
= Snort 3 Reference Manual
The Snort Team
include::version.txt[]
:revdate: {localdate} {localtime}
:toc:
:toc-placement: manual
:toc-title: Contents

toc::[]

== Help

The detail in this reference manual was generated from the various help commands
available in Snort.  `snort --help` will output:

----
include::help.txt[]
----

== Basic Modules

Internal modules which are not plugins are termed "basic".  These include
configuration for core processing.

include::basic.txt[]

== Codec Modules

Codec is short for coder / decoder.  These modules are used for basic
protocol decoding, anomaly detection, and construction of active responses.

include::codec.txt[]

== Connector Modules

Connectors support High Availability communication links.

include::connector.txt[]

== Inspector Modules

These modules perform a variety of functions, including analysis of
protocols beyond basic decoding.

include::inspector.txt[]

== IPS Action Modules

IPS actions allow you to perform custom actions when events are generated.
Unlike loggers, these are invoked before thresholding and can be used to
control external agents.

Externally defined actions must be configured to become available to the
parser.  For the reject rule, you can set reject = { } to get the rule to
parse.

include::ips_action.txt[]

== IPS Option Modules

IPS options are the building blocks of IPS rules.

include::ips_option.txt[]

== Search Engine Modules

Search engines perform multipattern searching of packets and payload to find
rules that should be evaluated.  There are currently no specific modules,
although there are several search engine plugins.  Related configuration
is done with the basic detection module.

== SO Rule Modules

SO rules are dynamic rules that require custom coding to perform detection
not possible with the existing rule options.  These rules typically do not
have associated modules.

== Logger Modules

All output of events and packets is done by Loggers.

include::logger.txt[]

== Appendix

include::appendix.txt[]

