- Default configuration is in
- A configuration file includes
- Rules files are in
- Start with
snort -c /etc/snort/my-snort.conf (add -T to only parse and validate the configuration and rules, then exit; useful before deploying a rule change)
- A rule must be defined on one logical line (Snort 1.8 and later accept a trailing backslash as a line continuation, so a long rule may be wrapped).
- A rule is split into two parts: the header (action, protocol, source address, source port, direction operator, destination address, destination port) and the options, which are enclosed in parentheses and separated by semicolons.
# creates an alert for every ICMP packet, whatever its source or destination address
# (ICMP has no ports, so both port fields are just "any"); the alert carries the message "ICMP Packet"
# sid 4000001 is in the range (1,000,000 and above) reserved for local rules
alert icmp any any -> any any (msg: "ICMP Packet"; sid: 4000001; rev: 1;)
- Alerts in
- Logs in
/var/log/snort/snort.log.<timestamp>, where <timestamp> is the Unix epoch time at which the file was opened. The file is in pcap format, so it can be read with tcpdump -r or opened in Wireshark.
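As an added example (not from the original notes, and not Snort's own code), here is a small Python parser that applies the header/options split described above to the ICMP rule on this page. It also handles the two details that trip people up when writing rules by hand: backslash line continuation, and semicolons that appear inside a quoted option value (a `msg:"a; b"` must not be split). The checks it performs (seven header fields, a numeric `sid`, the local-rule sid range, ports on an ICMP rule) mirror what Snort itself rejects or warns about; the function and class names are this example's own.

```python
"""Split a Snort 2 rule into its header fields and its options.

Added example, not part of the original notes. Rule syntax as described
in the Snort manual: action proto src sport dir dst dport (opt:val; ...)
"""
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}
LOCAL_SID_MIN = 1_000_000  # sids at or above this are reserved for local rules


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)   # (keyword, value) pairs, in rule order
    warnings: list = field(default_factory=list)  # non-fatal problems found while parsing

    def option(self, key):
        """Return the value of the first option named key, or None if absent."""
        for k, v in self.options:
            if k == key:
                return v
        return None


def join_continuations(text):
    """Join physical lines ending in a backslash into one logical rule line."""
    return re.sub(r"\\\r?\n\s*", " ", text)


def split_options(body):
    """Split 'msg:"a; b"; sid:1;' on the semicolons that lie outside double quotes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # char after a backslash inside quotes is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:  # end of one option
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote in rule options")
    tail = "".join(cur).strip()
    if tail:
        raise ValueError("option not terminated by ';': %r" % tail)

    pairs = []
    for opt in opts:
        if not opt:
            continue
        if ":" in opt:
            key, val = (s.strip() for s in opt.split(":", 1))
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]          # drop surrounding quotes, keep inner content
            pairs.append((key, val))
        else:
            pairs.append((opt, None))    # flag-style option such as "nocase"
    return pairs


def parse_rule(text):
    """Parse one rule; raise ValueError on errors Snort would refuse to load."""
    line = join_continuations(text).strip()
    m = re.fullmatch(r"(.*?)\s*\((.*)\)", line, re.S)
    if not m:
        raise ValueError("rule must end with a parenthesised options block")
    header, body = m.group(1), m.group(2)
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("header needs 7 fields, got %d: %r" % (len(fields), header))
    rule = Rule(*fields, options=split_options(body))

    if rule.action not in ACTIONS:
        raise ValueError("unknown action %r" % rule.action)
    if rule.direction not in DIRECTIONS:
        raise ValueError("direction must be -> or <>, got %r" % rule.direction)
    sid = rule.option("sid")
    if sid is None or not sid.isdigit():
        raise ValueError("every rule needs a numeric sid option")
    if int(sid) < LOCAL_SID_MIN:
        rule.warnings.append("sid %s collides with the range used by distributed rules" % sid)
    if rule.proto == "icmp" and (rule.sport, rule.dport) != ("any", "any"):
        rule.warnings.append("ICMP has no ports; the port fields are ignored")
    if rule.option("rev") is None:
        rule.warnings.append("no rev option; revisions of this rule cannot be tracked")
    return rule


if __name__ == "__main__":
    # The ICMP rule from the notes above.
    r = parse_rule('alert icmp any any -> any any (msg: "ICMP Packet"; sid: 4000001; rev: 1;)')
    print(r.action, r.proto, r.src, r.sport, r.direction, r.dst, r.dport)
    print(r.options, r.warnings)
```

Run the file directly to see the ICMP rule broken into its seven header fields and three options; feed it a rule with a missing `sid` or an unbalanced quote to see the kind of error Snort would report at load time (`snort -T` gives the authoritative answer, this parser only catches the structural mistakes).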