Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
doug edited this page Aug 27, 2019 · 16 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Snort.

Description

Snort is a Network Intrusion Detection System (NIDS). It sniffs network traffic and generates IDS alerts.

Performance

In Security Onion, we compile Snort with PF_RING to allow you to spin up multiple instances to handle more traffic.

Configuration

You can configure Snort via snort.conf:
/etc/nsm/HOSTNAME-INTERFACE/snort.conf
(where HOSTNAME is your actual hostname and INTERFACE is your actual sniffing interface)

If you would like to configure/manage IDS rules, please see:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Rules

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts

Logging

If you need to troubleshoot Snort, check the Snort log file:
/var/log/nsm/HOSTNAME-INTERFACE/snortu-X.log
(where HOSTNAME is your actual hostname, INTERFACE is your actual sniffing interface, and X represents the number of PF_RING instances)

More Information

For more information about Snort, please see:
http://snort.org

Clone this wiki locally