Let's take a look at unified output. We'll use a methodology similar to that in our last Snort Report, namely processing a saved Libpcap file that should trigger one alert. In order to enable unified output, we uncomment these entries in the snort.conf.184.108.40.206 file. (This is simply a renamed copy of the snort.conf that ships with Snort 220.127.116.11.)
output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128
Next we run Snort.
cel433:/usr/local/snort-18.104.22.168# bin/snort -c snort.conf.22.214.171.124 -r www.testmyids.com.lpc -l /tmp/so/unified/ Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! ...edited... Action Stats: ALERTS: 1 LOGGED: 1 PASSED: 0 ...edited... Snort exiting
Now the following exist in the specified log directory.
cel433:/tmp/so/unified# ls -al total 8 drwxr-xr-x 2 root wheel 512 Jun 1 15:47 . drwxr-xr-x 11 root wheel 512 Jun 1 15:41 .. -rw------- 1 root wheel 80 Jun 1 15:47 snort.alert.1180727255 -rw------- 1 root wheel 420 Jun 1 15:47 snort.log.1180727255
Here are the contents of snort.alert.TIMESTAMP as rendered by hd(1).
Obviously we need help decoding the contents of this file!
Here are the contents of snort.log.TIMESTAMP as rendered by hd(1).
This file is also difficult to interpret, although the packet details are visible. Layer 7 content appears on line 0x80 with HTTP/1.1 and is easily recognized. Layer 2 content, starting with destination MAC address, starts at line 0x50 with 00 02 b3 0a cd 5e.
A look at the actual offending packet using TCPdump and its -XX switch reveals the same traffic:
Now that we have alerts and logs in unified format, the question becomes what do we do with them?
Working with unified output
Examining unified output
Unified output readers
Barnyard processing alerts
Barnyard processing logs
Barnyard working with databases
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
This was first published in July 2007