Snort Read Network Trace Data Command Line Filter Expression

Provided by: snort_2.9.7.0-5build1_amd64


NAME

       Snort - open source network intrusion detection system

SYNOPSIS

       snort [-bCdDeEfHIMNOpqQsTUvVwWxXy?] [-A alert-mode] [-B address-conversion-mask]
       [-c rules-file] [-F bpf-file] [-g group-name] [-K id] [-h home-net] [-i interface]
       [-k checksum-mode] [-K logging-mode] [-l log-dir] [-L bin-log-file] [-m umask]
       [-n packet-count] [-P snap-length] [-r tcpdump-file] [-R name] [-S variable=value]
       [-t chroot_directory] [-u user-name] [-Z pathname] [--logid id]
       [--perfmon-file pathname] [--pid-path pathname] [--snaplen snap-length] [--help]
       [--version] [--dynamic-engine-lib file] [--dynamic-engine-lib-dir directory]
       [--dynamic-detection-lib file] [--dynamic-detection-lib-dir directory]
       [--dump-dynamic-rules directory] [--dynamic-preprocessor-lib file]
       [--dynamic-preprocessor-lib-dir directory] [--dynamic-output-lib file]
       [--dynamic-output-lib-dir directory] [--alert-before-pass] [--treat-drop-as-alert]
       [--treat-drop-as-ignore] [--process-all-events] [--enable-inline-test]
       [--create-pidfile] [--nolock-pidfile] [--no-interface-pidfile]
       [--disable-attribute-reload-thread] [--pcap-single=tcpdump-file]
       [--pcap-filter=filter] [--pcap-list=list] [--pcap-dir=directory] [--pcap-file=file]
       [--pcap-no-filter] [--pcap-reset] [--pcap-reload] [--pcap-show] [--exit-check count]
       [--conf-error-out] [--enable-mpls-multicast] [--enable-mpls-overlapping-ip]
       [--max-mpls-labelchain-len] [--mpls-payload-type] [--require-rule-sid] [--daq type]
       [--daq-mode mode] [--daq-var name=value] [--daq-dir dir] [--daq-list [dir]]
       [--dirty-pig] [--cs-dir dir] [--ha-peer] [--ha-out file] [--ha-in file] expression

DESCRIPTION

       Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.  It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.  Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture.  Snort also has a modular real-time alerting capability, incorporating alerting and logging plugins for syslog, ASCII text files, UNIX sockets or XML.

       Snort has three main uses.  It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.

       Snort logs packets in tcpdump(1) binary format or in Snort's decoded ASCII format to a hierarchy of logging directories that are named based on the IP address of the "foreign" host.

OPTIONS

       -A alert-mode
              Alert using the specified alert-mode.  Valid alert modes include fast, full, none, and unsock.  Fast writes alerts to the default "alert" file in a single-line, syslog style alert message.  Full writes the alert to the "alert" file with the full decoded header as well as the alert message.  None turns off alerting.  Unsock is an experimental mode that sends the alert information out over a UNIX socket to another process that attaches to that socket.

       -b     Log packets in a tcpdump(1) formatted file.  All packets are logged in their native binary state to a tcpdump formatted log file named with the snort start timestamp and "snort.log".  This option results in much faster operation of the program since it doesn't have to spend time in the packet binary->text converters.  Snort can keep up pretty well with 100Mbps networks in '-b' mode.  To choose an alternate name for the binary log file, use the '-L' switch.

       -B address-conversion-mask
              Convert all IP addresses in home-net to addresses specified by address-conversion-mask.  Used to obfuscate IP addresses within binary logs.  Specify home-net with the '-h' switch.  Note this is not the same as $HOME_NET.

       -c config-file
              Use the rules located in file config-file.

       -C     Print the character data from the packet payload only (no hex).

       -d     Dump the application layer data when displaying packets in verbose or packet logging mode.

       -D     Run Snort in daemon mode.  Alerts are sent to /var/log/snort/alert unless otherwise specified.

       -e     Display/log the link layer packet headers.

       -E     *WIN32 ONLY* Log alerts to the Windows Event Log.

       -f     Activate PCAP line buffering.

       -F bpf-file
              Read BPF filters from bpf-file.  This is handy for people running Snort as a SHADOW replacement or with a love of super complex BPF filters.  See the "expressions" section of this man page for more info on writing BPF filters.

       -g group
              Change the group/GID Snort runs under to group after initialization.  This switch allows Snort to drop root privileges after its initialization phase has completed, as a security measure.

       -G id  Use id as a base event ID when logging events.

       -h home-net
              Set the "home network" to home-net.  The format of this address variable is a network prefix plus a CIDR block, such as 192.168.1.0/24.  Once this variable is set, all decoded packet logging will be done relative to the home network address space.  This is useful because of the way that Snort formats its ASCII log data.  With this value set to the local network, all decoded output will be logged into decode directories with the address of the foreign computer as the directory name, which is very useful during traffic analysis.  This option does not change "$HOME_NET" in IDS mode.

       -H     Force hash tables to be deterministic instead of using a random number generator for the seed & scale.  Useful for testing and generating repeatable results with the same traffic.

       -i interface
              Sniff packets on interface.

       -I     Print out the receiving interface name in alerts.

       -k checksum-mode
              Tune the internal checksum verification functionality with checksum-mode.  Valid checksum modes include all, noip, notcp, noudp, noicmp, and none.  All activates checksum verification for all supported protocols.  Noip turns off IP checksum verification, which is handy if the gateway router is already dropping packets that fail their IP checksum checks.  Notcp turns off TCP checksum verification; all other checksum modes are on.  Noudp turns off UDP checksum verification.  Noicmp turns off ICMP checksum verification.  None turns off the entire checksum verification subsystem.

       -K logging-mode
              Select the packet logging mode logging-mode.  The default is pcap.  Valid logging modes include pcap, ascii, and none.  Pcap logs packets through the pcap library into pcap (tcpdump) format.  Ascii logs packets in the old "directories and files" format with packet printouts in each file.  None turns off packet logging.

       -l log-dir
              Set the output logging directory to log-dir.  All plain text alerts and packet logs go into this directory.  If this option is not specified, the default logging directory is set to /var/log/snort.

       -L binary-log-file
              Set the filename of the binary log file to binary-log-file.  If this switch is not used, the default name is a timestamp for the time that the file is created plus "snort.log".

       -m umask
              Set the file mode creation mask to umask.

       -M     Log console messages to syslog when not running in daemon mode.  This switch has no impact on logging of alerts.

       -n packet-count
              Process packet-count packets and exit.

       -N     Turn off packet logging.  The program still generates alerts normally.

       -O     Obfuscate the IP addresses when in ASCII packet dump mode.  This switch changes the IP addresses that get printed to the screen/log file to "xxx.xxx.xxx.xxx".  If the homenet address switch is set (-h), only addresses on the homenet will be obfuscated while non-homenet IPs will be left visible.  Perfect for posting to your favorite security mailing list!

       -p     Turn off promiscuous mode sniffing.

       -P snap-length
              Set the packet snaplen to snap-length.  By default, this is set to 1514.

       -q     Quiet operation.  Don't display banner and initialization information.

       -Q     Enable inline mode operation.

       -r tcpdump-file
              Read the tcpdump-formatted file tcpdump-file.  This will cause Snort to read and process the file fed to it.  This is useful if, for instance, you've got a bunch of SHADOW files that you want to process for content, or even if you've got a bunch of reassembled packet fragments which have been written into a tcpdump formatted file.

       -R name
              Use name as a suffix to the snort pidfile.

       -s     Send alert messages to syslog.  On linux boxen, they will appear in /var/log/secure, /var/log/messages on many other platforms.

       -S variable=value
              Set variable name "variable" to value "value".  This is useful for setting the value of a defined variable name in a Snort rules file to a command line specified value.  For instance, if you define a HOME_NET variable name inside of a Snort rules file, you can set this value from its predefined value at the command line.

       -t chroot
              Changes Snort's root directory to chroot after initialization.  Please note that all log/alert filenames are relative to the chroot directory if chroot is used.

       -T     Snort will start up in self-test mode, checking all the supplied command line switches and rules files that are handed to it and indicating that everything is ready to proceed.  This is a good switch to use if daemon mode is going to be used; it verifies that the Snort configuration that is about to be used is valid and won't fail at run time.  Note, Snort looks for either /etc/snort.conf or ./snort.conf.  If your config lives elsewhere, use the -c option to specify a valid config-file.

       -u user
              Change the user/UID Snort runs under to user after initialization.

       -U     Changes the timestamp in all logs to be in UTC.

       -v     Be verbose.  Prints packets out to the console.  There is one big problem with verbose mode: it's slow.  If you are doing IDS work with Snort, don't use the '-v' switch, you WILL drop packets.

       -V     Show the version number and exit.

       -w     Show management frames if running on an 802.11 (wireless) network.

       -W     *WIN32 ONLY* Enumerate the network interfaces available.

       -x     Exit if Snort configuration problems occur such as duplicate gid/sid or flowbits without Stream5.

       -X     Dump the raw packet data starting at the link layer.  This switch overrides the '-d' switch.

       -y     Include the year in alert and log files.

       -Z pathname
              Set the perfmonitor preprocessor path/filename to pathname.

       -?     Show the program usage statement and exit.

       --logid id
              Same as -G.

       --perfmon-file pathname
              Same as -Z.

       --pid-path directory
              Specify the directory for the Snort PID file.

       --snaplen snap-length
              Same as -P.

       --help Same as -?

       --version
              Same as -V

       --dynamic-engine-lib file
              Load a dynamic detection engine shared library specified by file.

       --dynamic-engine-lib-dir directory
              Load all dynamic detection engine shared libraries specified from directory.

       --dynamic-detection-lib file
              Load a dynamic detection rules shared library specified by file.

       --dynamic-detection-lib-dir directory
              Load all dynamic detection rules shared libraries specified from directory.

       --dump-dynamic-rules directory
              Create stub rule files from all loaded dynamic detection rules libraries.  Files will be created in directory.  This is required to be done prior to running snort using those detection rules, and the generated rules files must be included in snort.conf.

       --dynamic-preprocessor-lib file
              Load a dynamic preprocessor shared library specified by file.

       --dynamic-preprocessor-lib-dir directory
              Load all dynamic preprocessor shared libraries specified from directory.

       --alert-before-pass
              Process alert, drop, sdrop, or reject before pass.  Default is pass before alert, drop, etc.

       --treat-drop-as-alert
              Converts drop, sdrop, and reject rules into alert rules during startup.

       --treat-drop-as-ignore
              Use drop, sdrop, and reject rules to ignore session traffic when not inline.

       --process-all-events
              Process all triggered events in group order, per Rule Ordering configuration.  Default stops after first group.

       --enable-inline-test
              Enable Inline-Test Mode Operation.

       --pid-path directory
              Specify the path for Snort's PID file.

       --create-pidfile
              Create PID file, even when not in Daemon mode.

       --nolock-pidfile
              Do not try to lock Snort PID file.

       --no-interface-pidfile
              Do not include the interface name in Snort PID file.

       --pcap-single=tcpdump-file
              Same as -r.  Added for completeness.

       --pcap-filter=filter
              Shell style filter to apply when getting pcaps from file or directory.  This filter will apply to any --pcap-file or --pcap-dir arguments following.  Use --pcap-no-filter to delete the filter for following --pcap-file or --pcap-dir arguments, or specify --pcap-filter again to forget the previous filter and apply the new one to following --pcap-file or --pcap-dir arguments.

       --pcap-list="list"
              A space separated list of pcaps to read.

       --pcap-dir=directory
              A directory to recurse to look for pcaps.  Sorted in ascii order.

       --pcap-file=file
              File that contains a list of pcaps to read.  Can specify path to pcap or directory to recurse to get pcaps.

       --pcap-no-filter
              Reset to use no filter when getting pcaps from file or directory.

       --pcap-reset
              If reading multiple pcaps, reset snort to post-configuration state before reading the next pcap.  The default, i.e. without this option, is not to reset state.

       --pcap-show
              Print a line saying what pcap is currently being read.

       --exit-check=count
              Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called.

       --conf-error-out
              Same as -x.

       --require-rule-sid
              Require an SID for every rule so that all rules can be correctly thresholded.

       --daq <type>
              Select packet acquisition module (default is pcap).

       --daq-mode <mode>
              Select the DAQ operating mode.

       --daq-var <name=value>
              Specify extra DAQ configuration variable.

       --daq-dir <dir>
              Tell Snort where to find the desired DAQ.

       --daq-list [<dir>]
              List packet acquisition modules available in dir.

       --cs-dir <dir>
              Tell Snort to use the control socket and create the socket in dir.

       expression
              selects which packets will be dumped.  If no expression is given, all packets on the net will be dumped.  Otherwise, only packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives.
              Primitives usually consist of an id (name or number) preceded by one or more qualifiers.  There are three different kinds of qualifier:

              type   qualifiers say what kind of thing the id name or number refers to.  Possible types are host, net and port.  E.g., `host foo', `net 128.3', `port 20'.  If there is no type qualifier, host is assumed.

              dir    qualifiers specify a particular transfer direction to and/or from id.  Possible directions are src, dst, src or dst and src and dst.  E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.  If there is no dir qualifier, src or dst is assumed.  For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.

              proto  qualifiers restrict the match to a particular protocol.  Possible protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.  E.g., `ether src foo', `arp net 128.3', `tcp port 21'.  If there is no proto qualifier, all protocols consistent with the type are assumed.  E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

              [`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.''  FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields.  FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.]

              In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions.  All of these are described below.

              More complex filter expressions are built up by using the words and, or and not to combine primitives.  E.g., `host foo and not port ftp and not port ftp-data'.  To save typing, identical qualifier lists can be omitted.  E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

              Allowable primitives are:

              dst host host
                     True if the IP destination field of the packet is host, which may be either an address or a name.

              src host host
                     True if the IP source field of the packet is host.

              host host
                     True if either the IP source or destination of the packet is host.  Any of the above host expressions can be prepended with the keywords ip, arp, or rarp as in:  ip host host  which is equivalent to:  ether proto \ip and host host.  If host is a name with multiple IP addresses, each address will be checked for a match.

              ether dst ehost
                     True if the ethernet destination address is ehost.  Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination address is ehost.

              gateway host
                     True if the packet used host as a gateway.  I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host.  Host must be a name and must be found in both /etc/hosts and /etc/ethers.  (An equivalent expression is  ether host ehost and not host host  which can be used with either names or numbers for host / ehost.)

              dst net net
                     True if the IP destination address of the packet has a network number of net.  Net may be either a name from /etc/networks or a network number (see networks(4) for details).

              src net net
                     True if the IP source address of the packet has a network number of net.

              net net
                     True if either the IP source or destination address of the packet has a network number of net.

              net net mask mask
                     True if the IP address matches net with the specific netmask.  May be qualified with src or dst.

              net net/len
                     True if the IP address matches net with a netmask len bits wide.  May be qualified with src or dst.

              dst port port
                     True if the packet is ip/tcp or ip/udp and has a destination port value of port.  The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)).  If a name is used, both the port number and protocol are checked.  If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

              src port port
                     True if the packet has a source port value of port.

              port port
                     True if either the source or destination port of the packet is port.  Any of the above port expressions can be prepended with the keywords tcp or udp, as in:  tcp src port port  which matches only tcp packets whose source port is port.

              less length
                     True if the packet has a length less than or equal to length.  This is equivalent to:  len <= length.

              greater length
                     True if the packet has a length greater than or equal to length.  This is equivalent to:  len >= length.

              ip proto protocol
                     True if the packet is an ip packet (see ip(4P)) of protocol type protocol.  Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp.  Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.

              ether broadcast
                     True if the packet is an ethernet broadcast packet.  The ether keyword is optional.

              ip broadcast
                     True if the packet is an IP broadcast packet.  It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

              ether multicast
                     True if the packet is an ethernet multicast packet.  The ether keyword is optional.  This is shorthand for `ether[0] & 1 != 0'.

              ip multicast
                     True if the packet is an IP multicast packet.

              ether proto protocol
                     True if the packet is of ether type protocol.  Protocol can be a number or a name like ip, arp, or rarp.  Note these identifiers are also keywords and must be escaped via backslash (\).  [In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header.  Tcpdump assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.]

              decnet src host
                     True if the DECNET source address is host, which may be an address of the form ``10.123'', or a DECNET host name.  [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]

              decnet dst host
                     True if the DECNET destination address is host.

              decnet host host
                     True if either the DECNET source or destination address is host.

              ip, arp, rarp, decnet
                     Abbreviations for:  ether proto p  where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:  ether proto p  where p is one of the above protocols.  Note that Snort does not currently know how to parse these protocols.

              tcp, udp, icmp
                     Abbreviations for:  ip proto p  where p is one of the above protocols.

              expr relop expr
                     True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors.  To access data inside the packet, use the following syntax:

                            proto [ expr : size ]

                     Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation.  The byte offset, relative to the indicated protocol layer, is given by expr.  Size is optional and indicates the number of bytes in the field of interest; it can be either 1, 2, or 4, and defaults to 1.  The length operator, indicated by the keyword len, gives the length of the packet.

                     For example, `ether[0] & 1 != 0' catches all multicast traffic.  The expression `ip[0] & 0xf != 5' catches all IP packets with options.  The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and frag zero of fragmented datagrams.  This check is implicitly applied to the tcp and udp index operations.
For instance,          tcp[0]          always means the first                      byte of the TCP          header, and never means the first  byte  of  an  intervening                      fragment.                Primitives may be combined using:                       A  parenthesized  group of primitives and operators (parentheses are special                      to the Shell and must be escaped).                       Negation (`!' or `not').                       Chain (`&&' or `and').                       Alternation (`||' or `or').                Negation  has  highest  precedence.   Alternation  and  concatenation  accept   equal               precedence  and  associate  left  to  correct.   Note  that  explicit          and          tokens, not               juxtaposition, are now required for chain.                If an identifier is given without a keyword, the most recent  keyword  is  assumed.               For instance,          non          host          vs          and          ace          is curt for          non          host          vs          and          host          ace          which should not exist confused with          not          (          host          vs          or          ace          )          Expression  arguments  can  be  passed  to  Snort equally either a single argument or every bit               multiple arguments, whichever is more user-friendly.   Mostly,  if  the  expression               contains  Shell  metacharacters,  it  is  easier  to  pass  it  as a single, quoted               statement.  Multiple arguments are concatenated with spaces before beingness parsed.        
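       The packet data accessors described above are easiest to understand by evaluating them against real bytes.  The following is an added example, not code from the Snort man page or from the Snort or libpcap projects: it re-implements the ether[...] and ip[...] accessors in plain Python over a constructed Ethernet/IPv4 frame and evaluates the three expressions quoted above (`ether[0] & 1 != 0', `ip[0] & 0xf != 5', `ip[6:2] & 0x1fff = 0').  It also models the implicit fragment check on tcp[...] by returning None for a non-first fragment.  The frame builder, the MAC addresses and the TCP port bytes are all constructed here for illustration.

```python
"""Evaluate BPF-style packet data accessors (ether[off:size], ip[off:size],
tcp[off:size]) against a constructed Ethernet + IPv4 frame.

Added example: a plain-Python model of the accessor semantics described in the
snort(8) filter section, not Snort's or libpcap's own filter compiler."""
import struct

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)


def ether(pkt: bytes, off: int, size: int = 1) -> int:
    """ether[off:size]: big-endian integer read relative to the Ethernet header."""
    return int.from_bytes(pkt[off:off + size], "big")


def ip(pkt: bytes, off: int, size: int = 1) -> int:
    """ip[off:size]: read relative to the start of the IPv4 header (after Ethernet)."""
    base = ETH_HDR_LEN
    return int.from_bytes(pkt[base + off:base + off + size], "big")


def is_multicast(pkt: bytes) -> bool:
    """`ether[0] & 1 != 0': the low bit of the first destination MAC byte
    marks group (multicast/broadcast) addresses.  Parenthesised here because
    Python's `&` binds tighter than `!=`, as the filter grammar intends."""
    return (ether(pkt, 0) & 1) != 0


def has_ip_options(pkt: bytes) -> bool:
    """`ip[0] & 0xf != 5': IHL (header length in 32-bit words) exceeds the
    20-byte minimum only when options are present."""
    return (ip(pkt, 0) & 0xF) != 5


def is_first_or_only_fragment(pkt: bytes) -> bool:
    """`ip[6:2] & 0x1fff = 0': fragment offset field is zero, i.e. this is an
    unfragmented datagram or fragment zero of a fragmented one."""
    return (ip(pkt, 6, 2) & 0x1FFF) == 0


def tcp(pkt: bytes, off: int, size: int = 1):
    """tcp[off:size]: the fragment check is applied implicitly, as the text
    says, so on a non-first fragment the accessor cannot match (None here).
    The TCP header starts after the IPv4 header, whose length comes from IHL."""
    if not is_first_or_only_fragment(pkt):
        return None
    base = ETH_HDR_LEN + (ip(pkt, 0) & 0xF) * 4
    return int.from_bytes(pkt[base + off:base + off + size], "big")


def build_frame(dst_mac: bytes, ihl_words: int = 5, frag_off: int = 0,
                more_frags: bool = False, payload: bytes = b"") -> bytes:
    """Constructed Ethernet + IPv4 frame for testing; only the fields the
    filters above look at are meaningful (checksum and addresses are zero)."""
    eth = dst_mac + bytes(6) + b"\x08\x00"  # dst, src (zeros), EtherType IPv4
    ver_ihl = (4 << 4) | ihl_words
    flags_frag = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)  # MF flag | offset
    options = bytes((ihl_words - 5) * 4)   # zero padding standing in for option bytes
    total_len = ihl_words * 4 + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234,
                       flags_frag, 64, 6, 0, bytes(4), bytes(4))
    return eth + ipv4 + options + payload


# Constructed sample values.
UNICAST_MAC = bytes.fromhex("001122334455")
MCAST_MAC = bytes.fromhex("01005e000001")   # IPv4 multicast MAC prefix 01:00:5e
TCP_PORTS = bytes.fromhex("04d20050")       # src port 1234, dst port 80

if __name__ == "__main__":
    frame = build_frame(UNICAST_MAC, ihl_words=6, payload=TCP_PORTS)
    print("multicast:", is_multicast(frame))
    print("has options:", has_ip_options(frame))
    print("first fragment:", is_first_or_only_fragment(frame))
    print("tcp[2:2] (dst port):", tcp(frame, 2, 2))
```

       Run it on a frame with frag_off set to a non-zero value to see tcp[2:2] return None even though the bytes at that offset exist: that is the behaviour the filter grammar enforces for you, so a port filter never matches a stray fragment.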

READING PCAPS

       Instead of having Snort listen on an interface, you can give it a packet capture to read.  Snort will read and analyze the packets as if they came off the wire.  This can be useful for testing and debugging Snort.

       Read a single pcap
              $ snort -r foo.pcap
              $ snort --pcap-single=foo.pcap

       Read pcaps from a file
              $ cat foo.txt
              foo1.pcap
              foo2.pcap
              /home/foo/pcaps

              $ snort --pcap-file=foo.txt

              This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps.  Note that Snort will not attempt to determine whether the files under that directory are really pcap files or not.

       Read pcaps from a command line list
              $ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"

              This will read foo1.pcap, foo2.pcap and foo3.pcap.

       Read pcaps under a directory
              $ snort --pcap-dir="/home/foo/pcaps"

              This will include all of the files under /home/foo/pcaps.

       Using filters
              $ cat foo.txt
              foo1.pcap
              foo2.pcap
              /home/foo/pcaps

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
              $ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps

              The above will only include files that match the shell pattern "*.pcap", in other words, any file ending in ".pcap".

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
              > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps

              In the above, the first filter "*.pcap" will only be applied to the pcaps in the file "foo.txt" (and any directories that are recursed in that file).  The addition of the second filter "*.cap" will cause the first filter to be forgotten and then applied to the directory /home/foo/pcaps, so only files ending in ".cap" will be included from that directory.

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
              > --pcap-no-filter --pcap-dir=/home/foo/pcaps

              In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included.

              $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
              > --pcap-no-filter --pcap-dir=/home/foo/pcaps \
              > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2

              In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included, then the filter "*.cap" will be applied to files found under /home/foo/pcaps2.

       Resetting state
              $ snort --pcap-dir=/home/foo/pcaps --pcap-reset

              The above example will read all of the files under /home/foo/pcaps, but after each pcap is read, Snort will be reset to a post-configuration state, meaning all buffers will be flushed, statistics reset, etc.  For each pcap, it will be like Snort is seeing traffic for the first time.

       Printing the pcap
              $ snort --pcap-dir=/home/foo/pcaps --pcap-show

              The above example will read all of the files under /home/foo/pcaps and will print a line indicating which pcap is currently being read.
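       The order-dependent interaction of --pcap-filter, --pcap-no-filter, --pcap-file and --pcap-dir in the "Using filters" examples above is the part of this section people get wrong when scripting replays of capture archives.  The following is an added example, not Snort's own option parser: a small Python simulation that walks an argument list left to right and reports which files would be read, applying the rules stated above (a later --pcap-filter replaces the earlier one, --pcap-no-filter clears it, and a filter only affects the --pcap-file and --pcap-dir options that follow it).  The directory tree and the contents of foo.txt are constructed in-memory stand-ins, and the arguments are given as the shell would hand them to snort, already unquoted.  One detail the man page leaves open is assumed here: files named explicitly in foo.txt are read as given, and the pattern only screens files discovered under a listed directory.

```python
"""Simulate which capture files snort would read for a given sequence of
--pcap-filter / --pcap-no-filter / --pcap-file / --pcap-dir / --pcap-list /
--pcap-single / -r options, following the rules in the READING PCAPS section.

Added example, not Snort's own option parsing."""
from fnmatch import fnmatch

# Constructed stand-in for the filesystem: directory -> files directly under it.
TREE = {
    "/home/foo/pcaps": ["a.pcap", "b.cap", "notes.txt"],
    "/home/foo/pcaps2": ["c.pcap", "d.cap"],
}

# Constructed stand-in for foo.txt: one entry per line, files or directories.
LIST_FILES = {
    "foo.txt": ["foo1.pcap", "foo2.pcap", "/home/foo/pcaps"],
}


def expand_dir(path: str, pattern) -> list:
    """All files under a directory that match the current shell pattern.
    As the man page notes, snort does not check that they are really pcaps;
    with no filter, notes.txt is handed to the reader like everything else."""
    names = sorted(TREE.get(path, []))
    return [f"{path}/{n}" for n in names if pattern is None or fnmatch(n, pattern)]


def expand_entry(entry: str, pattern) -> list:
    """One line of a --pcap-file list.  Assumption (not stated by the man
    page): explicitly named files are read as given; only directory contents
    are screened by the pattern."""
    if entry in TREE:
        return expand_dir(entry, pattern)
    return [entry]


def select_pcaps(argv: list) -> list:
    """Walk the options left to right and return the files in read order."""
    pattern = None      # current --pcap-filter, None meaning no filter
    selected = []
    args = iter(argv)
    for arg in args:
        if arg.startswith("--pcap-filter="):
            pattern = arg.split("=", 1)[1]        # replaces any earlier filter
        elif arg == "--pcap-no-filter":
            pattern = None                        # later dirs are unfiltered
        elif arg.startswith("--pcap-file="):
            for entry in LIST_FILES[arg.split("=", 1)[1]]:
                selected.extend(expand_entry(entry, pattern))
        elif arg.startswith("--pcap-dir="):
            selected.extend(expand_dir(arg.split("=", 1)[1], pattern))
        elif arg.startswith("--pcap-list="):
            selected.extend(arg.split("=", 1)[1].split())
        elif arg.startswith("--pcap-single="):
            selected.append(arg.split("=", 1)[1])
        elif arg == "-r":
            selected.append(next(args))
    return selected


if __name__ == "__main__":
    for argv in (
        ["--pcap-filter=*.pcap", "--pcap-file=foo.txt",
         "--pcap-filter=*.cap", "--pcap-dir=/home/foo/pcaps"],
        ["--pcap-filter=*.pcap", "--pcap-file=foo.txt",
         "--pcap-no-filter", "--pcap-dir=/home/foo/pcaps"],
    ):
        print(" ".join(argv))
        for path in select_pcaps(argv):
            print("   ", path)
```

       The second scenario shows why --pcap-no-filter deserves care on a directory of mixed files: notes.txt is included, and whether snort copes with a non-pcap input is outside what this man page promises, so keep directories passed to --pcap-dir clean or keep a filter in force.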

RULES

       Snort uses a simple but flexible rules language to describe network packet signatures and associate them with actions.  The current rules document can be found at http://www.snort.org/snort-rules.

NOTES

       The following signals have the specified effect when sent to the daemon process using the kill(1) command:

       SIGHUP Causes the daemon to close all opened files and restart.  Please note that this will only work if the full pathname is used to invoke snort in daemon mode, otherwise snort will just exit with an error message being sent to syslogd(8).

       SIGUSR1
              Causes the program to dump its current packet statistical information to the console or syslogd(8) if in daemon mode.

       SIGUSR2
              Causes the program to rotate Perfmonitor statistical information to the console or syslogd(8) if in daemon mode.

       SIGURG Causes the program to reload attribute table.

       SIGCHLD
              Used internally.

       Please refer to manual for more details.  Any other signal might cause the daemon to close all opened files and exit.

HISTORY

       Snort has been freely available under the GPL license since 1998.

DIAGNOSTICS

       Snort returns a 0 on a successful exit, 1 if it exits on an error.

BUGS

       After consulting the BUGS file included with the source distribution, send bug reports to snort-devel@lists.sourceforge.net

AUTHOR

          Martin Roesch <roesch@snort.org>        

SEE ALSO

       tcpdump(1), pcap(3)

                                          December 2011                                  SNORT(8)


Source: http://manpages.ubuntu.com/manpages/bionic/man8/snort.8.html
