Output modes are the methods by which Snort reports its findings when run in IDS mode. As discussed in the first Snort Report, Snort can also run in sniffer and packet logger modes. In sniffer mode, Snort writes traffic directly to the console. As a packet logger, Snort writes packets to disk in Libpcap format. This article describes output options for IDS mode, called via the -c [snort.conf] switch. Only IDS mode offers output opt...
This is the first of two Snort Reports in which I address output options. Without output options, consultants and VARs can't produce Snort data in a meaningful manner. Because output options vary widely, it's important to understand the capabilities and limitations of different features. In this edition of Snort Report, I describe output options available from the command line and their equivalent options (if available) in the snort.conf file. I don't discuss the Unix socket option (-A unsock or alert_unixsock). I will conclude with a description of logging directly to a MySQL database, which I don't recommend but explain for completeness.
Running Snort in IDS mode requires changes to the snort.conf file (here called snort.conf.184.108.40.206) in order to enable various options. The following diff (a Unix program that shows changes between two files) shows the changes between the snort.conf file shipping with Snort 220.127.116.11 and my configuration file called snort.conf.18.104.22.168.
cel433:/usr/local/snort-22.214.171.124# diff -u snort.conf snort.conf.126.96.36.199 --- snort.conf Tue Apr 24 15:24:48 2007 +++ snort.conf.188.8.131.52 Tue Apr 24 15:41:11 2007 @@ -111,7 +111,7 @@ # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules -var RULE_PATH ../rules +var RULE_PATH /nsm/rules/cel433 # Configure the snort decoder # ============================ @@ -167,6 +167,7 @@ # resources: # # config detection: search-method lowmem +config detection: search-method ac-bnfa # Configure Inline Resets # ======================== @@ -194,7 +195,8 @@ # Load all dynamic preprocessors from the install path # (same as command line option --dynamic-preprocessor-lib-dir) # -dynamicpreprocessor directory /usr/local/lib/ snort_dynamicpreprocessor/ +#dynamicpreprocessor directory /usr/local/lib/ snort_dynamicpreprocessor/ +dynamicpreprocessor directory /usr/local/snort-184.108.40.206/lib/ snort_dynamicpreprocessor/ # # Load a specific dynamic preprocessor library from the install path # (same as command line option --dynamic-preprocessor-lib) @@ -204,7 +206,8 @@ # Load a dynamic engine from the install path # (same as command line option --dynamic-engine-lib) # -dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so +#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so +dynamicengine /usr/local/snort-220.127.116.11/lib/snort_dynamicengine/ libsf_engine.so # # Load all dynamic rules libraries from the install path # (same as command line option --dynamic-detection-lib-dir)
Read part 2, Command line output modes
Dig deeper on Application security and data protection