Snort-NG User Manual
The usage of Snort-NG is very similar to that of standard Snort. Configuration files and signature rules that work with Snort should remain usable after the Snort-NG patch has been applied; only the internal detection mechanisms have been changed.
The only differences are:
- By default, Snort-NG reports all rules that match when a packet is analyzed. If this behavior is not desirable, the -j switch reverts to a Snort-compatible mode in which detection stops after the first matching rule has been found.
- For testing purposes, we introduced a -J switch that causes Snort to output the internal identifiers of matching rules. As it slows execution down, it is advised not to use that option in production.
- When writing signatures, Snort-NG makes it possible to specify the operators <, >, <=, >=, = and != for all features of type integer. A simple rule that uses this option is:
alert icmp ![192.168.0.1/32, 192.168.0.2/32] any <> any any (msg: "test"; itype: >5; icode: !=2;)
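As an added illustration, not code from the Snort-NG patch itself, the following Python matcher evaluates the integer comparison syntax above against ICMP header fields and reproduces the report-all default versus the -j first-match mode. The rule set (the manual's rule plus two constructed ones), the packets and the INT_OPTIONS subset are assumptions made for this example.

```python
import re

# Operators Snort-NG accepts for integer options; a bare number means equality as in stock Snort.
_OPS = {
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_CONSTRAINT = re.compile(r"^\s*(<=|>=|!=|<|>|=)?\s*(\d+)\s*$")
INT_OPTIONS = {"itype", "icode"}  # constructed subset: the integer options the manual's rule uses

def parse_constraint(text):
    """Turn '>5', '!=2' or '8' into a predicate over an integer field value."""
    m = _CONSTRAINT.match(text)
    if not m:
        raise ValueError("bad integer constraint: %r" % text)
    op, value = m.group(1) or "=", int(m.group(2))
    return lambda x: _OPS[op](x, value)

def parse_rule(line):
    """Return (msg, {option: predicate}) for the integer options in a rule's (...) body."""
    body = re.search(r"\((.*)\)\s*$", line).group(1)
    msg, checks = None, {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        name, _, val = opt.partition(":")
        name, val = name.strip(), val.strip()
        if name == "msg":
            msg = val.strip('"')
        elif name in INT_OPTIONS:
            checks[name] = parse_constraint(val)
    return msg, checks

def match_rules(rules, packet, stop_at_first=False):
    """msg of each rule whose checks all hold; stop_at_first=True mimics the -j mode."""
    hits = []
    for msg, checks in rules:
        if all(pred(packet[name]) for name, pred in checks.items()):
            hits.append(msg)
            if stop_at_first:  # Snort-compatible: first match wins
                break
    return hits

# Constructed rule set: the manual's example rule plus two more that overlap with it.
RULES = [parse_rule(r) for r in (
    'alert icmp ![192.168.0.1/32, 192.168.0.2/32] any <> any any (msg: "test"; itype: >5; icode: !=2;)',
    'alert icmp any any <> any any (msg: "icmp echo"; itype: 8; icode: 0;)',
    'alert icmp any any <> any any (msg: "not echo"; itype: !=8;)',
)]
```

Calling match_rules(RULES, {"itype": 11, "icode": 0}) returns both "test" and "not echo", while the same call with stop_at_first=True returns only "test".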
Snort-NG Maintainer