58

Chapter 2     Installing Snort and Getting Started

2.7 Snort Modes

Snort operates in two basic modes: packet sniffer mode and NIDS mode. It can be used

as a packet sniffer, like tcpdump or snoop. When sniffing packets, Snort can also log

these packets to a log file. The file can be viewed later on using Snort or tcpdump. No

intrusion detection activity is done by Snort in this mode of operation.  Using Snort for

this purpose is not very useful as there are many other tools available for packet log 

ging. For example, all Linux distributions come with the tcpdump program which is

very efficient. 

When you use Snort in network intrusion detection (NIDS) mode, it uses its rules

to find out if there is any network intrusion detection activity.

2.7.1

Network Sniffer Mode

In the network sniffer mode, Snort acts like the commonly used program tcpdump.

It can capture and display packets from the network with different levels of detail on the

console. You don't need a configuration file to run Snort in the packet sniffing mode.

The following command displays information about each packet flowing on the net 

work segment:

[root@conformix snort]# /opt/snort/bin/snort  v

Initializing Output Plugins!

Log directory = /var/log/snort

Initializing Network Interface eth0

          == Initializing Snort ==  

Decoding Ethernet on interface eth0

          == Initialization Complete ==  

 *> Snort! <* 

Version 1.9.0 (Build 209)

By Martin Roesch (roesch@sourcefire.com, www.snort.org)

11/20 15:56:14.632067 192.168.1.100:2474  > 192.168.1.2:22

TCP TTL:128 TOS:0x0 ID:4206 IpLen:20 DgmLen:40 DF

***A**** Seq: 0x9DAEEE9C  Ack: 0xF5683C3A  Win: 0x43E0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/20 15:56:14.632188 192.168.1.2:22  > 192.168.1.100:2474

TCP TTL:64 TOS:0x10 ID:57042 IpLen:20 DgmLen:200 DF

***AP*** Seq: 0xF5683C8A  Ack: 0x9DAEEE9C  Win: 0x6330  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+