A structured overview of Snort modes, commands, and rule syntax for network monitoring, intrusion detection, and prevention. The flags and file names below follow Snort 2.x; Snort 3 keeps most of the same switches but reads a Lua configuration (`-c snort.lua`) and names its alert outputs differently (for example `-A alert_fast` instead of `-A fast`).
(Snort can run in multiple modes depending on your goal; the switches in this first table apply to every mode)
| Command(s) | Explanation |
|---|---|
| `snort -V` | Shows the Snort version and build. |
| `snort -W` | Lists the network interfaces Snort can capture on (on Linux, `ip link` gives the same information). |
| `snort -i <iface>` | Selects the interface to listen on (e.g., `snort -i eth0`); combine it with any of the modes below. |
| `snort -c <config_file>` | Runs Snort with a specific configuration file (`snort.conf` in Snort 2.x), which in turn includes the rule files. |
| `snort -T -c <config_file>` | Tests the configuration file and every included rule for errors, then exits without capturing; run this after each rule edit, since a single syntax error stops Snort from starting. |
| `snort -q` | Quiet mode (suppresses the banner and startup status messages; useful when Snort runs as a service or its output is piped elsewhere). |
(Capture and display packets in real time, like tcpdump)
| Command(s) | Explanation |
|---|---|
| `snort -v` | Displays packet headers (IP and TCP/UDP/ICMP) on screen. |
| `snort -vd` | Displays packet headers plus the application-layer payload (hex and ASCII). |
| `snort -vde` | Displays headers, payload and the link-layer (Ethernet) headers, i.e. full packet details. Printing every packet to a terminal is slow; on a busy link use logger mode instead. |
(Capture packets and save them to log files for later analysis)
| Command(s) | Explanation |
|---|---|
| `snort -l <log_dir>` | Logs packets into `<log_dir>` (the directory must already exist and be writable by the user Snort runs as). |
| `snort -b -l <log_dir>` | Logs packets in binary (pcap/tcpdump) format, which is much faster than text logging and can be opened later in Wireshark or tcpdump. |
| `snort -r <file>` | Reads a saved pcap file instead of a live interface and runs whichever mode is selected over it; with `-c` this replays captured traffic through the rule set, which is the usual way to test a new rule offline. |
(Use rules to detect suspicious/malicious traffic)
| Command(s) | Explanation |
|---|---|
| `snort -c <snort.conf> -i <iface>` | Runs Snort in IDS mode on `<iface>` with the rules loaded from the config file; alerts go to the log directory in the configured output format. |
| `snort -A console -c <snort.conf>` | Prints alerts to the console (stdout) in the one-line fast format, convenient while writing and testing rules. |
| `snort -A fast -c <snort.conf>` | Writes one-line alerts (timestamp, gid:sid:rev, message, classification, priority, protocol, source and destination) to the alert file in the log directory. |
| `snort -A full -c <snort.conf>` | Writes detailed alerts that also include the packet headers (the default alert mode). |
| `snort -A unsock -c <snort.conf>` | Sends alerts to a UNIX domain socket so another process on the host can consume them. |
(Rules define how Snort detects suspicious traffic; they are written in a simple one-line rule language)
Rule Format:
action protocol src_ip src_port -> dst_ip dst_port (options)
The action says what to do on a match (alert, log, pass; drop, reject and sdrop only have an effect when Snort runs inline). The protocol is tcp, udp, icmp or ip. Addresses and ports accept `any`, a single value, a CIDR block or port range, a config variable such as `$HOME_NET` or `$EXTERNAL_NET`, a bracketed list, and `!` for negation. The direction is `->` (one way) or `<>` (either way). Options are `keyword:value;` pairs inside the parentheses, each terminated by a semicolon. Every rule needs a unique `sid` (use 1000000 or higher for locally written rules so they never collide with the official rule sets) and should carry a `rev` so that edits can be tracked; `msg` is the text that appears in the alert. A `content` match is case-sensitive unless `nocase;` is added, and for TCP it is applied to the reassembled stream only when the stream preprocessor is enabled (it is in the default `snort.conf`).
| Example Rule | Explanation |
|---|---|
| `alert icmp any any -> any any (msg:"ICMP test detected"; sid:1000001; rev:1;)` | Alerts on every ICMP packet (e.g., ping). Very noisy; useful mainly to confirm that the rule file is loaded and alerts are being written. |
| `alert tcp any any -> any 21 (msg:"FTP connection detected"; sid:1000002; rev:1;)` | Alerts on every TCP packet sent to port 21 (FTP), including each packet of an existing session, not just the connection attempt. |
| `alert udp any any -> any 53 (msg:"DNS request detected"; sid:1000003; rev:1;)` | Alerts on every UDP packet sent to port 53 (DNS). |
| `alert tcp any any -> any 80 (content:"password"; msg:"Cleartext password detected"; sid:1000004; rev:1;)` | Alerts when a packet to TCP port 80 carries the literal byte string `password`. The match is case-sensitive (`Password` would not fire; add `nocase;`), and it only works on plaintext HTTP: the same string inside a TLS session is invisible to Snort. |
| `alert tcp any any -> any 443 (flow:to_server,established; msg:"HTTPS traffic detected"; sid:1000005; rev:1;)` | Alerts on each client-to-server packet of an established TCP session to port 443. `flow` needs the stream preprocessor. Because the payload is encrypted, this detects the connection, not its content; as written it fires on all HTTPS traffic and is for illustration only. |
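Most rule mistakes are caught by `snort -T`, but a duplicate or reserved `sid` and a missing `rev` are easy to get past it and annoying to discover later. The following is an added example, not part of the original page or of the Snort project: a small linter for rules in the `action protocol src sport -> dst dport (options)` format shown above. It parses the header, splits the options while honouring quoted strings (a `;` inside `content:"..."` must not split the option), and reports a malformed header, a missing or non-numeric `sid`, a `sid` below 1000000, a missing `rev` or `msg`, and `sid` values reused within one file. The sample rule file is constructed for this example: the five rules from the table plus three deliberately faulty ones. The set of accepted actions and protocols is an assumption covering the common Snort 2.x keywords.

```python
import re
from typing import Dict, List, Tuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000  # sids below this belong to the official rule sets

# Header: action proto src sport (-> | <>) dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed sample rule file: the page's five rules, then three bad ones
# (duplicate sid, missing sid, malformed direction). Line 2 lacks rev on purpose.
SAMPLE_RULES = """\
# local.rules (constructed for this example)
alert icmp any any -> any any (msg:"ICMP test detected"; sid:1000001;)
alert tcp any any -> any 21 (msg:"FTP connection detected"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS request detected"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (content:"password"; msg:"Cleartext password detected"; sid:1000004; rev:1;)
alert tcp any any -> any 443 (flow:to_server,established; msg:"HTTPS traffic detected"; sid:1000005; rev:1;)
alert tcp any any -> any 80 (content:"pass;word"; msg:"semicolon inside quotes"; sid:1000005; rev:1;)
alert tcp any any -> any 22 (msg:"no sid here"; rev:1;)
alert tcp any any > any 23 (msg:"bad direction"; sid:1000006; rev:1;)
"""


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'k:v; k2; k3:"a;b";' into (key, value) pairs, keeping ';' inside quotes."""
    opts: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quote = escape = False

    def flush() -> None:
        tok = "".join(buf).strip()
        if tok:
            key, _, val = tok.partition(":")
            opts.append((key.strip(), val.strip()))
        buf.clear()

    for ch in body:
        if escape:                      # character after a backslash is literal
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
    flush()                             # tolerate a missing final ';'
    return opts


def port_ok(p: str) -> bool:
    """Accept any, a variable, a list, a negation, a port, or a range like 1024:, :1024, 80:90."""
    if p == "any" or p[:1] in ("$", "[", "!"):
        return True
    m = re.fullmatch(r"(\d*):?(\d*)", p)
    if not m or p in ("", ":"):
        return False
    return all(0 <= int(x) <= 65535 for x in m.groups() if x)


def lint_rule(rule: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (parsed header fields, findings) for one rule line."""
    m = HEADER_RE.match(rule)
    if not m:
        return {}, ["ERROR: rule header does not match 'action proto src sport -> dst dport (...)'"]
    f = m.groupdict()
    findings: List[str] = []
    if f["action"] not in ACTIONS:
        findings.append(f"ERROR: unknown action {f['action']!r}")
    if f["proto"] not in PROTOCOLS:
        findings.append(f"ERROR: unknown protocol {f['proto']!r}")
    for label in ("sport", "dport"):
        if not port_ok(f[label]):
            findings.append(f"ERROR: bad port spec {f[label]!r}")
    opts = split_options(f["opts"])
    sid = next((v for k, v in opts if k == "sid"), None)
    if sid is None:
        findings.append("ERROR: missing sid")
    elif not sid.isdigit():
        findings.append(f"ERROR: sid {sid!r} is not numeric")
    elif int(sid) < LOCAL_SID_MIN:
        findings.append(f"WARNING: sid {sid} is below {LOCAL_SID_MIN}; may collide with an official rule")
    if not any(k == "rev" for k, _ in opts):
        findings.append("WARNING: missing rev; add rev:1; so edits can be tracked")
    if not any(k == "msg" for k, _ in opts):
        findings.append("WARNING: missing msg; alerts will be hard to read")
    f["sid"] = sid or ""
    return f, findings


def lint_file(text: str) -> Dict[int, List[str]]:
    """Lint every non-empty, non-comment line and flag sids reused across lines."""
    report: Dict[int, List[str]] = {}
    seen: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields, findings = lint_rule(line)
        sid = fields.get("sid")
        if sid:
            if sid in seen:
                findings.append(f"ERROR: duplicate sid {sid} (first used on line {seen[sid]})")
            else:
                seen[sid] = lineno
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in sorted(lint_file(SAMPLE_RULES).items()):
        for msg in findings:
            print(f"line {lineno}: {msg}")
```

Run it over a local rules file before `snort -T`: the linter catches the logical problems (reused or reserved sids, untracked revisions) that a syntactically valid rule file still lets through, while `snort -T` remains the authority on what Snort itself will accept.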