Reading Traffic

Snort is at its best when it has network traffic to inspect, and Snort can perform network inspection in a few different ways. This includes (but is not limited to) reading traffic directly from a packet capture, running passively on a network interface to sniff traffic, and testing Snort's inline injection capabilities locally. Before we can dive into that, we first need to go over how to provide Snort with traffic to inspect.

Specifying LibDAQ directory

First things first, it's important to make sure the Snort 3 install knows where to find the appropriate LibDAQ that we installed earlier. LibDAQ is the "Data Acquisition Library", and at a high level, it's an abstraction layer used by "modules" to communicate with both hardware and software network data sources. For example, one DAQ module installed by default is the pcap module, which is built around the libpcap library to listen on network interfaces or read from .pcap files.

If users have both Snort 2 and Snort 3 installed on a single system, then they also have two LibDAQ versions installed, one for Snort 2 and another for Snort 3. Therefore, when using Snort 3 on the command line, users must explicitly set the --daq-dir option to tell Snort where to find the appropriate modules.

For example, if the Snort 3 LibDAQ is installed in /usr/local/lib/daq_s3/, then users will want to set --daq-dir to /usr/local/lib/daq_s3/lib/daq:

$ snort --daq-dir /usr/local/lib/daq_s3/lib/daq

Users can run snort --daq-list to see which DAQ modules are available for use.
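Because a system with both Snort versions installed has two module directories, a wrapper script should fail fast when the directory passed to --daq-dir is missing or empty rather than let Snort pick up modules from the wrong install. The following pre-flight check is an added example, not part of the Snort project or this page; it assumes LibDAQ 3 modules are shared objects named daq_<module>.so in the given directory, and the path /usr/local/lib/daq_s3/lib/daq is the one used in the text above.

```shell
#!/bin/sh
# Pre-flight check for the Snort 3 --daq-dir (added example, not Snort project code).
# Assumption: LibDAQ 3 modules are shared objects named daq_<module>.so.

# Print the module names found in a DAQ directory, one per line.
# Returns 1 if the directory is missing or contains no modules.
daq_modules() {
    dir="$1"
    [ -d "$dir" ] || { echo "daq dir not found: $dir" >&2; return 1; }
    found=0
    for f in "$dir"/daq_*.so; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        name=${f##*/daq_}                # strip path and the daq_ prefix
        echo "${name%.so}"               # strip the .so suffix
        found=1
    done
    [ "$found" -eq 1 ] || { echo "no DAQ modules in $dir" >&2; return 1; }
}

# Return 0 if a specific module (e.g. pcap, afpacket) is present in the directory.
daq_has_module() {
    daq_modules "$1" | grep -qx "$2"
}

# Usage with the path from the text; only run Snort if the directory checks out:
#   DAQ_DIR=/usr/local/lib/daq_s3/lib/daq
#   daq_has_module "$DAQ_DIR" pcap && snort --daq-dir "$DAQ_DIR" -r get.pcap
```

The check complements snort --daq-list: the listing tells you what Snort found, while this script tells you, before Snort starts, whether the directory you intend to pass is the Snort 3 one.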

Reading Packet Captures

The simplest way to see Snort in action is to run it against a packet capture file. Simply pass in a pcap file name to the -r option on the command line, and Snort will process it accordingly:

$ snort -r get.pcap

If successful, Snort will print out basic information about the pcap file that was just read, including details such as the number of packets and the protocols detected.

Users can also run Snort against an entire directory of pcaps with the --pcap-dir option. If that directory contains files other than pcaps, then the --pcap-filter option can be used to tell Snort which of those files to process. For instance:

$ snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap'

Running Snort on Network Interfaces

Snort can also listen on active network interfaces; this is done with the -i option followed by the name of the interface to run on. The following command, for example, runs Snort on the eth0 network interface:

$ snort -i eth0

Modes of operation

With certain DAQ modules, Snort is able to utilize two different modes of operation: passive and inline. Passive mode gives Snort the ability to observe and detect traffic on a network interface, but it prevents outright blocking of traffic. Inline mode, on the other hand, does give Snort the ability to block traffic when a particular packet warrants it.

Snort will infer the particular mode of operation based on the options used at the command line. For example, reading from a pcap file with the -r option or listening on an interface with -i will cause Snort to run in passive mode by default. If the DAQ supports inline, however, then users can specify the -Q flag to run Snort inline.

One DAQ module that supports inline mode is afpacket, which is a module that gives Snort access to packets received on Linux network devices.

Using the afpacket module inline requires specifying a pair of network interfaces with the -i command line option, where a pair is two interface names separated by a colon character.

$ snort -Q --daq afpacket -i "eth0:eth1"
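A malformed -i argument (a single name, an empty side, or the same interface twice) means Snort will not be bridging the two segments you expect, so it is worth validating the pair before starting an inline sensor. The script below is an added example, not code from the Snort project or this page; it assumes Linux exposes interfaces under /sys/class/net/<name> (the SYSNET variable makes that path overridable) and uses the --daq-dir path and the afpacket invocation from the text above.

```shell
#!/bin/sh
# Validate an inline afpacket interface pair before launching Snort 3
# (added example, not Snort project code).
# Assumption: interfaces appear as directories under /sys/class/net.
SYSNET=${SYSNET:-/sys/class/net}

# Split "eth0:eth1" into two names on stdout.
# Returns 1 unless there are exactly two non-empty, distinct names.
split_pair() {
    pair="$1"
    case "$pair" in
        *:*:*|:*|*:) return 1 ;;   # more than two fields, or an empty side
        *:*) ;;                    # exactly one colon: proceed
        *) return 1 ;;             # no colon at all
    esac
    first=${pair%%:*}
    second=${pair#*:}
    [ "$first" != "$second" ] || return 1
    echo "$first $second"
}

# Check that both interfaces of the pair exist on this host.
inline_ready() {
    names=$(split_pair "$1") || { echo "bad interface pair: $1" >&2; return 1; }
    for n in $names; do
        [ -d "$SYSNET/$n" ] || { echo "no such interface: $n" >&2; return 1; }
    done
}

# Print the inline command line from the text once the pair checks out.
# $1 = --daq-dir path, $2 = interface pair
snort_inline_cmd() {
    inline_ready "$2" || return 1
    echo "snort --daq-dir $1 -Q --daq afpacket -i $2"
}

# Usage: run the command only if validation passed.
#   cmd=$(snort_inline_cmd /usr/local/lib/daq_s3/lib/daq eth0:eth1) && $cmd
```

Keeping the validation separate from the launch means a typo in the pair is reported before Snort starts, instead of surfacing as a DAQ initialisation error or, worse, a sensor that runs but sees only one side of the link.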