Ultimate Snort Cheat Sheet

The industry standard for Network Intrusion Detection & Prevention (NIDS/IPS). The commands and file names below are for the Snort 2.x command line and snort.conf; Snort 3 uses snort.lua and renames several of these flags.

1. Operation Modes

Snort can run in three distinct modes: Sniffer, Packet Logger, and NIDS.

Sniffer Mode

Read packets off the wire and display them.

snort -v
snort -vd

-v: Verbose (print packet headers), -d: Dump the application-layer payload.

Logger Mode

Log packets to disk.

snort -dev -l ./log

-l: Log directory (must already exist). -e: Also show the link-layer (Ethernet) headers.

NIDS Mode

Analyze traffic against a rule set.

snort -c /etc/snort/snort.conf

-c: Configuration file.

2. Running Snort (NIDS)

Common commands for running Snort as a daemon or console app.

Console Output (Debug)

Print alerts directly to the screen (good for testing). -u/-g drop root privileges to the snort user and group once the interface is open; -q suppresses the banner and statistics.

snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Daemon Mode (Production)

Run in background (`-D`).

snort -D -c /etc/snort/snort.conf -l /var/log/snort/

Key Flags

-A console     Print alerts to the terminal
-q             Quiet mode (no banner or statistics)
-c [file]      Path to the configuration file
-i [iface]     Interface to listen on (e.g. eth0)
-T             Test the configuration and exit (dry run)
-D             Run as a daemon
-u/-g [name]   Drop privileges to this user/group after start-up

3. Rule Syntax

The core of Snort. Custom rules conventionally go in local.rules, which snort.conf pulls in with an include line (include $RULE_PATH/local.rules); a rule file that is not included is never loaded.

Structure

action proto src_ip src_port -> dest_ip dest_port (options)

Example Rule

alert tcp any any -> 192.168.1.0/24 80 (msg:"Possible SQL Injection"; content:"UNION SELECT"; sid:1000001; rev:1;)

As written the content match is case-sensitive, so "union select" passes untouched; add nocase (section 4) before relying on a rule like this.

Component    Description
Action       alert, log, pass, drop, reject (drop and reject only take effect in inline mode)
Proto        tcp, udp, icmp, ip
Direction    -> (one way), <> (bidirectional)
Variables    $HOME_NET, $EXTERNAL_NET, $HTTP_PORTS (defined with ipvar/portvar in snort.conf)

4. Rule Options (Payload Detection)

The logic inside the parenthesis (...).

Meta Data

  • msg:"Text": The alert message displayed.
  • sid:1000001: Snort rule ID. Values 1,000,000 and above are reserved for local rules; lower ranges belong to the official rulesets. Every sid must be unique.
  • rev:1: Revision number; bump it whenever the rule changes.
  • classtype:trojan-activity: Categorizes the alert and sets its default priority (the classes are defined in classification.config).

Payload Content

  • content:"|90 90 90|": Match raw bytes written as hex between pipes (here a NOP sled). Text and |hex| runs can be mixed in one content.
  • content:"/bin/sh": Match a string.
  • nocase: Case-insensitive match for the preceding content.
  • depth:5: Search only the first 5 bytes (counted from the payload start, or from offset when one is given).
  • offset:10: Skip the first 10 bytes before searching.
  • distance / within: The same limits, but measured from the end of the previous content match; use them to chain patterns in order.

Modifiers always apply to the content immediately before them.

PCRE (Regex)

Advanced matching using Perl Compatible Regular Expressions. A rule with pcre alone is evaluated against every packet that matches its header, which is expensive; pair it with a content: that narrows the candidates first, and anchor the expression where you can.

pcre:"/GET \/index\.php\?id=[0-9]{10}/"
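To make the rule structure of section 3 and the content modifiers of section 4 concrete, here is a small Python model of both, added for this cheat sheet and not taken from Snort itself. It parses a rule header and option list, decodes content strings with |hex| runs, applies nocase/offset/depth/distance/within the way Snort's content matcher bounds its search window, and lints the metadata. The rule strings and payloads are constructed for the example; only the keywords discussed above are handled.

```python
"""Toy model of the Snort rule syntax from sections 3 and 4.

Added example, not Snort's own code. Handles only the keywords covered on
this page: header fields, msg/sid/rev, content with |hex|, nocase, offset,
depth, distance, within, and a pcre presence check.
"""
import re

# Constructed sample rules (not from any real ruleset).
SQLI_RULE = ('alert tcp any any -> 192.168.1.0/24 80 (msg:"Possible SQL Injection"; '
             'content:"UNION SELECT"; nocase; sid:1000001; rev:1;)')
WEAK_RULE = SQLI_RULE.replace(' nocase;', '')   # same rule, case-sensitive
NOP_RULE = ('alert tcp any any -> $HOME_NET any (msg:"NOP sled followed by /bin/sh"; '
            'content:"|90 90 90|"; offset:0; depth:16; '
            'content:"/bin/sh"; distance:0; within:64; sid:1000002; rev:1;)')
BAD_RULE = 'alert tcp any any -> any any (msg:"id probe"; pcre:"/id=[0-9]{10}/"; sid:99;)'

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body):
    """Split 'key:value; flag; ...' on semicolons that sit outside double quotes."""
    opts, cur, quoted = [], '', False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(cur)
            cur = ''
        else:
            cur += ch
    opts.append(cur)
    pairs = []
    for opt in opts:
        if opt.strip():
            name, _, value = opt.strip().partition(':')
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_rule(text):
    """Return the header fields plus the ordered option list of one rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule: ' + text)
    keys = ('action', 'proto', 'src', 'src_port', 'dir', 'dst', 'dst_port')
    rule = dict(zip(keys, m.groups()[:7]))
    rule['options'] = split_options(m.group(8))
    return rule


def decode_content(value):
    """Turn a content string such as "|90 90|/bin/sh" into raw bytes."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        if i % 2:                       # odd parts sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def content_matches(rule, payload):
    """Evaluate every content: option, in order, against a payload.

    offset/depth bound the window from the payload start; distance/within bound
    it from the end of the previous match. The whole pattern must fit inside
    the window, which is how Snort applies these modifiers.
    """
    groups = []                         # [[pattern_bytes, {modifier: value}], ...]
    for name, value in rule['options']:
        if name == 'content':
            groups.append([decode_content(value), {}])
        elif groups and name in ('nocase', 'offset', 'depth', 'distance', 'within'):
            groups[-1][1][name] = int(value) if value else True
    last_end = 0
    for pattern, mods in groups:
        hay = payload
        if mods.get('nocase'):
            pattern, hay = pattern.lower(), hay.lower()
        if 'distance' in mods or 'within' in mods:
            start = last_end + mods.get('distance', 0)
        else:
            start = mods.get('offset', 0)
        span = mods.get('within', mods.get('depth'))
        end = start + span if span is not None else len(hay)
        idx = hay.find(pattern, start, end)
        if idx < 0:
            return False
        last_end = idx + len(pattern)
    return True


def lint_rule(rule):
    """Problems a reviewer would raise before the rule goes into local.rules."""
    names = [n for n, _ in rule['options']]
    opts = dict(rule['options'])
    problems = []
    if 'msg' not in names:
        problems.append('missing msg')
    if 'sid' not in names:
        problems.append('missing sid')
    elif int(opts['sid']) < 1000000:
        problems.append('sid below 1000000 collides with official rulesets')
    if 'rev' not in names:
        problems.append('missing rev')
    if 'pcre' in names and 'content' not in names:
        problems.append('pcre without a content prefilter runs on every packet')
    return problems


if __name__ == '__main__':
    request = b'GET /index.php?id=1 union select 1,2 HTTP/1.1\r\n'   # constructed payload
    for text in (SQLI_RULE, WEAK_RULE, NOP_RULE, BAD_RULE):
        rule = parse_rule(text)
        print(dict(rule['options']).get('msg'), '| lint:', lint_rule(rule) or 'ok',
              '| matches request:', content_matches(rule, request))
```

Running it shows the point made under the example rule: SQLI_RULE fires on the lower-case request because of nocase, WEAK_RULE does not, NOP_RULE only fires when the sled sits in the first 16 bytes and /bin/sh follows within 64 bytes of it, and BAD_RULE is rejected by the linter for its sid, missing rev and bare pcre.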

5. Filtering & Logging

BPF Filters (Berkeley Packet Filter)

Ignore noise by adding a BPF filter at the end of the command (same syntax as tcpdump), or read a longer filter from a file with -F. Note that filtered packets are invisible to every rule, so filter only traffic you genuinely never want inspected.

snort -c snort.conf not port 22

Log Formats

  • Unified2: Binary format (the standard output). Enabled with an output line in snort.conf (for example output unified2: filename snort.u2, limit 128) and read or exported with Barnyard2.
  • Pcap: Standard packet capture (readable by Wireshark).
  • CSV: Comma-separated text (deprecated, but simple to grep).

Read PCAP with Snort

Replay a saved pcap file through Snort to test whether it triggers alerts. Add -A console -q to see the alerts on screen; -r takes a single file, --pcap-dir a directory of them.

snort -r capture.pcap -c /etc/snort/snort.conf

6. Testing Your Config

Always run a configuration check after editing rules.

snort -T -c /etc/snort/snort.conf

Success message: look for "Snort successfully validated the configuration!" at the end of the output. Snort exits non-zero on a fatal configuration error, so the same command can gate a rule reload in a script.