Before we go into Snort's basic operational modes, let's first look at a breakdown of the command-line options. This chapter covers each item listed here, but some are not frequently used or may only be used in conjunction with other variables. Some of the options can be specified in the config file instead of at the command line. If you are just trying something out, specify the setting at the command line. If you are planning on keeping the setting for a while, set it in the config file.
- -A alert-mode
-
Generates an alert using one of the specified alert-modes: fast, full, none, and unsock. Rather than specifying the alert mode within a configuration file, you can include it here at the command line.
- -b
-
Logs packets in tcpdump format (i.e., libpcap). Files in tcpdump format are smaller, so this is the best method of recording large amounts of logged data and packets. It is very fast and may be a good option on high-traffic networks.
- -B address-conversion-mask
-
Scrambles the networks specified in the -h (or HOME_NET) setting. This helps hide the real internal network addresses inside binary logs.
- -c config-file
-
Allows you to specify which configuration file you want to use. If you have different configurations with various rules enabled, you can specify which configuration to use at the command line. This option is required when Snort is run in NIDS mode.
- -C
-
Prints the character data found in the packet payload, rather than displaying it in hexadecimal format. Reading this information is easier than wrestling with Hex output.
- -d
-
Displays the application layer data when in verbose or packet logging mode.
- -D
-
Runs Snort in daemon mode. Alerts are dumped to the alert file in the logging directory (/var/log/snort by default). Daemon mode is useful if you wish to automate the startup of Snort in the event of a reboot. Passing this option to Snort in a command script starts Snort in the background. No error messages are printed to the console in this mode. Do not use this mode unless you are already familiar with Snort and have a working, viable configuration. (Use the -T option, discussed below, to test your configuration before using daemon mode.)
- -e
-
Displays or logs the link layer packet headers. This is the more verbose method of viewing captured packets when running Snort in sniffing mode.
- -F bpf-file
-
Reads Berkeley Packet Filters (BPF) from a bpf file. These filters are useful when running Snort as a SHADOW replacement or when performing an analysis via a command-line filter. This filter is commonly used to tune out noise or random alerts. (It is not commonly used.) You could use a BPF filter to tell one system to watch only web traffic and another to watch everything else.
- -g group
-
Changes the default group ID or GID under which Snort runs after initialization. This is helpful if you want to run Snort in a special group for security reasons.
- -h home-net
-
Sets the "home network" to a specific address in CIDR format. With this variable set, all decoded packet logging is done relative to the home network address space. This option is equivalent to setting the HOME_NET variable in the configuration file.
- -i interface
-
Specifies which interface Snort should listen on. This option is used on machines that have more than one network interface card or that have different kinds of interfaces, besides Ethernet. Naming conventions for interfaces vary between operating systems.
- -I
-
In alerts, displays the interface on which each packet arrived. Useful when monitoring multiple interfaces; you can see which interface received the suspicious packet. Also very useful when multiple Snort sensors are sending their alerts to a central database (discussed further in Chapter 5).
- -k checksum-mode
-
Controls which packet checksums Snort computes and verifies. Valid checksum modes include all, noip, notcp, noudp, noicmp, and none. This can be used to eliminate packets that fail their checksums - caused either by network faults or IDS evasion attempts
- -l logging-directory
-
Specifies the logging directory. All alerts and packet logs are placed in this directory. The default logging directory is /var/log/snort, but that default is only used when Snort is in alert (-A) mode. If you want to use Snort as a simple packet logger, you must use the -l option and specify the logging directory explicitly. Often used when debugging Snort and when logging packets to a temporary directory so that the new logs do not mingle with production logs.
- -L binary-log-file
-
Sets the filename of the binary logfile. If this switch is not used, the default name is a timestamp for when the file was created, plus snort.log.
- -m umask
-
Sets the file mode creation mask to the designated umask variable. This is a simple security measure to prevent others from viewing the logfiles generated during packet capture.
- -n packet-count
-
Processes the given number of packets and then exits. Useful when you want to capture a small snapshot network traffic.
- -N
-
Turns off packet logging. Alerts are still generated but are printed to the console only. No records are kept on the system of the generated alerts. This can be useful when testing your configurations.
- -o
-
Changes the order in which the rules are applied to packets. Instead of the rules being applied in the standard Alert 
Pass Log order, this option applies them in Pass Alert Log order. Recommended for users running SnortCenter and other web interfaces. This is how the developers of these applications decided to display captured Snort packets. This option is also used to ensure that pass rules are applied before detection rules. See Chapter 9 for the caveats with using this option (and pass rules).
- -O
-
When in ASCII packet dump mode, replaces the IP addresses printed to the screen or logfile with "xxx.xxx.xxx.xxx". If the home-net address switch is set, -h, only addresses on home-net are obfuscated, while non-home net IPs are left visible. Use this option when capturing sample alerts or packets that need to be posted or shared with other non-trusted users. It is perfect for posting a packet capture to a discussion group or a mailing list.
- -p
-
Turns off promiscuous mode sniffing. When first working with Snort, the usefulness of this option evaded me. The answer came to me in the shower it can be used to protect only one host. When not in promiscuous mode, an adapter will only accept packets addressed to itself.
- -P snap-length
-
Sets the maximum packet capture length to a certain size. Some packets may be very large. While most rules look for characteristics or signatures in the beginning of a packet, setting the maximum packet length may cause you to miss large malicious packets, when the offending string is located at the end.
- -q
-
Tells Snort to run quietly. Does not display banner and initialization information. If you aren't interested in the initialization messages, you can suppress them with this.
- -r tcpdump-file
-
Use this option to process a tcpdump-formatted file. The output appears much like it would when capturing data in real-time. This option is used to analyze a packet trace that was collected at an earlier time.
- -s
-
Sends alert messages to a syslog server. This can be either a local or remote server. Use this option when capturing logs and alerts within syslog.
- -S variable=value
-
Sets the variable name variable to the value value. There are a number of variables that Snort uses to define what systems are on your local network (HOME_NET), which are web servers or DNS servers, and which systems are external to your network. It is advised to keep all variables in the snort.conf file to limit confusion.
- -t chroot
-
Changes Snort's root directory to chroot after initialization. Paths for logfiles and alert files are relative to the new root directory.
- -T
-
Starts Snort in self-test mode. Useful for debugging Snort before it is run in daemon mode or before it is launched on a production box. Can be used for testing the correctness of your configuration files.
- -u user
-
Changes the default user ID or UID under which Snort runs after initialization.Like the -g option, an added security feature for running Snort as a nondescript user.
- -U
-
Forces the timestamp in all logs to be in UTC (a.k.a. GMT) format. A recommended option when capturing logs from multiple sources on a single syslog server and if sensors are scattered across a large WAN; you won't have to deal with time zone differences.
- -v
-
The verbose option prints all packets to the console. Be careful when using this option, as it may slow Snort and result in dropped packets.
- -V
-
Displays the Snort version number and then exits. Use this to determine which version of Snort is installed on your system.
- -X
-
Displays raw packet data starting at the link layer. With this option you can see the entire packet, including Ethernet headers and trailers.
- -y
-
Includes the year in all alerts and logfiles. Useful when you want to create an archive of logged Snort packets that can be referred to later.
- -z
-
Enables the stream4 preprocessor. Preprocessors manage incoming packets before passing them off to Snort. They are sometimes used to reconstruct fragmented packets. This option takes advantage of stream4's stateful packet inspection capabilities. It tells Snort to generate alerts only when a packet is part of an established session, foiling some IDS evasion mechanisms.
- -?
-
Lists all switches and options and then exits.
This chapter provides examples of nearly all these options. With the working examples or the options shown here, you should be able to configure your own Snort process. Experiment with the options to see how they act on your system.
Further discussion of these command-line options can be found within the Snort manpages or within the documentation contained on the main Snort page. Although much is covered here, documentation does change over time (and new features and options are added from version to version). Consult the most recent release.
