Command Line Basics

Running Snort on the command line is easy, but the number of arguments available might be overwhelming at first. So let's start with the basics.

All Snort commands start with snort, and running this command by itself will show basic usage instructions:

$ snort
usage:
    snort -?: list options
    snort -V: output version
    snort --help: help summary
    snort [-options] -c conf [-T]: validate conf
    snort [-options] -c conf -i iface: process live
    snort [-options] -c conf -r pcap: process readback

Fortunately, Snort 3 provides a very robust set of help commands that detail just about every aspect of the engine.

To see the main help "directory", run the following command:

$ snort --help

Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [<module prefix>] output matching commands
--help-config [<module prefix>] output matching config options
--help-counts [<module prefix>] output matching peg counts
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
…

As we can see from the output, Snort contains separate help pages for the different parts of the Snort engine, and these subpages can be used to get granular help information about a particular component. Shown below are a few of these help subpages.

Listing all available Snort modules:

$ snort --list-modules

Getting help on a specific Snort module:

$ snort --help-module http_inspect

Getting help on a specific rule option module:

$ snort --help-module http_uri

Listing command line options available:

$ snort -?

Getting help on the "-A" command line option:

$ snort --help-options A

Getting help with a specific configuration setting:

$ snort --help-config | grep http

Outputting help on "rule" options in an AsciiDoc format:

$ snort --markup --help-options rule
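
As an added example (not part of the Snort documentation), the shell function below turns --help-config output into an option/type/default table. It matches the module prefix against the option name only, whereas "grep http" also matches lines that merely mention http in their help text. The line layout "<type> <module>.<option> [= <default>]: <help>" is an assumption about the output format, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not Snort project code.
# Assumed line layout of `snort --help-config` output:
#   <type> <module>.<option> [= <default>]: <help text> [{ <range> }]

# Constructed sample lines (the last one only mentions http in its help text).
sample_help_config() {
    cat <<'EOF'
int http_inspect.request_depth = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }
bool http_inspect.unzip = true: decompress gzip and deflate message bodies
string ips.include: snort rules and includes
bool demo.note = false: constructed line whose help text mentions http
EOF
}

# Reads help-config lines on stdin and prints: option<TAB>type<TAB>default.
# Optional $1 is a module prefix compared with the start of the option name.
# Options that have no default are reported with "-".
parse_help_config() {
    awk -v prefix="${1:-}" '
    NF < 2 { next }                      # skip blank or malformed lines
    {
        type = $1; name = $2; def = "-"
        sub(/:$/, "", name)              # no default: name is followed by ":"
        if (prefix != "" && index(name, prefix) != 1) next
        if ($3 == "=") {
            rest = $0
            sub(/^[^=]*= /, "", rest)    # drop everything up to the default
            i = index(rest, ": ")        # default ends at the first ": "
            def = (i > 0) ? substr(rest, 1, i - 1) : rest
        }
        printf "%s\t%s\t%s\n", name, type, def
    }'
}

# Offline demo on the constructed sample. With Snort 3 installed, use:
#   snort --help-config http_inspect | parse_help_config http_inspect
sample_help_config | parse_help_config http_inspect
```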