port domain'.

              Allowable primitives are:

              dst host host
                     True  if the IP destination field of the packet is host, which may be either
                     an address or a name.

              src host host
                     True if the IP source field of the packet is host.

              host host
                     True if either the IP source or destination of the packet is host.   Any  of
                     the  above  host expressions can be prepended with the keywords, ip, arp, or
                     rarp as in:
                          ip host host
                     which is equivalent to:
                          ether proto \ip and host host
                     If host is a name with multiple IP addresses, each address will  be  checked
                     for a match.

              ether dst ehost
                     True  if  the  ethernet destination address is ehost.  Ehost may be either a
                     name from /etc/ethers or a number (see ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination address is ehost.

              gateway host
                     True if the packet used host as a gateway.  I.e.,  the  ethernet  source  or
                     destination  address  was  host  but  neither  the  IP  source  nor  the  IP
                     destination was host.  Host must be  a  name  and  must  be  found  in  both
                     /etc/hosts and /etc/ethers.  (An equivalent expression is
                          ether host ehost and not host host
                     which can be used with either names or numbers for host / ehost.)

              dst net net
                     True  if  the  IP  destination address of the packet has a network number of
                     net. Net may be either a name from /etc/networks or a  network  number  (see
                     networks(4) for details).

              src net net
                     True if the IP source address of the packet has a network number of net.

              net net
                     True  if  either  the  IP  source or destination address of the packet has a
                     network number of net.

              net net mask mask
                     True if the IP address matches  net  with  the  specific  netmask.   May  be
                     qualified with src or dst.

              net net/len
                     True  if  the  IP  address  matches  net  a  netmask  len bits wide.  May be
                     qualified with src or dst.

              dst port port
                     True if the packet is ip/tcp or ip/udp and has a destination port  value  of
                     port.  The port can be a number or a name used in /etc/services (see tcp(4P)
                     and udp(4P)).  If a name is used, both the  port  number  and  protocol  are
                     checked.   If  a  number  or ambiguous name is used, only the port number is
                     checked (e.g., dst port 513 will print both tcp/login  traffic  and  udp/who
                     traffic, and port domain will print both tcp/domain and udp/domain traffic).

              src port port
                     True if the packet has a source port value of port.

              port port
                     True if either the source or destination port of the packet is port.  Any of
                     the above port expressions can be prepended with the keywords, tcp  or  udp,
                     as in:
                          tcp src port port
                     which matches only tcp packets whose source port is port.

              less length
                     True  if  the  packet  has  a  length less than or equal to length.  This is
                     equivalent to:
                          len <= length.

              greater length
                     True if the packet has a length greater than or equal to  length.   This  is
                     equivalent to:
                          len >= length.

              ip proto protocol
                     True  if  the packet is an ip packet (see ip(4P)) of protocol type protocol.
                     Protocol can be a number or one of the names icmp, igrp, udp,  nd,  or  tcp.
                     Note  that  the identifiers tcp, udp, and icmp are also keywords and must be
                     escaped via backslash (\), which is \\ in the C-shell.

              ether broadcast
                     True if the packet is an ethernet broadcast packet.  The  ether  keyword  is

              ip broadcast
                     True  if  the packet is an IP broadcast packet.  It checks for both the all-
                     zeroes and all-ones broadcast conventions, and looks  up  the  local  subnet

              ether multicast
                     True  if  the  packet is an ethernet multicast packet.  The ether keyword is
                     optional.  This is shorthand for `ether[0] & 1 != 0'.

              ip multicast
                     True if the packet is an IP multicast packet.

              ether proto protocol
                     True if the packet is of ether type protocol.  Protocol can be a number or a
                     name  like  ip,  arp, or rarp.  Note these identifiers are also keywords and
                     must be escaped via backslash (\).   [In  the  case  of  FDDI  (e.g.,  `fddi
                     protocol  arp'),  the  protocol  identification comes from the 802.2 Logical
                     Link Control (LLC) header, which is usually  layered  on  top  of  the  FDDI
                     header.   Tcpdump  assumes,  when filtering on the protocol identifier, that
                     all FDDI packets include an LLC header, and that the LLC header  is  in  so-
                     called SNAP format.]

              decnet src host
                     True  if  the  DECNET source address is host, which may be an address of the
                     form ``10.123'', or a DECNET host name.  [DECNET host name support  is  only
                     available on Ultrix systems that are configured to run DECNET.]

              decnet dst host
                     True if the DECNET destination address is host.

              decnet host host
                     True if either the DECNET source or destination address is host.

              ip, arp, rarp, decnet
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:
                          ether proto p
                     where  p  is one of the above protocols.  Note that Snort does not currently
                     know how to parse these protocols.

              tcp, udp, icmp
                     Abbreviations for:
                          ip proto p
                     where p is one of the above protocols.

              expr relop expr
                     True if the relation holds, where relop is one of >, <, >=, <=, =,  !=,  and
                     expr is an arithmetic expression composed of integer constants (expressed in
                     standard C syntax), the normal binary operators [+, -, *, /, &, |], a length
                     operator,  and  special  packet  data  accessors.  To access data inside the
                     packet, use the following syntax:
                          proto [ expr : size ]
                     Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates
                     the  protocol  layer  for the index operation.  The byte offset, relative to
                     the indicated protocol layer, is  given  by  expr.   Size  is  optional  and
                     indicates  the  number  of  bytes in the field of interest; it can be either
                     one, two, or four, and defaults to one.  The length operator,  indicated  by
                     the keyword len, gives the length of the packet.

                     For  example,  `ether[0]  &  1  !=  0'  catches  all multicast traffic.  The
                     expression `ip[0] & 0xf != 5' catches  all  IP  packets  with  options.  The
                     expression  `ip[6:2]  &  0x1fff = 0' catches only unfragmented datagrams and
                     frag zero of fragmented datagrams.  This check is implicitly applied to  the
                     tcp  and  udp index operations.  For instance, tcp[0] always means the first
                     byte of the TCP header, and never means the first  byte  of  an  intervening

              Primitives may be combined using:

                     A  parenthesized  group of primitives and operators (parentheses are special
                     to the Shell and must be escaped).

                     Negation (`!' or `not').

                     Concatenation (`&&' or `and').

                     Alternation (`||' or `or').

              Negation  has  highest  precedence.   Alternation  and  concatenation  have   equal
              precedence  and  associate  left  to  right.   Note  that  explicit and tokens, not
              juxtaposition, are now required for concatenation.

              If an identifier is given without a keyword, the most recent  keyword  is  assumed.
              For example,
                   not host vs and ace
              is short for
                   not host vs and host ace
              which should not be confused with
                   not ( host vs or ace )

              Expression  arguments  can  be  passed  to  Snort as either a single argument or as
              multiple arguments, whichever is more convenient.   Generally,  if  the  expression
              contains  Shell  metacharacters,  it  is  easier  to  pass  it  as a single, quoted
              argument.  Multiple arguments are concatenated with spaces before being parsed.


       Instead of having Snort listen on an interface, you can give it a packet capture to  read.
       Snort  will read and analyze the packets as if they came off the wire.  This can be useful
       for testing and debugging Snort.

       Read a single pcap

            $ snort -r foo.pcap
            $ snort --pcap-single=foo.pcap

       Read pcaps from a file

            $ cat foo.txt

            $ snort --pcap-file=foo.txt

            This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps.   Note  that
            Snort  will  not  try  to determine whether the files under that directory are really
            pcap files or not.

       Read pcaps from a command line list

            $ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"

            This will read foo1.pcap, foo2.pcap and foo3.pcap.

       Read pcaps under a directory

            $ snort --pcap-dir="/home/foo/pcaps"

            This will include all of the files under /home/foo/pcaps.

       Using filters

            $ cat foo.txt

            $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
            $ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps

            The above will only include files that match the shell  pattern  "*.pcap",  in  other
            words, any file ending in ".pcap".

            $ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
            > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps

            In the above, the first filter "*.pcap" will only be applied to the pcaps in the file
            "foo.txt" (and any directories that are recursed in that file).  The addition of  the
            second filter "*.cap" will cause the first filter to be forgotten and then applied to
            the directory /home/foo/pcaps, so only files ending in ".cap" will be  included  from
            that directory.

            $ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
            > --pcap-no-filter --pcap-dir=/home/foo/pcaps

            In  this example, the first filter will be applied to foo.txt, then no filter will be
            applied  to  the  files  found  under  /home/foo/pcaps,  so  all  files  found  under
            /home/foo/pcaps will be included.

            $ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
            > --pcap-no-filter --pcap-dir=/home/foo/pcaps \
            > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2

            In  this example, the first filter will be applied to foo.txt, then no filter will be
            applied  to  the  files  found  under  /home/foo/pcaps,  so  all  files  found  under
            /home/foo/pcaps  will  be  included, then the filter "*.cap" will be applied to files
            found under /home/foo/pcaps2.

       Resetting state

            $ snort --pcap-dir=/home/foo/pcaps --pcap-reset

            The above example will read all of the files under /home/foo/pcaps,  but  after  each
            pcap  is read, Snort will be reset to a post-configuration state, meaning all buffers
            will be flushed, statistics reset, etc.  For each pcap, it  will  be  like  Snort  is
            seeing traffic for the first time.

       Printing the pcap

            $ snort --pcap-dir=/home/foo/pcaps --pcap-show

            The  above  example will read all of the files under /home/foo/pcaps and will print a
            line indicating which pcap is currently being read.


       Snort uses a simple but flexible rules language to describe network packet signatures  and
       associate   them   with   actions.    The   current   rules   document  can  be  found  at


       The following signals have the specified effect when sent to the daemon process using  the
       kill(1) command:

       SIGHUP Causes  the  daemon  to  close all opened files and restart.  Please note that this
              will only work if the full pathname  is  used  to  invoke  snort  in  daemon  mode,
              otherwise snort will just exit with an error message being sent to syslogd(8).

              Causes  the  program  to  dump  its  current  packet statistical information to the
              console or syslogd(8) if in daemon mode.

              Causes the program to rotate Perfmonitor statistical information to the console  or
              syslogd(8) if in daemon mode.

       SIGURG Causes the program to reload attribute table.

              Used internally.

       Please  refer to manual for more details. Any other signal might cause the daemon to close
       all opened files and exit.


       In Debian, there are several ways in which Snort can be configured. The configuration file
       /etc/snort/snort.conf  provides  the  configuration  for  the  software  itself. Users can
       customise this configuration.  In systems which have multiple interfaces, it  is  possible
       to  have  a  different  Snort  instance  per  network  interface  and  adjust the specific
       configuration for one interface  using  /etc/snort/snort.INTERFACE.conf  (where  INTERFACE
       should be replaced by the interface name).

       There are additional configuration files in /etc/snort which modify Snort behaviour. These
       include: attribute_table.dtd, file_magic.conf, threshold.conf and

       In addition, Debian provides a specific configuration file to manage the startup of  Snort
       through  the /etc/snort/snort.debian.conf configuration file. This file is modified by the
       packaging system, using debconf, and defines whether Snort is to be started up  on  system
       boot  or  manually,  defines  specific options for the Snort daemon when it is started and
       sets values to be used by the snort-stat cron script (if enabled).

       Finally, the configuration file /etc/default/snort is used to define parameters which  are
       applicable to the Snort startup (init.d) script. These include: daemon startup parameters,
       user and group Snort will run as,  log  directory  and  whether  to  run  Snort  when  the
       interfaces to be monitored are not available.


       In   Debian,   the   Snort   logs   are   available  under  /var/log/snort/  and  includes
       /var/log/snort/snort.log, /var/log/snort/snort.alert and /var/log/snort/

       The first two of these logs are saved using the unified format which can be read using the
       u2spewfoo  tool.   For more information read /usr/share/doc/snort/README.unified2 which is
       provided by the snort-doc package. The log files in unified2 format can also be  converted
       to  other  formats  (currently only pcap is supported) using the u2boat tool. The last log
       file ( is a one line format that provides fast alerts. These  alerts  are
       read  by  the  snort-stat and sent by email to a designed administrator if eneabled in the
       Debian package configuration.

       The location of the log directory can be adjusted through the configuration of the  LOGDIR
       parameter in the /etc/default/snort configuration file.

       The   log   file   /var/log/snort/snort.log   contains   the  packets  logged,  while  the
       /var/log/snort/snort.alert contains only the alerts generated.

       In addition to this, all alerts are logged into syslog using LOG_AUTH and LOG_ALERT.

       The logging and alerting  mode can be modified by  configuring  the  /etc/snort/snort.conf


       Snort has been freely available under the GPL license since 1998.


       Snort returns a 0 on a successful exit, 1 if it exits on an error.


       After  consulting  the  BUGS  file  included  with the source distributon and available in
       Debian systems in /usr/share/doc/BUGS, as well as the Debian-specific  bugs  published  in  please  send  bug  reports to
       Debian using the reportbug program. For more information about reporting  bugs  in  Debian
       please read

       If you believe the bug lies with the upstream package, please send bug reports directly to


       The main author of Snort is Martin Roesch <>

       In addition, many people have contributed to Snort development. For  a  full  list  please
       read /usr/share/doc/snort/CREDITS.gz

       This Debian package was created by  Christian Hammers <> (from 1999 to 2001),
       Robert van der Meulen <> (2001 to 2002), Sander Smeenk <>
       (2002  to 2004) and Javier Fernández-Sanguino <> (2004 to 2020). It includes
       with contributions from many different Debian  developers  and  users.  All  of  them  are
       credited     in    the    Debian    changelog    file    which    can    be    found    at
       /usr/share/doc/snort/changelog.Debian.gz and /usr/share/doc/snort/copyright


       tcpdump(1), pcap(3), u2boat(8), u2spewfoo(8), snort-stat(8)

                                          December 2011                                  SNORT(8)