Fast Logging

Problem

You have so much data that you need to log only basic information from each event.

Solution

Use the Snort alert_fast output plug-in.

output alert_fast: filename

The data from the logfile could then be displayed or sorted somewhere else for use on a quick status or ESM/SIM high-level view of what attacks are occurring on your network.

Discussion

To enable the alert_fast output plug-in, edit the snort.conf file under the section for output plug-ins and place the following as the first plug-in:

output alert_fast: fast_logging.txt

The snort.conf file is read from the top down, so the nearer a setting is to the top of the file, the earlier it takes effect during Snort startup. The directory the file is written to is set by the -l option you pass to Snort to specify the logging directory.

This output plug-in should really not be used in a production environment unless setting up Barnyard is not an option. This plug-in takes no options other than the filename to use for logging events. One possible use of this plug-in would be to take the events being logged and display them for a quick status page.

The following is an example of the fast_logging.txt output when Snort detects an Nmap scan:

# cat fast_logging.txt
11/20-01:00:52:856446 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.5 -> 10.0.1.100

The best solution for an output plug-in such as this would be to spend some time developing a "status" page for the events to be filtered through. This would be good not only for keeping an eye on whether your Snort processes are working, but also for determining the speed and type of attacks coming to your network from each sensor.
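A minimal version of the filtering such a status page needs, added here as an example and not code from the Snort Cookbook: it parses alert_fast lines of the format shown above and aggregates them by signature, priority and source host. The log lines are constructed for the example (the NMAP lines mirror the recipe's output; the second signature is an invented placeholder), and the regular expression accepts both "." and ":" before the microseconds so it also matches the line printed in this recipe.

```python
import re
from collections import Counter

# One alert per line, as alert_fast writes them. Constructed sample data, not a real capture;
# sid 9999999 is a placeholder signature, not a real Snort rule.
SAMPLE_LOG = """\
11/20-01:00:52.856446 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.5 -> 10.0.1.100
11/20-01:00:53.102211 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.5 -> 10.0.1.101
11/20-01:01:10.004512 [**] [1:9999999:1] EXAMPLE TCP probe (constructed) [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 10.0.1.7:40321 -> 10.0.1.100:705
this line is not an alert and must be skipped
"""

# Fields of one alert_fast line: timestamp, gid:sid:rev, message, optional classification,
# priority, protocol, source and destination (ports only present for TCP/UDP).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d[.:]\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def parse_log(text):
    """Parse a whole fast_logging.txt, silently skipping lines that are not alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def status_summary(alerts):
    """Aggregate the counts a quick status page would show per sensor."""
    return {
        "total": len(alerts),
        "by_signature": Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts),
        "by_priority": Counter(a["prio"] for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
    }


if __name__ == "__main__":
    for key, value in status_summary(parse_log(SAMPLE_LOG)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```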

See Also

Snort Users Manual

Php.net for Web-based ideas

Cpan.perl.org for more Perl ideas

Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167
