Snort Trace Modules

Snort 3 also contains "trace" modules that log the engine's internal decisions at a very low level: rule evaluation tracing, buffer dumping, wizard (service identification) tracing, and much more.

Snort tracing options are configured in Lua. They can be placed in a tweak file that is included by the Snort configuration in use, or they can be passed directly on the command line with the --lua option.

We can see all the different trace module options and configurations available via the --help-module trace command line option:

$ snort --help-module trace

trace

Help: configure trace log messages

Type: basic

Usage: global

Configuration:

int trace.modules.all: enable trace for all modules { 0:255 }
int trace.modules.appid.all: enable all trace options { 0:255 }
int trace.modules.dce_smb.all: enable all trace options { 0:255 }
int trace.modules.dce_udp.all: enable all trace options { 0:255 }
int trace.modules.decode.all: enable all trace options { 0:255 }
int trace.modules.detection.all: enable all trace options { 0:255 }
int trace.modules.detection.detect_engine: enable detection engine trace logging { 0:255 }
int trace.modules.detection.rule_eval: enable rule evaluation trace logging { 0:255 }
int trace.modules.detection.buffer: enable buffer trace logging { 0:255 }
int trace.modules.detection.rule_vars: enable rule variables trace logging { 0:255 }
…

There are many modules to choose from. These include trace.modules.detection.buffer, which dumps the buffers a rule is evaluated against, and trace.modules.wizard, which shows the wizard's application/service detection decisions.

Note: Some trace modules are only compiled in when Snort 3 is built with the --enable-debug-msgs configure option; a build without it exposes only a subset of the modules listed above.

A trace option is enabled by building a trace.modules Lua table whose nested tables name the module(s) and option(s) to turn on. For example, the table that enables trace.modules.wizard, trace.modules.detection.buffer, and trace.modules.detection.fp_search looks like this:

trace.modules = {
    detection = {
        fp_search = 1,
        buffer = 1,
    },
    wizard = {
        all = 1,
    },
}

Setting a value to an integer greater than zero enables the option, and setting it to zero disables it. The value is a verbosity level (0:255); a message is emitted when its own level, the number after the option name in the output prefix, is at or below the configured value.

Once the Lua table has been constructed, include it either in a tweak file or on the command line with the --lua option.

Below is a list of common trace options that might be useful when working with Snort rules:

Option      Result                                     Lua
fp_search   Show fast_pattern buffer name on entry     trace.modules = {detection = {fp_search = 1}}
buffer      Print packet buffer                        trace.modules = {detection = {buffer = 1}}
rule_vars   Show rule variables like byte_extract      trace.modules = {detection = {rule_vars = 1}}
rule_eval   Show rule evaluation tracing               trace.modules = {detection = {rule_eval = 1}}
wizard      Show application detection information     trace.modules = {wizard = {all = 1}}
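Hand-writing the nested Lua table gets tedious once several modules and options are in play. The following POSIX shell helper is an added example, not code from the Snort project or this guide: trace_lua turns dotted module.option=level arguments into the trace.modules table, grouping options under their module and clamping levels to the 0:255 range reported by --help-module trace. The run_traced wrapper assumes snort is on PATH and that get.pcap and local.rules exist in the current directory, as in the examples on this page.

```shell
#!/bin/sh
# Added example, not code from the Snort project: build the trace.modules
# Lua table from "module.option=level" arguments.
#
#   trace_lua detection.buffer=1 detection.fp_search=1 wizard.all=2
#   -> trace.modules = {detection = {buffer = 1, fp_search = 1}, wizard = {all = 2}}
#
# Levels are clamped to 0:255, the range reported by `snort --help-module trace`.

trace_lua() {
    [ "$#" -gt 0 ] || { echo 'usage: trace_lua module.option=level ...' >&2; return 1; }
    for arg in "$@"; do
        case $arg in
            [a-z_]*.[a-z_]*=[0-9]*) ;;
            *) echo "trace_lua: expected module.option=level, got '$arg'" >&2; return 1 ;;
        esac
    done

    # Split each argument into "module option level", clamp the level, then
    # sort so options of the same module are adjacent and output is deterministic.
    printf '%s\n' "$@" |
    awk -F'[.=]' '{ lvl = $3 + 0; if (lvl > 255) lvl = 255; print $1, $2, lvl }' |
    LC_ALL=C sort |
    awk '
        BEGIN { out = "trace.modules = {" }
        $1 != mod {                       # new module: close the previous table
            if (mod != "") out = out "}, "
            mod = $1
            out = out mod " = {"
            first = 1
        }
        {
            if (!first) out = out ", "
            out = out $2 " = " $3
            first = 0
        }
        END { print out "}}" }
    '
}

# Run Snort with the generated table. Assumes snort is on PATH and that
# get.pcap and local.rules exist in the current directory (not executed here).
run_traced() {
    lua=$(trace_lua "$@") || return 1
    snort -q -r get.pcap -R local.rules -A alert_talos --lua "$lua"
}
```

Because the table is sorted before it is assembled, the argument order does not matter, and a malformed argument is rejected before anything is passed to Snort.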

More Examples

Here are a few examples of specifying tracing on the command line.

This first example incorporates the wizard trace module to display the application detection information:

$ snort -c $my_path/lua/snort.lua -q -r get.pcap -R local.rules -A alert_talos \
        --lua 'trace.modules = {wizard = {all = 1}}'
P0:wizard:all:1: c2s streaming search found service http

##### get.pcap #####
        [1:0:0] GET request (alerts: 1)
#####

This next example enables multiple trace modules, wizard, detection.fp_search, and detection.buffer, to dump the application detection information, the packet buffer(s), and the rule's fast_pattern details. The whole Lua table is passed as one single-quoted argument; a backslash inside the quotes would reach Lua literally and break the table, so the argument is kept on one line:

$ snort -q -r get.pcap -R local.rules -A alert_talos \
        --lua 'trace.modules = {wizard = {all = 2}, detection = {fp_search = 1, buffer = 1}}'
P0:wizard:all:1: c2s streaming search found service http
P0:detection:fp_search:1: 5 fp http_inspect.key[6]

http_inspect.stream_tcp[6]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 68 65 6C 6C 6F                                 /hello
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
P0:detection:buffer:1: Buffer dump - empty buffer

http_inspect.stream_tcp[6]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 68 65 6C 6C 6F                                 /hello
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
P0:detection:buffer:1: Buffer dump - empty buffer

##### get.pcap #####
        [1:0:0] GET request (alerts: 1)
#####
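On a real pcap the trace output above runs to thousands of lines, interleaved with buffer hexdumps and the alert summary. The following shell helpers are an added example, not code from the Snort project or this guide: they rely on the fact that every trace message carries the prefix P<thread>:<module>:<option>:<level>: (P0 being packet thread 0), while hexdumps and the alert summary do not, so matching on that prefix separates trace messages and lets you count or extract them per module:option. The sample input is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example, not code from the Snort project: filter and summarise trace
# output. Each trace message is prefixed
#   P<thread>:<module>:<option>:<level>: <message>
# (P0 = packet thread 0). Buffer hexdumps and the alert summary carry no such
# prefix, so matching on it separates trace messages from everything else.

# Constructed sample, modelled on the output shown above.
SAMPLE_TRACE='P0:wizard:all:1: c2s streaming search found service http
P0:detection:fp_search:1: 5 fp http_inspect.key[6]

http_inspect.stream_tcp[6]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 68 65 6C 6C 6F                                 /hello
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
P0:detection:buffer:1: Buffer dump - empty buffer
P0:detection:buffer:1: Buffer dump - empty buffer

##### get.pcap #####
        [1:0:0] GET request (alerts: 1)
#####'

# Keep only prefixed trace messages from stdin.
trace_lines() {
    grep -E '^P[0-9]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:[0-9]+: '
}

# trace_count MODULE OPTION: number of messages for that module:option.
trace_count() {
    trace_lines | awk -F: -v m="$1" -v o="$2" '$2 == m && $3 == o { n++ } END { print n + 0 }'
}

# trace_msgs MODULE OPTION: the message text for that module:option, prefix stripped.
trace_msgs() {
    trace_lines | awk -F: -v m="$1" -v o="$2" '
        $2 == m && $3 == o { sub(/^[^:]*:[^:]*:[^:]*:[^:]*: /, ""); print }'
}

# trace_summary: "count module:option" for every pair seen, busiest first.
trace_summary() {
    trace_lines | awk -F: '{ c[$2 ":" $3]++ } END { for (k in c) print c[k], k }' | LC_ALL=C sort -rn
}

# Typical use on a real run (assumes snort, get.pcap and local.rules as on this page):
#   snort -q -r get.pcap -R local.rules -A alert_talos \
#       --lua 'trace.modules = {detection = {buffer = 1, rule_eval = 1}}' | trace_summary
```

Piping a full run through trace_summary first shows which module:option pairs dominate the output; trace_msgs then pulls out just the messages of interest, for example the service the wizard settled on, without the hexdumps in between.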