Packages and Binaries:

snort

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

This package provides the plain-vanilla version of Snort.

Installed size: 9.23 MB
How to install: sudo apt install snort

Dependencies:
  • adduser
  • debconf | debconf-2.0
  • libc6
  • libdaq3
  • libdumbnet1
  • libgcc-s1
  • libhwloc15
  • libluajit-5.1-2 | libluajit-5.1-2
  • liblzma5
  • libnuma1
  • libpcap0.8t64
  • libpcre3
  • libssl3t64
  • libstdc++6
  • logrotate
  • net-tools
  • rsyslog | system-log-daemon
  • snort-common
  • snort-common-libraries
  • snort-rules-default
  • zlib1g
appid_detector_builder.sh
root@kali:~# appid_detector_builder.sh -h
Snort Application Id - Detector Creation Tool

Enter below, the AppId string to be associated with the Detector.
(e.g. "CNN.com", "Yahoo!", "Avira Download/Update", etc.)
AppId strings MUST NOT INCLUDE tab, backslash, apostrophe, or double-quote.


snort
root@kali:~# snort -h

Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [<module prefix>] output matching commands
--help-config [<module prefix>] output matching config options
--help-counts [<module prefix>] output matching peg counts
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
--help-modules-json dump description of all available modules in JSON format
--help-plugins list all available plugins with brief help
--help-options [<option prefix>] output matching command line options
--help-signals dump available control signals
--list-buffers output available inspection buffers
--list-builtin [<module prefix>] output matching builtin rules
--list-gids [<module prefix>] output matching generators
--list-modules [<module type>] list all known modules
--list-plugins list all known modules
--show-plugins list module and plugin versions

--help* and --list* options preempt other processing so should be last on the
command line since any following options are ignored.  To ensure options like
--markup and --plugin-path take effect, place them ahead of the help or list
options.

Options that filter output based on a matching prefix, such as --help-config
won't output anything if there is no match.  If no prefix is given, everything
matches.

Report bugs to [email protected].


snort2lua
root@kali:~# snort2lua -h
Usage: snort2lua [OPTIONS]... -c <snort_conf> ...

Converts the Snort configuration file specified by the -c or --conf-file
options into a Snort++ configuration file



Options:

-?                  show usage
-h                  this overview of snort2lua
-a                  default option.  print all data
-c <snort_conf>     The Snort <snort_conf> file to convert
-d                  print the differences, and only the differences, between the
                    Snort and Snort++ configurations to the <out_file>
-e <error_file>     output all errors to <error_file>
-i                  if <snort_conf> file contains any <include_file> or
                    <policy_file> (i.e. 'include path/to/conf/other_conf'), do
                    NOT parse those files
-m                  add a remark to the end of every converted rule
-o <out_file>       output the new Snort++ lua configuration to <out_file>
-q                  quiet mode. Only output valid configuration information to
                    the <out_file>
-r <rule_file>      output any converted rule to <rule_file>
-s                  when parsing <include_file>, write <include_file>'s rules to
                    <rule_file>. Meaningless if '-i' provided
-t                  when parsing <include_file>, write <include_file>'s
                    information, excluding rules, to <out_file>. Meaningless if
                    '-i' provided
-V                  Print the current Snort2Lua version
--bind-wizard       Add default wizard to bindings
--bind-port         Convert port bindings
--conf-file         Same as '-c'. A Snort <snort_conf> file which will be
                    converted
--dont-parse-includes  
                    Same as '-p'. if <snort_conf> file contains any
                    <include_file> or <policy_file> (i.e. 'include
                    path/to/conf/other_conf'), do NOT parse those files
--dont-convert-max-sessions  
                    do not convert max_tcp, max_udp, max_icmp, max_ip to
                    max_session
--error-file=<error_file>  
                    Same as '-e'. output all errors to <error_file>
--help              Same as '-h'. this overview of snort2lua
--ips-policy-pattern  Convert config bindings matching this path to ips policy
                    bindings
--markup            print help in asciidoc compatible format
--output-file=<out_file>  
                    Same as '-o'. output the new Snort++ lua configuration to
                    <out_file>
--print-all         Same as '-a'. default option.  print all data
--print-differences  Same as '-d'. output the differences, and only the
                    differences, between the Snort and Snort++ configurations to
                    the <out_file>
--quiet             Same as '-q'. quiet mode. Only output valid configuration
                    information to the <out_file>
--remark            same as '-m'.  add a remark to the end of every converted
                    rule
--rule-file=<rule_file>  
                    Same as '-r'. output any converted rule to <rule_file>
--single-conf-file  Same as '-t'. when parsing <include_file>, write
                    <include_file>'s information, excluding rules, to
                    <out_file>
--single-rule-file  Same as '-s'. when parsing <include_file>, write
                    <include_file>'s rules to <rule_file>.
--version           Same as '-V'. Print the current Snort2Lua version



Required option:

	A Snort configuration file to convert. Set with either '-c' or '--conf-file'


Default values:
	<out_file>   =  snort.lua
	<rule_file>  =  <out_file> = snort.lua.  Rules are written to the 'local_rules' variable in the <out_file>
	<error_file> =  snort.rej.  This file will not be created in quiet mode.


u2boat

Unified2 Binary Output & Alert Tool

root@kali:~# man u2boat
U2BOAT(1)                   General Commands Manual                   U2BOAT(1)

NAME
       u2boat - Unified2 Binary Output & Alert Tool

SYNOPSIS
       u2boat [-t type] <infile> <outfile>

DESCRIPTION
       This manual page documents briefly the u2boat command.  This manual page
       was  written  for  the  Debian distribution because the original program
       does not have a manual page.

       u2boat is a utility that converts Snort's Unified2 logs  to  other  for-
       mats.  It was introduced in Snort due to the lack of support for formats
       that were present in the Snort 2.8.x releases.  Unified2 logs  to  other
       formats.

OPTIONS
       -t type
              Type specifies the type of output that the program should create.
              The only current valid option is 'pcap'

SEE ALSO
       snort (8)

AUTHOR
       This program was written by Ryan Jordan.

       This  manual  page  was  written  by  Javier Fernandez-Sanguino <jfs@de-
       bian.org>, for the Debian GNU/Linux system (but may be used by others).

                               12th December 2014                     U2BOAT(1)

u2spewfoo

Tool for dumping the contents of unified2 files to stdout

root@kali:~# man u2spewfoo
U2SPEWFOO(1)                General Commands Manual                U2SPEWFOO(1)

NAME
       u2spewfoo -  tool for dumping the contents of unified2 files to stdout

SYNOPSIS
       u2boat <infile>

DESCRIPTION
       This  manual  page documents briefly the u2spewfoo command.  This manual
       page was written for the Debian distribution because the  original  pro-
       gram does not have a manual page.

       u2spewfoo is a lightweight tool for dumping the contents of Snort's Uni-
       fied2 log files to stdout. In order to use it Snort first has to be con-
       figured to use this format in its configuration file.

       The  tool  will take the log file and dump the information on the events
       in Standard output. This information includes the event and relevant in-
       formation about it (such as IP addresses and ports, the time  the  event
       was  detected,  etc.) as well as the packet that triggered the event (if
       Snort has been configured to store  a  packet  capture  associated  with
       events).

EXAMPLES
       To  use  it  run  it  against  a unified2 log file by running: u2spewfoo
       snort.log

       The following is a sample output of this tool:

       (Event)
           sensor id: 0    event id: 4 event second: 1299698138    event microsecond: 146591
           sig id: 1   gen id: 1   revision: 0  classification: 0
           priority: 0 ip source: 10.1.2.3 ip destination: 10.9.8.7
           src port: 60710 dest port: 80   protocol: 6 impact_flag: 0  blocked: 0

       Packet
           sensor id: 0    event id: 4 event second: 1299698138
           packet second: 1299698138   packet microsecond: 146591
           linktype: 1 packet_length: 54
       [    0] 02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00  ..............E.
       [   16] 00 28 00 06 00 00 40 06 5C B7 0A 01 02 03 0A 09  .(....@........
       [   32] 08 07 ED 26 00 50 00 00 00 62 00 00 00 2D 50 10  ...&.P...b...-P.
       [   48] 01 00 A2 BB 00 00                                ......

       (ExtraDataHdr)
           event type: 4   event length: 33

       (ExtraData)
           sensor id: 0    event id: 2 event second: 1299698138
           type: 9 datatype: 1 bloblength: 9   HTTP URI: /

       (ExtraDataHdr)
           event type: 4   event length: 78

       (ExtraData)
           sensor id: 0    event id: 2 event second: 1299698138
           type: 10    datatype: 1 bloblength: 12  HTTP Hostname: example.com

SEE ALSO
       snort (8)

AUTHOR
       This program was written by Adam Keeton.

       This manual page  was  written  by  Javier  Fernandez-Sanguino  <jfs@de-
       bian.org>, for the Debian GNU/Linux system (but may be used by others).

                               12th December 2014                  U2SPEWFOO(1)

snort-common

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

This is a common package which holds cron jobs, tools, and config files used by all the different package flavors.

Installed size: 233 KB
How to install: sudo apt install snort-common

Dependencies:
  • adduser
  • debconf | debconf-2.0
  • dpkg
  • perl

snort-common-libraries

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

This package provides libraries used by all the Snort binary packages.

Installed size: 1.27 MB
How to install: sudo apt install snort-common-libraries

Dependencies:
  • libc6

snort-doc

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

This package provides the documentation for Snort.

Installed size: 1.50 MB
How to install: sudo apt install snort-doc


snort-rules-default

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

This is the Snort default ruleset, which provides a basic set of network intrusion detection rules developed by the Snort community. They can be used as a basis for development of additional rules. Users using Snort to defend networks in production environments are encouraged to update their local rulesets as described in the included documentation or using the oinkmaster package.

Installed size: 1.64 MB
How to install: sudo apt install snort-rules-default

Dependencies:
  • adduser
  • debconf | debconf-2.0

Updated on: 2024-May-23