Logging Only Alerts

Problem

You want to log just the alerts to a file.

Solution

Use the fast alert mode with the -A fast command-line option:

[testuser@localhost snort]# snort -de -c /etc/snort.conf -A fast

You can also use the Barnyard alert_fast plug-in in the /etc/barnyard.conf file:

# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of
# Snort's "fast alert" mode. Argument:

output alert_fast /var/log/snort/fast_output

Discussion

By default, Snort logs in a decoded ASCII format and uses full alerts. A full alert includes the alert message and the full packet header. Snort also includes other alert output options and logging methods, such as fast, full, console, or none.

To produce less output, you can use the fast alert mode with the -A fast command-line option:

[testuser@localhost snort]# snort -de -c /etc/snort.conf -A fast

The -d command-line option logs application-layer information and -e logs data link-layer information. The output then looks like the following:

11/05-22:08:59.705515 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.206.129 -> 192.168.100.5

If you are using unified logging and the Barnyard output utility, you can also log alerts by using the alert_fast output plug-in. Barnyard takes the log processing load off of the Snort engine. Barnyard processing is controlled by input processors and output plug-ins. Chapter 5 contains more information. The following example is from the /etc/barnyard.conf file:

# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of
# Snort's "fast alert" mode. Argument:

output alert_fast /var/log/snort/fast_output

The Snort output passes to the Barnyard utility via the unified logging plug-in. By default, Barnyard processes the output and logs the alerts to the /var/log/snort/fast_output file. The output looks like the following:

[testuser@localhost snort]# more fast_output
11/06/04-00:32:05.706661 {ICMP} 192.168.206.129 -> 192.168.100.5
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS162]
---------------------------------------------------------------------
11/06/04-00:32:10.896823 {ICMP} 192.168.206.129 -> 192.168.100.5
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS162]
---------------------------------------------------------------------
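As an added example (not code from the Snort Cookbook or from the Snort or Barnyard projects), the following Python parser reads both fast-alert layouts shown in this recipe, the one-line output of -A fast and Barnyard's multi-line alert_fast records, into dicts and counts alerts per signature and priority, which is the usual first step before feeding these files into a SIEM or a report. The sample alerts are constructed from this recipe's output; the TCP record and its local SID 1000001 are made up.

```python
import re
from collections import Counter
# Record start: Snort -A fast writes MM/DD-HH:MM:SS.usec, Barnyard alert_fast MM/DD/YY-HH:MM:SS.usec.
TS_RE = re.compile(r"^(\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2}\.\d+)")
SIG_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"\{(\w+)\} (\S+) -> (\S+)")

def parse_record(rec):
    # Fields of one alert as a dict, or None when rec is not a fast alert we understand.
    ts, sig, flow = TS_RE.match(rec), SIG_RE.search(rec), FLOW_RE.search(rec)
    if not (ts and sig and flow):
        return None
    cls, prio = CLASS_RE.search(rec), PRIO_RE.search(rec)
    return {"timestamp": ts.group(1), "gid": int(sig.group(1)), "sid": int(sig.group(2)),
            "rev": int(sig.group(3)), "msg": sig.group(4), "proto": flow.group(1),
            "src": flow.group(2), "dst": flow.group(3), "classification": cls.group(1) if cls else "",
            "priority": int(prio.group(1)) if prio else 0}  # priority 1 is the most severe

def parse_fast_alerts(text):
    """Parse either format: a record begins at a timestamp line, Barnyard's
    continuation lines are appended to it, and its '---' separator lines are dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue
        if TS_RE.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return [a for a in (parse_record(" ".join(r)) for r in records) if a]

def count_by_signature(alerts, max_priority=None):
    """Alert count per (sid, msg); with max_priority, only alerts that severe or worse."""
    return Counter((a["sid"], a["msg"]) for a in alerts
                   if max_priority is None or a["priority"] <= max_priority)

# Constructed samples in the two formats this recipe shows (the TCP record is made up).
SNORT_FAST = "11/05-22:08:59.705515 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.206.129 -> 192.168.100.5\n"
BARNYARD_FAST = """11/06/04-00:32:05.706661 {ICMP} 192.168.206.129 -> 192.168.100.5
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
---------------------------------------------------------------------
11/06/04-00:32:12.000001 {TCP} 10.0.0.7:4321 -> 192.168.100.5:22
[**] [1:1000001:1] LOCAL SSH probe [**]
[Classification: Attempted Information Leak] [Priority: 1]
---------------------------------------------------------------------
"""
```

Point parse_fast_alerts at the contents of /var/log/snort/fast_output (or of the file written by -A fast) and the same code handles either layout, since Barnyard's [Xref => ...] lines are simply carried along in the joined record and ignored.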

See Also

Recipe 5.9

Recipe 2.1



Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167