Snort command-line options, annotated

This article explains what the Snort command-line parameters listed below mean and how they are used. It is not complete; it will be filled in as I use more of them.

Run `snort --help` or `snort -?` to print the full usage text for the snort command line.

Snort version:

Version 2.9.11.1 GRE (Build 268)

Usage:

snort [-options] <filter options>
Options:
        -A <mode>
                Set alert mode: fast, full, console, test or none (alert-file alerts only).
                "unsock" enables UNIX socket logging (experimental).

        -b
                Log packets in tcpdump (pcap) format, which is much faster than ASCII logging.

        -B <mask>
                Obfuscate IP addresses in alerts and packet dumps using the CIDR mask <mask>.

        -c <rules>
                Use the rules/configuration file <rules>, e.g. `snort -c /etc/snort/snort.conf`.

        -C
                Print payloads as character data only (no hex dump).

        -d
                Dump the application-layer data.

        -D
                Run Snort in background (daemon) mode.

        -e
                Display the second-layer (data-link) header information.

        -f
                Turn off fflush() calls after binary log writes (fewer syscalls, but packets still
                buffered in stdio are lost if Snort dies).

        -F <bpf>
                Read BPF (Berkeley Packet Filter) filters from file <bpf>.

        -g <gname>
                Run Snort with group <gname> (name or gid) after initialization.

        -G <0xid>
                Log identifier, to uniquely identify events when several Snort instances are running.

        -h <hn>
                Set the home network to <hn>. This is for use with -l or -B; it does NOT change
                $HOME_NET in IDS mode, so set that variable in snort.conf.

        -H
                Make hash tables deterministic (fixed seeds). Meant for reproducible test runs;
                leave it unset in production, where the default random seeding is preferable.

        -i <if>
                Listen on interface <if>.

        -I
                Add the interface name to alert output.

        -k <mode>
                Checksum verification mode: all, noip, notcp, noudp, noicmp or none. Packets that
                fail verification are not inspected, so on a sensor whose NIC offloads checksumming
                (locally generated packets show bad checksums in the capture) relax this, e.g. -k none.

        -K <mode>
                Packet logging mode: pcap (default), ascii or none.

        -l <ld>
                Log to directory <ld> (it must be writable by the user given with -u).

        -L <file>
                Log packets to this tcpdump file.

        -M
                Send Snort's own messages to syslog (not alerts; see -s).

        -m <umask>
                Set the process umask to <umask> (e.g. 027 keeps log files unreadable to others).

        -n <cnt>
                Exit after receiving <cnt> packets.

        -N
                Turn off packet logging (alerts still work).

        -O
                Obfuscate the logged IP addresses.

        -p
                Disable promiscuous-mode sniffing (the sensor then only sees frames addressed to
                the host itself, plus broadcast/multicast).

        -P <snap>
                Set an explicit snaplen for captured packets (default: 1514). Bytes beyond the
                snaplen are neither logged nor inspected, so raise it for VLAN-tagged or jumbo frames.

        -q
                Quiet: do not show the banner at startup or the status report at exit.

        -Q
                Enable inline mode operation (needs an inline-capable DAQ such as afpacket, nfq,
                ipq or ipfw; see --daq).

        -r <tf>
                Read and process the tcpdump/pcap file <tf> (for example Snort's own binary log).

        -R <id>
                Include <id> in the snort_intf<id>.pid file name.

        -s
                Log alert messages to syslog.

        -S <n=v>
                Set rules-file variable n to value v.

        -t <dir>
                Chroot the process to <dir> after initialization. Combine with -u/-g, and keep the
                log directory inside <dir>, since nothing outside the jail is reachable afterwards.

        -T
                Test the current Snort configuration, report any problems and exit. Run this before
                (re)starting a production sensor.

        -u <uname>
                Run Snort as user <uname> (name or uid) after initialization. Root is only needed to
                open the interface; this drops it once capture is set up.

        -U
                Use UTC for timestamps.

        -v
                Be verbose: print packets to the terminal.

        -V
                Show the version number.

        -X
                Dump the raw packet data starting at the link layer.

        -x
                Exit if Snort configuration problems occur (same as --conf-error-out).

        -y
                Include the year in the timestamps in the alert and log files.

        -Z <file>
                Set the perfmonitor preprocessor output file path and name.

        -?
                Show this usage information.
  
        
<Filter options> are standard BPF expressions, as used by tcpdump.

Long option names and their corresponding single-character versions:
       --logid <0xid>
                Same as -G.

       --perfmon-file <file>
                Same as -Z.

       --pid-path <dir>
                Specify the directory for the Snort PID file.

       --snaplen <snap>
                Same as -P.

       --help
                Same as -?.

       --version
                Same as -V.

       --alert-before-pass
                Process alert, drop, sdrop or reject rules before pass rules; the default is pass
                before alert, drop, ...

       --treat-drop-as-alert
                Convert drop, sdrop and reject rules into alert rules during startup (lets an inline
                ruleset run on a passive sensor).

       --treat-drop-as-ignore
                Use drop, sdrop and reject rules to ignore session traffic when not inline.

       --process-all-events
                Process all queued events (drop, alert, ...); the default stops after the first action group.

       --enable-inline-test
                Enable inline-test mode operation (drop rules are evaluated but packets are not actually dropped).

       --dynamic-engine-lib <file>
                Load the dynamic detection engine <file>.

       --dynamic-engine-lib-dir <path>
                Load all dynamic engines from directory <path>.

       --dynamic-detection-lib <file>
                Load the dynamic rules library <file>.

       --dynamic-detection-lib-dir <path>
                Load all dynamic rules libraries from directory <path>.

       --dump-dynamic-rules <path>
                Create stub rule files for all loaded rules libraries in <path>.

       --dynamic-preprocessor-lib <file>
                Load the dynamic preprocessor library <file>.

       --dynamic-preprocessor-lib-dir <path>
                Load all dynamic preprocessor libraries from directory <path>.

       --dynamic-output-lib <file>
                Load the dynamic output library <file>.

       --dynamic-output-lib-dir <path>
                Load all dynamic output libraries from directory <path>.

       --create-pidfile
                Create the PID file even when not in daemon mode.

       --nolock-pidfile
                Do not try to lock the Snort PID file.

       --no-interface-pidfile
                Do not include the interface name in the Snort PID file name.

       --disable-attribute-reload-thread
                Do not create a thread to reload the attribute table.

       --pcap-single <tf>
                Same as -r.

       --pcap-file <file>
                <file> contains a list of pcaps to read; read mode is implied.

       --pcap-list "<list>"
                A space-separated list of pcaps to read; read mode is implied.

       --pcap-dir <dir>
                A directory to search recursively for pcaps; every pcap found under it is read;
                read mode is implied.

       --pcap-filter <filter>
                Shell-style filter (e.g. "*.pcap") applied when collecting pcaps from a file or directory.

       --pcap-no-filter
                Reset to using no filter when collecting pcaps from a file or directory.

       --pcap-loop <count>
                Read the pcaps given on the command line <count> times in a row; 0 reads until Snort is terminated.

       --pcap-reset
                When reading multiple pcaps, reset Snort to its post-configuration state before reading the next pcap.

       --pcap-reload
                When reading multiple pcaps, reload the Snort configuration between pcaps.

       --pcap-show
                Print a line saying which pcap is currently being read.

       --exit-check <count>
                Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
                takes from signalling until DAQ_Stop() is called.

       --conf-error-out
                Same as -x.

       --enable-mpls-multicast
                Allow multicast MPLS.

       --enable-mpls-overlapping-ip
                Handle overlapping IPs within MPLS clouds.

       --max-mpls-labelchain-len
                Specify the maximum MPLS label chain length.

       --mpls-payload-type
                Specify the protocol (ipv4, ipv6, ethernet) encapsulated by MPLS.

       --require-rule-sid
                Require that all Snort rules have a SID specified.

       --daq <type>
                Select the packet acquisition (DAQ) module; the default is pcap, which is passive only.
                Inline operation (-Q) needs an inline-capable module such as afpacket, nfq, ipq or ipfw.

       --daq-mode <mode>
                Select the DAQ operating mode (passive, inline or read-file).

       --daq-var <name=value>
                Specify an extra DAQ configuration variable.

       --daq-dir <dir>
                Tell Snort where to find the DAQ modules.

       --daq-list[=<dir>]
                List the packet acquisition modules available in <dir>; by default only static modules are listed.

       --dirty-pig
                Don't flush packets and release memory on shutdown.

       --cs-dir <dir>
                Directory to use for the control socket.

       --ha-peer
                Activate live high-availability state sharing with a peer.

       --ha-out <file>
                Write high-availability events to <file>.

       --ha-in <file>
                Read high-availability events from <file> on startup (warm start).

       --suppress-config-log
                Suppress configuration information output.
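The options in both lists are mostly used together in a handful of stock invocations: a daemonised, privilege-dropping IDS run, and a passive replay of captured pcaps through the same configuration. The following is an added example, written for this page and not code from the Snort project or from the original author, that assembles those command lines and gates the daemon start on a passing `snort -T`. Assumed (not taken from the page): the configuration lives at /etc/snort/snort.conf, logs go under /var/log/snort, the service account is "snort", and the snort binary path is a parameter so the gate can be exercised without Snort installed.

```python
"""Assemble and gate Snort 2.9 command lines (added example, not Snort project code).

Assumptions: /etc/snort/snort.conf, /var/log/snort and a "snort" service account;
`snort` is a parameter so the -T gate can be tested with /bin/true or /bin/false.
"""
import subprocess
from typing import List, Optional


def ids_daemon_cmd(iface: str, conf: str = "/etc/snort/snort.conf",
                   logdir: str = "/var/log/snort", user: str = "snort",
                   group: str = "snort", chroot: Optional[str] = None,
                   snaplen: int = 1514, snort: str = "snort") -> List[str]:
    """Daemonised IDS run that drops root after the interface is opened."""
    if chroot is not None:
        # Logs are written after the chroot, so the log directory must sit inside the jail.
        if not logdir.startswith(chroot.rstrip("/") + "/"):
            raise ValueError(f"log directory {logdir} is not inside chroot {chroot}")
    cmd = [snort,
           "-c", conf,                 # rules/configuration file
           "-i", iface,                # interface to sniff
           "-l", logdir,               # log directory, writable by `user`
           "-A", "fast",               # one-line alerts to the alert file
           "-K", "pcap",               # packet logs in pcap format
           "-y", "-U",                 # year in timestamps, UTC
           "-P", str(snaplen),         # explicit snaplen; raise for tagged/jumbo frames
           "-u", user, "-g", group,    # drop privileges after initialization
           "-m", "027",                # log files not world-readable
           "-x",                       # exit on configuration problems
           "-D"]                       # daemonise
    if chroot is not None:
        cmd += ["-t", chroot]
    return cmd


def replay_cmd(pcap_dir: str, conf: str = "/etc/snort/snort.conf",
               logdir: str = "/var/log/snort", snort: str = "snort") -> List[str]:
    """Passive replay of every *.pcap under a directory; --pcap-dir implies read mode."""
    return [snort, "-c", conf, "-l", logdir, "-q",
            "-A", "console",                # alerts to stdout
            "-K", "none",                   # no packet logging
            "--pcap-dir", pcap_dir,         # recurse for pcaps
            "--pcap-filter", "*.pcap",      # only files matching the glob
            "--pcap-show",                  # say which pcap is being read
            "--pcap-reset",                 # fresh state for each file
            "--treat-drop-as-alert"]        # drop rules just alert off-line


def config_ok(conf: str, snort: str = "snort") -> bool:
    """Gate: True only if `snort -T` accepts the configuration."""
    result = subprocess.run([snort, "-q", "-T", "-c", conf],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return result.returncode == 0


def start_ids(iface: str, conf: str = "/etc/snort/snort.conf", snort: str = "snort", **opts) -> List[str]:
    """Refuse to daemonise on a configuration that -T rejects; return the command used."""
    if not config_ok(conf, snort):
        raise RuntimeError(f"snort -T rejected {conf}; sensor not started")
    cmd = ids_daemon_cmd(iface, conf=conf, snort=snort, **opts)
    subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    print(" ".join(ids_daemon_cmd("eth0", chroot="/var/snort", logdir="/var/snort/log")))
    print(" ".join(replay_cmd("/srv/pcaps")))
```

The -T gate is the part worth keeping even if the rest is replaced by an init script: a sensor that daemonises on a broken configuration looks alive in process listings while inspecting nothing, and -x only helps once Snort is actually parsing the file.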