Home
Topics
Security Channel
Network security products, technologies, services
Examining unified Snort output

Examining unified Snort output

Let's take a look at unified output. We'll use a methodology similar to that in our last Snort Report, namely processing a saved Libpcap file that should trigger one alert. In order to enable unified output, we uncomment these entries in the snort.conf.2.6.1.4 file. (This is simply a renamed copy of the snort.conf that ships with Snort 2.6.1.4.)

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

Next we run Snort.

cel433:/usr/local/snort-2.6.1.4# bin/snort -c 
snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/unified/
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting

Now the following exist in the specified log directory.

cel433:/tmp/so/unified# ls -al
total 8
drwxr-xr-x   2 root  wheel  512 Jun  1 15:47 .
drwxr-xr-x  11 root  wheel  512 Jun  1 15:41 ..
-rw-------   1 root  wheel   80 Jun  1 15:47 snort.alert.1180727255
-rw-------   1 root  wheel  420 Jun  1 15:47 snort.log.1180727255

Here are the contents of snort.alert.TIMESTAMP as rendered by hd(1).

Obviously we need help decoding the contents of this file!

Here are the contents of snort.log.TIMESTAMP as rendered by hd(1).

This file is also difficult to interpret, although the packet details are visible. Layer 7 content appears on line 0x80 with HTTP/1.1 and is easily recognized. Layer 2 content, starting with destination MAC address, starts at line 0x50 with 00 02 b3 0a cd 5e.

A look at the actual offending packet using TCPdump and its -XX switch reveals the same traffic:

Now that we have alerts and logs in unified format, the question becomes what do we do with them?

Working with unified output

Introduction
Examining unified output
Unified output readers
Barnyard processing alerts
Barnyard processing logs
Barnyard working with databases

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

More News and Tutorials

Articles

Snort.conf output options

Output options for Snort data

Barnyard processing logs for Snort

Snort command line output modes

Barnyard processing alerts for Snort

This was first published in July 2007

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

More from Related TechTarget Sites

Microscope
Cloud Provider
Security
Networking
Storage
Cloud computing
Server Virtualization
Data Backup

MicroscopeUK
- Dell appoints new UK head to drive services transformation
  
  As Dell attempts to reinvent itself the company has a new UK head, Tim Griffin, who aims to deliver a single-country focus
- Microsoft finds that cloud equals confidence for SMEs
  
  Those SMEs that have made the investment in cloud are more confident about their growth prospects in the future according to Microsoft research
- Newcomer Zayo warns over cloud competition as it woos MSPs
  
  Infrastructure provider Zayo believes an old-school approach to infrastructure sales in the face of growing cloud demands will win channel hearts and minds as it seeks to build out a UK MSP community
Cloud Provider
- What are the different phases of an IPv6 implementation?
  
  In an IPv6 implementation, it's important to spend time with each of the five phase of the process, IPv6 expert Chip Popoviciu says.
- MSPAlliance cloud insurance offers liability coverage for providers
  
  The MSPAlliance introduces new cloud insurance program, offering extended liability coverage for providers and peace of mind for customers.
- SDN's missing links: Five barriers blocking SDN adoption by providers
  
  As more providers move to deploy SDN, adoption is being hindered by crucial gaps in device standards and tools for network control.
Security
- Open source security tools: Getting more out of an IT security budget
  
  Open source security tools can help stretch your IT security budget further -- that is, if you use them strategically. Joseph Granneman explains how.
- Using network flow analysis to improve network security visibility
  
  To overcome network security issues from advanced attackers and BYOD, security professionals are turning to network flow analysis to gain improved network security visibility.
- Sourcefire updates malware detection, malware analysis capabilities
  
  New features for detecting and analyzing malware in Sourcefire's FireAMP and FirePOWER products supplement flagging signature-based antimalware.
Networking
- Networking blogs: The MapR platform strategy; Tax Day case for IPv6
  
  This week, networking bloggers point out the steady progress of the MapR platform and make a case for the serious adoption of IPv6.
- WAN optimizer form factor differences don't dictate superiority
  
  The WAN optimization Magic Quadrant reveals different WAN optimizer form factors are helping to better match evolving enterprise requirements.
- Using big data analysis to harness your network operations
  
  Big data is all the craze, but analyzing big data intelligently can help network administrators pinpoint potential problems.
searchStorage
- Permabit Technology extends primary data deduplication software
  
  Permabit tries to make its primary deduplication software more palatable to OEMs by adding compression and replication plug-ins.
- HP cloud storage service features open source OpenStack object store
  
  HP cloud storage service uses open source OpenStack object store to attract developers, ISVs and enterprises in competition against Amazon S3.
- Can storage hypervisors bring high availability to the cloud?
  
  Learn how the advanced functionality of a storage hypervisor provides a cloud infrastructure with high availability.
Cloud computing
- Sequestration stymies federal government cloud ambitions
  
  The federal government is under mandates to consolidate data centers and deliver IT as a Service, but sequestration makes this easier said than done.
- VMware charges into public cloud IaaS fray as Dell exits
  
  Dell will discontinue its OpenStack and VMware vCloud-based public cloud offerings as VMware delivers its vCloud IaaS.
- Cloud migration obstacles remain for heavily regulated industries
  
  Financial, government and healthcare industries must overcome data security breaches and regulatory issues for a successful cloud migration.
Server Virtualization
- Strike a common-sense balance when deciding what to automate
  
  Consider the many factors that determine the potential return on investment when deciding when and what to automate.
- How can I enable automated VM resource provisioning?
  
  As with many other facets of virtualization, VM resource allocation is becoming automated. Find out what tools you can use for automated provisioning.
- Columbia Sportswear's move from virtualization to private cloud computing
  
  Columbia Sportswear parlayed server virtualization into a private cloud. Along the way, it found that its management tools needed serious rethinking.
searchDataBackup
- The pros and cons of integrated backup appliances
  
  Find out whether integrated backup appliances with backup software, server and storage offer any benefits beyond ease of installation.
- Quantum vmPRO adds LTFS tape support, DXi V-Series gains capacity
  
  Quantum upgrades its vmPRO virtual machine backup appliance, supporting 24 TB of pre-deduped data and LTFS tape in a virtual appliance.
- Veeam Software adds WAN acceleration, tape support for VM backup
  
  Veeam upgrades its virtual machine backup software, building WAN acceleration and native tape support into Backup & Recovery v7.

All Rights Reserved,Copyright 2006 - 2013, TechTarget