Category: Networking and Security

2008-06-12 15:59:05

USAGE: /usr/local/snort/bin/snort [-options]
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after initialization
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Home network = <hn>
        -H         Make hash tables deterministic.
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -M         Log messages to syslog (not alerts)
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -o         Change the rule testing order to Pass|Alert|Log
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -Z <file>  Set the performonitor preprocessor file path and name
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
   --logid <0xid>                  Same as -G
   --perfmon-file <file>           Same as -Z
   --pid-path <path>               Specify the directory for the Snort PID file
   --snaplen <snap>                Same as -P
   --help                          Same as -?
   --version                       Same as -V
   --alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
   --treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup
   --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group
   --dynamic-engine-lib <file>     Load a dynamic detection engine
   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
   --dynamic-detection-lib <file>  Load a dynamic rules library
   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
   --dump-dynamic-preproc-genmsg   Creates gen-msg.map files of all loaded preprocessor libraries
   --create-pidfile                Create PID file, even when not in Daemon mode
   --nolock-pidfile                Do not try to lock Snort PID file
   --disable-inline-initialization Do not perform the IPTables initialization in inline mode.
   --pcap-single <tf>              Same as -r.
   --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.
   --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.
   --pcap-dir <dir>                a directory to recurse to look for pcaps - read mode is implied.
   --pcap-filter <filter>          filter to apply when getting pcaps from file or directory.
   --pcap-no-filter                reset to use no filter when getting pcaps from file or directory.
   --pcap-loop <count>             this option will read the pcaps specified on command line continuously.
                                   for <count> times.  A value of 0 will read until Snort is terminated.
   --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
   --pcap-show                     print a line saying what pcap is currently being read.
   --exit-check <count>            Signal termination after <count> callbacks from pcap_dispatch(), showing the time it
                                   takes from signaling until pcap_close() is called.
