- -A alert-mode
Generates an alert using one of the specified
none, and unsock. Rather than
specifying the alert mode within a configuration file, you can
include it here at the command line.
packets in tcpdump format (i.e.,
libpcap). Files in tcpdump format are smaller, so this is the best
method of recording large amounts of logged data and packets. It is
very fast and may be a good option on high-traffic networks.
- -B address-conversion-mask
Scrambles the networks specified in the
-h (or HOME_NET) setting. This helps hide the real
internal network addresses inside binary logs.
- -c config-file
Allows you to specify which configuration file you want to use. If
you have different configurations with various rules enabled, you can
specify which configuration to use at the command line. This option
is required when Snort is run in
Prints the character data found in the packet
payload, rather than displaying it in hexadecimal format. Reading
this information is easier than wrestling with Hex output.
Displays the application layer data when in verbose or packet logging
Runs Snort in daemon mode. Alerts are dumped to the
alert file in the logging directory
(/var/log/snort by default). Daemon mode is
useful if you wish to automate the startup of Snort in the event of a
reboot. Passing this option to Snort in a command script starts Snort
in the background. No error messages are printed to the console in
this mode. Do not use this mode unless you are already familiar with
Snort and have a working, viable configuration. (Use the
-T option, discussed below, to test your
configuration before using daemon mode.)
Displays or logs the link layer packet headers. This is the more
verbose method of viewing captured packets when running Snort in
- -F bpf-file
Reads Berkeley Packet
Filters (BPF) from a bpf
file. These filters are useful when running Snort as a SHADOW
replacement or when performing an analysis via a command-line filter.
This filter is commonly used to tune out noise or random alerts. (It
is not commonly used.) You could use a BPF filter to tell one system
to watch only web traffic and another to watch everything else.
- -g group
Changes the default group ID or GID under
which Snort runs after initialization. This is helpful if you want to
run Snort in a special group for security reasons.
- -h home-net
Sets the "home
network" to a specific address in CIDR format. With
this variable set, all decoded packet logging is done relative to the
home network address space. This option is equivalent to setting the
HOME_NET variable in the configuration file.
- -i interface
interface Snort should listen on. This
option is used on machines that have more than one network interface
card or that have different kinds of interfaces, besides Ethernet.
Naming conventions for interfaces vary between operating systems.
In alerts, displays the interface on which each packet arrived.
Useful when monitoring multiple
interfaces; you can see which
interface received the suspicious packet. Also very useful when
multiple Snort sensors are sending their alerts to a central database
(discussed further in Chapter 5).
- -k checksum-mode
packet checksums Snort computes
and verifies. Valid checksum modes include all,
noudp, noicmp, and
none. This can be used to eliminate packets that
fail their checksums - caused either by network faults or IDS evasion
- -l logging-directory
logging directory. All alerts and
packet logs are placed in this directory. The default logging
directory is /var/log/snort, but that default is
only used when Snort is in alert (-A) mode. If you
want to use Snort as a simple packet logger, you must use the
-l option and specify the logging directory
explicitly. Often used when debugging Snort and when logging packets
to a temporary directory so that the new logs do not mingle with
- -L binary-log-file
Sets the filename of the binary logfile. If this switch is not used,
the default name is a timestamp for when the file was created, plus
- -m umask
Sets the file mode creation mask to the
designated umask variable. This is a simple security measure to
prevent others from viewing the logfiles generated during packet
- -n packet-count
Processes the given number of packets and then exits. Useful when you
want to capture a small snapshot
Turns off packet logging. Alerts are still
generated but are printed to the console only. No records are kept on
the system of the generated alerts. This can be useful when testing
Changes the order in which the rules are applied to
packets. Instead of the rules
being applied in the standard Alert
Log order, this option
applies them in Pass
Alert Log order.
Recommended for users running
other web interfaces. This is how the developers of these
applications decided to display captured Snort packets. This option
is also used to ensure that pass rules are
applied before detection rules. See Chapter 9
for the caveats with using this option (and pass
When in ASCII packet dump mode, replaces the IP
addresses printed to the screen or logfile with
"xxx.xxx.xxx.xxx". If the home-net
address switch is set, -h, only addresses on
home-net are obfuscated, while non-home net IPs are left visible. Use
this option when capturing sample alerts or packets that need to be
posted or shared with other non-trusted users. It is perfect for
posting a packet capture to a discussion group or a mailing list.
Turns off promiscuous mode sniffing.
When first working with Snort, the usefulness of this option evaded
me. The answer came to me in the shower—it can be used to
protect only one host. When not in promiscuous mode, an adapter will
only accept packets addressed to itself.
- -P snap-length
Sets the maximum
packet capture length to a certain
size. Some packets may be very large. While most rules look for
characteristics or signatures in the beginning of a packet, setting
the maximum packet length may cause you to miss large malicious
packets, when the offending string is located at the end.
Tells Snort to run quietly. Does not display banner and
initialization information. If you aren't interested
in the initialization messages, you can suppress them with this.
- -r tcpdump-file
Use this option to process a tcpdump-formatted file. The output
appears much like it would when capturing data in real-time. This
option is used to analyze a packet trace that was collected at an
Sends alert messages to a syslog server. This can be either a
local or remote server. Use this option when capturing logs and
alerts within syslog.
- -S variable=value
Sets the variable name variable to the
value value. There are a number of
variables that Snort uses to define what systems are on your local
network (HOME_NET), which are web servers or DNS servers, and which
systems are external to your network. It is advised to keep all
variables in the snort.conf file to limit
- -t chroot
Changes Snort's root directory to
chroot after initialization. Paths for
logfiles and alert files are relative to the new root directory.
Starts Snort in self-test mode. Useful for debugging Snort
before it is run in daemon mode or before it is launched on a
production box. Can be used for testing the correctness of your
- -u user
Changes the default user ID or UID under which Snort
runs after initialization.Like the -g option, an
added security feature for running Snort as a nondescript user.
Forces the timestamp in all logs to be in UTC
(a.k.a. GMT) format. A recommended option when capturing logs from
multiple sources on a single syslog server and if sensors are
scattered across a large WAN; you won't have to deal
with time zone differences.
The verbose option prints all packets to the console. Be
careful when using this option, as it may slow Snort and result in
Displays the Snort version number and then exits. Use
this to determine which version of Snort is installed on your system.
Displays raw packet data starting at the link
layer. With this option you can see the entire packet, including
Ethernet headers and trailers.
Includes the year in all alerts and
logfiles. Useful when you want to create an archive of logged Snort
packets that can be referred to later.
Enables the stream4 preprocessor. Preprocessors manage
incoming packets before passing them off to Snort. They are sometimes
used to reconstruct fragmented packets. This option takes advantage
of stream4's stateful packet inspection
capabilities. It tells Snort to generate alerts only when a packet is
part of an established session, foiling some IDS evasion mechanisms.
Lists all switches
and options and then exits.
This chapter provides examples of nearly all these options. With the
working examples or the options shown here, you should be able to
configure your own Snort process. Experiment with the options to see
how they act on your system.
Further discussion of these command-line options can be found within
the Snort manpages or within the documentation contained on the main
Snort page. Although much is covered here, documentation does change
over time (and new features and options are added from version to
version). Consult the most recent release.