Logging Snort Data in Text Format

Snort Modes 65

20:01:55.749466 192.168.1.1.1901 > 239.255.255.250.1900: udp 325
20:01:55.751968 192.168.1.1.1901 > 239.255.255.250.1900: udp 253
20:01:55.754145 192.168.1.1.1901 > 239.255.255.250.1900: udp 245
20:01:55.756781 192.168.1.1.1901 > 239.255.255.250.1900: udp 289
20:01:55.759258 192.168.1.1.1901 > 239.255.255.250.1900: udp 265
20:01:55.761763 192.168.1.1.1901 > 239.255.255.250.1900: udp 319
20:01:55.764365 192.168.1.1.1901 > 239.255.255.250.1900: udp 317
20:01:55.767103 192.168.1.1.1901 > 239.255.255.250.1900: udp 321
20:01:55.769557 192.168.1.1.1901 > 239.255.255.250.1900: udp 313
20:01:56.336697 192.168.1.100.2474 > 192.168.1.2.ssh: P 0:80(80) ack 465 win 16496 (DF)
[root@conformix snort]#

You can use different command line options with tcpdump to manipulate the display of data. For more information about tcpdump, use the "man tcpdump" command or see Appendix A.
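The text log above is in tcpdump's one-line-per-packet format, which is convenient to post-process when you want a quick picture of what a sniffer session captured. The following parser is an added example written for this section, not code from the book or from the Snort project. It reads constructed sample lines modelled on the output above, extracts timestamp, endpoints, protocol and byte count, and tallies packets and bytes per destination, flagging multicast destinations (the repeated SSDP traffic to 239.255.255.250 is typical background noise that a reviewer may want to separate from host-to-host sessions such as the SSH connection).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the tcpdump-style text format shown above
# (modelled on the page's output, not copied from a real capture).
SAMPLE_LOG = """\
20:01:55.749466 192.168.1.1.1901 > 239.255.255.250.1900: udp 325
20:01:55.751968 192.168.1.1.1901 > 239.255.255.250.1900: udp 253
20:01:55.754145 192.168.1.1.1901 > 239.255.255.250.1900: udp 245
20:01:56.336697 192.168.1.100.2474 > 192.168.1.2.ssh: P 0:80(80) ack 465 win 16496 (DF)
this line is not a packet record
"""

# Record layout: <timestamp> <src>.<sport> > <dst>.<dport>: <protocol specific rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[^:\s]+):\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one record; return a dict, or None for lines that are not packet records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if rest.startswith("udp "):
        rec["proto"] = "udp"
        rec["length"] = int(rest.split()[1])      # "udp 325" -> 325 payload bytes
        rec["flags"] = ""
    else:
        rec["proto"] = "tcp"
        seg = re.search(r"\((\d+)\)", rest)       # "0:80(80)" -> 80 bytes in this segment
        rec["length"] = int(seg.group(1)) if seg else 0
        rec["flags"] = rest.split()[0] if rest else ""
    rec["multicast"] = ipaddress.ip_address(rec["dst"]).is_multicast
    return rec


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not packet records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count packets and bytes per (proto, dst, dport) and how many went to multicast."""
    packets = Counter()
    byte_total = Counter()
    for r in records:
        key = (r["proto"], r["dst"], r["dport"])
        packets[key] += 1
        byte_total[key] += r["length"]
    multicast = sum(1 for r in records if r["multicast"])
    return {"packets": packets, "bytes": byte_total, "multicast_packets": multicast}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    for key, n in s["packets"].most_common():
        print(f"{key[0]} {key[1]}:{key[2]}  packets={n}  bytes={s['bytes'][key]}")
    print("multicast packets:", s["multicast_packets"])
```

The byte count means different things per protocol: for UDP it is the datagram payload length tcpdump prints after "udp", for TCP it is the segment length in parentheses, so the totals should be read as payload volume per destination, not wire bytes.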

2.7.2 Network Intrusion Detection Mode

In intrusion detection mode, Snort does not log each captured packet as it does in the network sniffer mode. Instead, it applies rules to all captured packets. Only if a packet matches a rule is it logged or an alert generated. If a packet does not match any rule, the packet is dropped silently and no log entry is created.

When you use Snort in intrusion detection mode, you typically provide a configuration file on the command line. This configuration file contains Snort rules or references to other files that contain Snort rules. In addition to rules, the configuration file also contains information about input and output plug-ins, which are discussed in Chapter 4. The typical name of the Snort configuration file is snort.conf. We previously saved the snort.conf configuration file in the /opt/snort/etc directory along with other files. This was done during the installation procedure.[5] The following command starts Snort in the Network Intrusion Detection (NID) mode:

snort -c /opt/snort/etc/snort.conf

When you start this command, Snort will read the configuration file /opt/snort/etc/snort.conf and all other files included in this file. Typically these files contain Snort rules and configuration data. After reading these files, Snort will build its internal data structures and rule chains. All captured packets will then be matched against these rules and appropriate action will be taken, if configured to do so.

[5] If you used the RPM package to install Snort, the typical location of the Snort configuration file is /etc/snort/snort.conf.
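To see what "reads the configuration file and all other files included in this file" amounts to in practice, the following added example (written for this section, not code from the book or from Snort itself) walks a small constructed snort.conf tree the way a configuration loader would: it records var definitions, expands $VARIABLE references, follows include lines, keeps non-rule directives such as preprocessor and output settings, and collects the rules by their action keyword. Two details are assumptions made for the example rather than documented Snort behaviour: relative include paths are resolved against the directory of the including file, and a file that is included a second time (a loop or duplicate include) is skipped rather than re-read. The file contents are constructed and hypothetical.

```python
import os
import re
import tempfile

# Constructed mini configuration tree (hypothetical contents, not the book's snort.conf).
CONSTRUCTED_FILES = {
    "snort.conf": (
        "var HOME_NET 192.168.1.0/24\n"
        "var RULE_PATH rules\n"
        "preprocessor stream4: detect_scans\n"
        "output alert_fast: alert.ids\n"
        "include $RULE_PATH/local.rules\n"
        "include $RULE_PATH/web.rules\n"
    ),
    "rules/local.rules": (
        "# constructed local rules\n"
        'alert tcp any any -> $HOME_NET 22 (msg:"constructed ssh probe"; sid:1000001;)\n'
        "include ../snort.conf\n"   # deliberate include loop; the loader must not recurse forever
    ),
    "rules/web.rules": (
        'alert tcp any any -> $HOME_NET 80 (msg:"constructed http"; sid:1000002;)\n'
        'log udp any any -> any 1900 (msg:"constructed ssdp"; sid:1000003;)\n'
    ),
}

# Keywords that begin a rule line in a Snort rules file.
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")


def write_tree(base):
    """Write the constructed files under base and return the path of the top-level snort.conf."""
    for rel, body in CONSTRUCTED_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return os.path.join(base, "snort.conf")


def expand_vars(text, variables):
    """Replace $NAME with its var value; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), text)


def load_config(path, state=None):
    """Read a snort.conf-style file, follow includes, and collect vars, rules and directives."""
    path = os.path.abspath(path)
    if state is None:
        state = {"variables": {}, "rules": [], "directives": [], "files": []}
    if path in state["files"]:
        return state            # assumption: already-read files are skipped (breaks include loops)
    state["files"].append(path)
    with open(path) as f:
        for raw in f:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            word = line.split()[0]
            if word == "var":
                _, name, value = line.split(None, 2)
                state["variables"][name] = value
            elif word == "include":
                target = expand_vars(line.split(None, 1)[1], state["variables"])
                if not os.path.isabs(target):
                    # assumption: relative includes are resolved against the including file
                    target = os.path.join(os.path.dirname(path), target)
                load_config(target, state)
            elif word in RULE_ACTIONS:
                state["rules"].append(expand_vars(line, state["variables"]))
            else:
                state["directives"].append(line)
    return state


def count_by_action(rules):
    """Tally rules by their leading action keyword."""
    counts = {}
    for r in rules:
        action = r.split()[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


def load_example():
    """Build the constructed tree in a temporary directory and load it."""
    with tempfile.TemporaryDirectory() as tmp:
        return load_config(write_tree(tmp))


if __name__ == "__main__":
    cfg = load_example()
    print("files read:", len(cfg["files"]))
    print("directives:", cfg["directives"])
    print("rules by action:", count_by_action(cfg["rules"]))
```

Running it shows three files read, two non-rule directives, and three rules (two alert, one log) with $HOME_NET already expanded; the include loop in local.rules is harmless because the top-level file is already on the list of files read.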