Provided by: snort_2.9.7.0-5_amd64 
NAME
Snort - open source network intrusion detection system
SYNOPSIS
snort [-bCdDeEfHIMNOpqQsTUvVwWxXy?] [-A alert-mode ] [-B address-conversion-mask ] [-c
rules-file ] [-F bpf-file ] [-g group-name ] [-G id ] [-h home-net ] [-i interface ] [-k
checksum-mode ] [-K logging-mode ] [-l log-dir ] [-L bin-log-file ] [-m umask ] [-n
packet-count ] [-P snap-length ] [-r tcpdump-file ] [-R name ] [-S variable=value ] [-t
chroot_directory ] [-u user-name ] [-Z pathname ] [--logid id ] [--perfmon-file pathname ]
[--pid-path pathname ] [--snaplen snap-length ] [--help ] [--version ] [--dynamic-engine-
lib file ] [--dynamic-engine-lib-dir directory ] [--dynamic-detection-lib file ]
[--dynamic-detection-lib-dir directory ] [--dump-dynamic-rules directory ] [--dynamic-
preprocessor-lib file ] [--dynamic-preprocessor-lib-dir directory ] [--dynamic-output-lib
file ] [--dynamic-output-lib-dir directory ] [--alert-before-pass ] [--treat-drop-as-alert
] [--treat-drop-as-ignore ] [--process-all-events ] [--enable-inline-test ] [--create-
pidfile ] [--nolock-pidfile ] [--no-interface-pidfile ] [--disable-attribute-reload-thread
] [--pcap-single= tcpdump-file ] [--pcap-filter= filter ] [--pcap-list= list ] [--pcap-
dir= directory ] [--pcap-file= file ] [--pcap-no-filter ] [--pcap-reset ] [--pcap-reload ]
[--pcap-show ] [--exit-check count ] [--conf-error-out ] [--enable-mpls-multicast ]
[--enable-mpls-overlapping-ip ] [--max-mpls-labelchain-len ] [--mpls-payload-type ]
[--require-rule-sid ] [--daq type ] [--daq-mode mode ] [--daq-var name=value ] [--daq-dir
dir ] [--daq-list [dir] ] [--dirty-pig ] [--cs-dir dir ] [--ha-peer ] [--ha-out file ]
[--ha-in file ] expression
DESCRIPTION
Snort is an open source network intrusion detection system, capable of performing real-
time traffic analysis and packet logging on IP networks. It can perform protocol
analysis, content searching/matching and can be used to detect a variety of attacks and
probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more. Snort uses a flexible rules language to describe
traffic that it should collect or pass, as well as a detection engine that utilizes a
modular plugin architecture. Snort also has a modular real-time alerting capability,
incorporating alerting and logging plugins for syslog, a ASCII text files, UNIX sockets or
XML.
Snort has three primary uses. It can be used as a straight packet sniffer like
tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full
blown network intrusion detection system.
Snort logs packets in tcpdump(1) binary format or in Snort's decoded ASCII format to a
hierarchy of logging directories that are named based on the IP address of the "foreign"
host.
OPTIONS
-A alert-mode
Alert using the specified alert-mode. Valid alert modes include fast, full, none,
and unsock. Fast writes alerts to the default "alert" file in a single-line,
syslog style alert message. Full writes the alert to the "alert" file with the
full decoded header as well as the alert message. None turns off alerting. Unsock
is an experimental mode that sends the alert information out over a UNIX socket to
another process that attaches to that socket.
-b Log packets in a tcpdump(1) formatted file. All packets are logged in their
native binary state to a tcpdump formatted log file named with the snort start
timestamp and "snort.log". This option results in much faster operation of the
program
since it doesn't have to spend time in the packet binary->text converters. Snort
can keep up pretty well with 100Mbps networks in '-b' mode. To choose an alternate
name for the binary log file, use the '-L' switch.
-B address-conversion-mask
Convert all IP addresses in home-net to addresses specified by address-conversion-
mask. Used to obfuscate IP addresses within binary logs. Specify home-net with the
'-h' switch. Note this is not the same as $HOME_NET.
-c config-file
Use the rules located in file config-file.
-C Print the character data from the packet payload only (no hex).
-d Dump the application layer data when displaying packets in verbose or packet
logging mode.
-D Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless otherwise
specified.
-e Display/log the link layer packet headers.
-E *WIN32 ONLY* Log alerts to the Windows Event Log.
-f Activate PCAP line buffering
-F bpf-file
Read BPF filters from bpf-file. This is handy for people running Snort as a SHADOW
replacement or with a love Of super complex BPF filters. See the "expressions"
section of this man page for more info on writing BPF filters.
-g group
Change the group/GID Snort runs under to group after initialization. This switch
allows Snort to drop root privileges after it's initialization phase has completed
as a security measure.
-G id Use id as a base event ID when logging events.
-h home-net
Set the "home network" to home-net. The format of this address variable is a
network prefix plus a CIDR block, such as 192.168.1.0/24. Once this variable is
set, all decoded packet logging will be done relative to the home network address
space. This is useful because of the way that Snort formats its ASCII log data.
With this value set to the local network, all decoded output will be logged into
decode directories with the address of the foreign computer as the directory name,
which is very useful during traffic analysis. This option does not change
"$HOME_NET" in IDS mode.
-H Force hash tables to be deterministic instead of using a random number generator
for the seed & scale. Useful for testing and generating repeatable results with
the same traffic.
-i interface
Sniff packets on interface.
-I Print out the receiving interface name in alerts.
-k checksum-mode
Tune the internal checksum verification functionality with alert-mode. Valid
checksum modes include all, noip, notcp, noudp, noicmp, and none. All activates
checksum verification for all supported protocols. Noip turns off IP checksum
verification, which is handy if the gateway router is already dropping packets that
fail their IP checksum checks. Notcp turns off TCP checksum verification, all
other checksum modes are on. noudp turns off UDP checksum verification. Noicmp
turns off ICMP checksum verification. None turns off the entire checksum
verification subsystem.
-K logging-mode
Select a packet logging mode. The default is pcap. logging-mode. Valid logging
modes include pcap, ascii, and none. Pcap logs packets through the pcap library
into pcap (tcpdump) format. Ascii logs packets in the old "directories and files"
format with packet printouts in each file. None Turns off packet logging.
-l log-dir
Set the output logging directory to log-dir. All plain text alerts and packet logs
go into this directory. If this option is not specified, the default logging
directory is set to /var/log/snort.
-L binary-log-file
Set the filename of the binary log file to binary-log-file. If this switch is not
used, the default name is a timestamp for the time that the file is created plus
"snort.log".
-m umask
Set the file mode creation mask to umask
-M Log console messages to syslog when not running daemon mode. This switch has no
impact on logging of alerts.
-n packet-count
Process packet-count packets and exit.
-N Turn off packet logging. The program still generates alerts normally.
-O Obfuscate the IP addresses when in ASCII packet dump mode. This switch changes the
IP addresses that get printed to the screen/log file to "xxx.xxx.xxx.xxx". If the
homenet address switch is set (-h), only addresses on the homenet will be
obfuscated while non- homenet IPs will be left visible. Perfect for posting to
your favorite security mailing list!
-p Turn off promiscuous mode sniffing.
-P snap-length
Set the packet snaplen to snap-length. By default, this is set to 1514.
-q Quiet operation. Don't display banner and initialization information.
-Q Enable inline mode operation.
-r tcpdump-file
Read the tcpdump-formatted file tcpdump-file. This will cause Snort to read and
process the file fed to it. This is useful if, for instance, you've got a bunch of
SHADOW files that you want to process for content, or even if you've got a bunch of
reassembled packet fragments which have been written into a tcpdump formatted file.
-R name
Use name as a suffix to the snort pidfile.
-s Send alert messages to syslog. On linux boxen, they will appear in
/var/log/secure, /var/log/messages on many other platforms.
-S variable=value
Set variable name "variable" to value "value". This is useful for setting the
value of a defined variable name in a Snort rules file to a command line specified
value. For instance, if you define a HOME_NET variable name inside of a Snort
rules file, you can set this value from it's predefined value at the command line.
-t chroot
Changes Snort's root directory to chroot after initialization. Please note that
all log/alert filenames are relative to the chroot directory if chroot is used.
-T Snort will start up in self-test mode, checking all the supplied command line
switches and rules files that are handed to it and indicating that everything is
ready to proceed. This is a good switch to use if daemon mode is going to be used,
it verifies that the Snort configuration that is about to be used is valid and
won't fail at run time. Note, Snort looks for either /etc/snort.conf or
./snort.conf. If your config lives elsewhere, use the -c option to specify a valid
config-file.
-u user
Change the user/UID Snort runs under to user after initialization.
-U Changes the timestamp in all logs to be in UTC
-v Be verbose. Prints packets out to the console. There is one big problem with
verbose mode: it's slow. If you are doing IDS work with Snort, don't use the '-v'
switch, you WILL drop packets.
-V Show the version number and exit.
-w Show management frames if running on an 802.11 (wireless) network.
-W *WIN32 ONLY* Enumerate the network interfaces available.
-x Exit if Snort configuration problems occur such as duplicate gid/sid or flowbits
without Stream5.
-X Dump the raw packet data starting at the link layer. This switch overrides the
'-d' switch.
-y Include the year in alert and log files
-Z pathname
Set the perfmonitor preprocessor path/filename to pathname.
-? Show the program usage statement and exit.
--logid id
Same as -G.
--perfmon-file pathname
Same as -Z.
--pid-path directory
Specify the directory for the Snort PID file.
--snaplen snap-length
Same as -P.
--help Same as -?
--version
Same as -V
--dynamic-engine-lib file
Load a dynamic detection engine shared library specified by file.
--dynamic-engine-lib-dir directory
Load all dynamic detection engine shared libraries specified from directory.
--dynamic-detection-lib file
Load a dynamic detection rules shared library specified by file.
--dynamic-detection-lib-dir directory
Load all dynamic detection rules shared libraries specified from directory.
--dump-dynamic-rules directory
Create stub rule files from all loaded dynamic detection rules libraries. Files
will be created in directory. This is required to be done prior to running snort
using those detection rules and the generated rules files must be included in
snort.conf.
--dynamic-preprocessor-lib file
Load a dynamic preprocessor shared library specified by file.
--dynamic-preprocessor-lib-dir directory
Load all dynamic preprocessor shared libraries specified from directory.
--alert-before-pass
Process alert, drop, sdrop, or reject before pass. Default is pass before alert,
drop, etc.
--treat-drop-as-alert
Converts drop, sdrop, and reject rules into alert rules during startup.
--treat-drop-as-ignore
Use drop, sdrop, and reject rules to ignore session traffic when not inline.
--process-all-events
Process all triggered events in group order, per Rule Ordering configuration.
Default stops after first group.
--enable-inline-test
Enable Inline-Test Mode Operation.
--pid-path directory
Specify the path for Snort's PID file.
--create-pidfile
Create PID file, even when not in Daemon mode.
--nolock-pidfile
Do not try to lock Snort PID file.
--no-interface-pidfile
Do not include the interface name in Snort PID file
--pcap-single=tcpdump-file
Same as -r. Added for completeness.
--pcap-filter=filter
Shell style filter to apply when getting pcaps from file or directory. This filter
will apply to any --pcap-file or --pcap-dir arguments following. Use --pcap-no-
filter to delete filter for following --pcap-file or --pcap-dir arguments or
specify --pcap-filter again to forget previous filter and to apply to following
--pcap-file or --pcap-dir arguments.
--pcap-list="list"
A space separated list of pcaps to read.
--pcap-dir=directory
A directory to recurse to look for pcaps. Sorted in ascii order.
--pcap-file=file
File that contains a list of pcaps to read. Can specify path to pcap or directory
to recurse to get pcaps.
--pcap-no-filter
Reset to use no filter when getting pcaps from file or directory.
--pcap-reset
If reading multiple pcaps, reset snort to post-configuration state before reading
next pcap. The default, i.e. without this option, is not to reset state.
--pcap-show
Print a line saying what pcap is currently being read.
--exit-check=count
Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
takes from signaling until DAQ_Stop() is called.
--conf-error-out
Same as -x.
--require-rule-sid
Require an SID for every rule to be correctly threshold all rules.
--daq <type>
Select packet acquisition module (default is pcap).
--daq-mode <mode>
Select the DAQ operating mode.
--daq-var <name=value>
Specify extra DAQ configuration variable.
--daq-dir <dir>
Tell Snort where to find desired DAQ.
--daq-list [<dir>]
List packet acquisition modules available in dir.
--cs-dir <dir>
Tell Snort to use control socket and create the socket in dir.
expression
selects which packets will be dumped. If no expression is given, all packets on
the net will be dumped. Otherwise, only packets for which expression is `true'
will be dumped.
The expression consists of one or more primitives. Primitives usually consist of
an id (name or number) preceded by one or more qualifiers. There are three
different kinds of qualifier:
type qualifiers say what kind of thing the id name or number refers to. Possible
types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If
there is no type qualifier, host is assumed.
dir qualifiers specify a particular transfer direction to and/or from id.
Possible directions are src, dst, src or dst and src and dst. E.g., `src
foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir
qualifier, src or dst is assumed. For `null' link layers (i.e. point to
point protocols such as slip) the inbound and outbound qualifiers can be
used to specify a desired direction.
proto qualifiers restrict the match to a particular protocol. Possible protos
are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and
udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no
proto qualifier, all protocols consistent with the type are assumed. E.g.,
`src foo' means `(ip or arp or rarp) src foo' (except the latter is not
legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53'
means `(tcp or udp) port 53'.
[`fddi' is actually an alias for `ether'; the parser treats them identically as
meaning ``the data link level used on the specified network interface.'' FDDI
headers contain Ethernet-like source and destination addresses, and often contain
Ethernet-like packet types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields. FDDI headers also contain other fields, but you cannot
name them explicitly in a filter expression.]
In addition to the above, there are some special `primitive' keywords that don't
follow the pattern: gateway, broadcast, less, greater and arithmetic expressions.
All of these are described below.
More complex filter expressions are built up by using the words and, or and not to
combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To
save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or
ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-
data or tcp dst port domain'.
Allowable primitives are:
dst host host
True if the IP destination field of the packet is host, which may be either
an address or a name.
src host host
True if the IP source field of the packet is host.
host host
True if either the IP source or destination of the packet is host. Any of
the above host expressions can be prepended with the keywords, ip, arp, or
rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each address will be checked
for a match.
ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a
name from /etc/ethers or a number (see ethers(3N) for numeric format).
ether src ehost
True if the ethernet source address is ehost.
ether host ehost
True if either the ethernet source or destination address is ehost.
gateway host
True if the packet used host as a gateway. I.e., the ethernet source or
destination address was host but neither the IP source nor the IP
destination was host. Host must be a name and must be found in both
/etc/hosts and /etc/ethers. (An equivalent expression is
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)
dst net net
True if the IP destination address of the packet has a network number of
net. Net may be either a name from /etc/networks or a network number (see
networks(4) for details).
src net net
True if the IP source address of the packet has a network number of net.
net net
True if either the IP source or destination address of the packet has a
network number of net.
net net mask mask
True if the IP address matches net with the specific netmask. May be
qualified with src or dst.
net net/len
True if the IP address matches net a netmask len bits wide. May be
qualified with src or dst.
dst port port
True if the packet is ip/tcp or ip/udp and has a destination port value of
port. The port can be a number or a name used in /etc/services (see tcp(4P)
and udp(4P)). If a name is used, both the port number and protocol are
checked. If a number or ambiguous name is used, only the port number is
checked (e.g., dst port 513 will print both tcp/login traffic and udp/who
traffic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
True if the packet has a source port value of port.
port port
True if either the source or destination port of the packet is port. Any of
the above port expressions can be prepended with the keywords, tcp or udp,
as in:
tcp src port port
which matches only tcp packets whose source port is port.
less length
True if the packet has a length less than or equal to length. This is
equivalent to:
len <= length.
greater length
True if the packet has a length greater than or equal to length. This is
equivalent to:
len >= length.
ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol.
Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp.
Note that the identifiers tcp, udp, and icmp are also keywords and must be
escaped via backslash (\), which is \\ in the C-shell.
ether broadcast
True if the packet is an ethernet broadcast packet. The ether keyword is
optional.
ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-
zeroes and all-ones broadcast conventions, and looks up the local subnet
mask.
ether multicast
True if the packet is an ethernet multicast packet. The ether keyword is
optional. This is shorthand for `ether[0] & 1 != 0'.
ip multicast
True if the packet is an IP multicast packet.
ether proto protocol
True if the packet is of ether type protocol. Protocol can be a number or a
name like ip, arp, or rarp. Note these identifiers are also keywords and
must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi
protocol arp'), the protocol identification comes from the 802.2 Logical
Link Control (LLC) header, which is usually layered on top of the FDDI
header. Tcpdump assumes, when filtering on the protocol identifier, that
all FDDI packets include an LLC header, and that the LLC header is in so-
called SNAP format.]
decnet src host
True if the DECNET source address is host, which may be an address of the
form ``10.123'', or a DECNET host name. [DECNET host name support is only
available on Ultrix systems that are configured to run DECNET.]
decnet dst host
True if the DECNET destination address is host.
decnet host host
True if either the DECNET source or destination address is host.
ip, arp, rarp, decnet
Abbreviations for:
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
Abbreviations for:
ether proto p
where p is one of the above protocols. Note that Snort does not currently
know how to parse these protocols.
tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.
expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and
expr is an arithmetic expression composed of integer constants (expressed in
standard C syntax), the normal binary operators [+, -, *, /, &, |], a length
operator, and special packet data accessors. To access data inside the
packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates
the protocol layer for the index operation. The byte offset, relative to
the indicated protocol layer, is given by expr. Size is optional and
indicates the number of bytes in the field of interest; it can be either
one, two, or four, and defaults to one. The length operator, indicated by
the keyword len, gives the length of the packet.
For example, `ether[0] & 1 != 0' catches all multicast traffic. The
expression `ip[0] & 0xf != 5' catches all IP packets with options. The
expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and
frag zero of fragmented datagrams. This check is implicitly applied to the
tcp and udp index operations. For instance, tcp[0] always means the first
byte of the TCP header, and never means the first byte of an intervening
fragment.
Primitives may be combined using:
A parenthesized group of primitives and operators (parentheses are special
to the Shell and must be escaped).
Negation (`!' or `not').
Concatenation (`&&' or `and').
Alternation (`||' or `or').
Negation has highest precedence. Alternation and concatenation have equal
precedence and associate left to right. Note that explicit and tokens, not
juxtaposition, are now required for concatenation.
If an identifier is given without a keyword, the most recent keyword is assumed.
For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )
Expression arguments can be passed to Snort as either a single argument or as
multiple arguments, whichever is more convenient. Generally, if the expression
contains Shell metacharacters, it is easier to pass it as a single, quoted
argument. Multiple arguments are concatenated with spaces before being parsed.
READING PCAPS
Instead of having Snort listen on an interface, you can give it a packet capture to read.
Snort will read and analyze the packets as if they came off the wire. This can be useful
for testing and debugging Snort.
Read a single pcap
$ snort -r foo.pcap
$ snort --pcap-single=foo.pcap
Read pcaps from a file
$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps
$ snort --pcap-file=foo.txt
This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps. Note that
Snort will not try to determine whether the files under that directory are really
pcap files or not.
Read pcaps from a command line list
$ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"
This will read foo1.pcap, foo2.pcap and foo3.pcap.
Read pcaps under a directory
$ snort --pcap-dir="/home/foo/pcaps"
This will include all of the files under /home/foo/pcaps.
Using filters
$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps
$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
$ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps
The above will only include files that match the shell pattern "*.pcap", in other
words, any file ending in ".pcap".
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps
In the above, the first filter "*.pcap" will only be applied to the pcaps in the file
"foo.txt" (and any directories that are recursed in that file). The addition of the
second filter "*.cap" will cause the first filter to be forgotten and then applied to
the directory /home/foo/pcaps, so only files ending in ".cap" will be included from
that directory.
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps
In this example, the first filter will be applied to foo.txt, then no filter will be
applied to the files found under /home/foo/pcaps, so all files found under
/home/foo/pcaps will be included.
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps \
> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2
In this example, the first filter will be applied to foo.txt, then no filter will be
applied to the files found under /home/foo/pcaps, so all files found under
/home/foo/pcaps will be included, then the filter "*.cap" will be applied to files
found under /home/foo/pcaps2.
Resetting state
$ snort --pcap-dir=/home/foo/pcaps --pcap-reset
The above example will read all of the files under /home/foo/pcaps, but after each
pcap is read, Snort will be reset to a post-configuration state, meaning all buffers
will be flushed, statistics reset, etc. For each pcap, it will be like Snort is
seeing traffic for the first time.
Printing the pcap
$ snort --pcap-dir=/home/foo/pcaps --pcap-show
The above example will read all of the files under /home/foo/pcaps and will print a
line indicating which pcap is currently being read.
RULES
Snort uses a simple but flexible rules language to describe network packet signatures and
associate them with actions. The current rules document can be found at
http://www.snort.org/snort-rules.
NOTES
The following signals have the specified effect when sent to the daemon process using the
kill(1) command:
SIGHUP Causes the daemon to close all opened files and restart. Please note that this
will only work if the full pathname is used to invoke snort in daemon mode,
otherwise snort will just exit with an error message being sent to syslogd(8).
SIGUSR1
Causes the program to dump its current packet statistical information to the
console or syslogd(8) if in daemon mode.
SIGUSR2
Causes the program to rotate Perfmonitor statistical information to the console or
syslogd(8) if in daemon mode.
SIGURG Causes the program to reload attribute table.
SIGCHLD
Used internally.
Please refer to manual for more details. Any other signal might cause the daemon to close
all opened files and exit.
HISTORY
Snort has been freely available under the GPL license since 1998.
DIAGNOSTICS
Snort returns a 0 on a successful exit, 1 if it exits on an error.
BUGS
After consulting the BUGS file included with the source distribution, send bug reports to
snort-devel@lists.sourceforge.net
AUTHOR
Martin Roesch <roesch@snort.org>
SEE ALSO
tcpdump(1), pcap(3)
December 2011 SNORT(8)