Output options for Snort data

Without output options, VARs can't produce Snort data in a meaningful manner. Learn the capabilities and limitations of different features, in this edition of Snort Report by intrusion detection expert Richard Bejtlich.

Output modes are the methods by which Snort reports its findings when run in IDS mode. As discussed in the first Snort Report, Snort can also run in sniffer and packet logger modes. In sniffer mode, Snort writes traffic directly to the console. As a packet logger, Snort writes packets to disk in Libpcap format. This article describes output options for IDS mode, called via the -c [snort.conf] switch. Only IDS mode offers output opt...

ions.

This is the first of two Snort Reports in which I address output options. Without output options, consultants and VARs can't produce Snort data in a meaningful manner. Because output options vary widely, it's important to understand the capabilities and limitations of different features. In this edition of Snort Report, I describe output options available from the command line and their equivalent options (if available) in the snort.conf file. I don't discuss the Unix socket option (-A unsock or alert_unixsock). I will conclude with a description of logging directly to a MySQL database, which I don't recommend but explain for completeness.

Preparation

Running Snort in IDS mode requires changes to the snort.conf file (here called snort.conf.2.6.1.4) in order to enable various options. The following diff (a Unix program that shows changes between two files) shows the changes between the snort.conf file shipping with Snort 2.6.1.4 and my configuration file called snort.conf.2.6.1.4.

cel433:/usr/local/snort-2.6.1.4# diff -u snort.conf 
snort.conf.2.6.1.4
--- snort.conf  Tue Apr 24 15:24:48 2007
+++ snort.conf.2.6.1.4  Tue Apr 24 15:41:11 2007
@@ -111,7 +111,7 @@
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to 
make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
+var RULE_PATH /nsm/rules/cel433
 
 # Configure the snort decoder
 # ============================
@@ -167,6 +167,7 @@
 # resources:
 #
 # config detection: search-method lowmem
+config detection: search-method ac-bnfa
 
 # Configure Inline Resets
 # ========================
@@ -194,7 +195,8 @@
 # Load all dynamic preprocessors from the install path
 # (same as command line option --dynamic-preprocessor-lib-dir)
 #
-dynamicpreprocessor directory /usr/local/lib/
snort_dynamicpreprocessor/
+#dynamicpreprocessor directory /usr/local/lib/
snort_dynamicpreprocessor/
+dynamicpreprocessor directory /usr/local/snort-2.6.1.4/lib/
snort_dynamicpreprocessor/
 #
 # Load a specific dynamic preprocessor library from the install path
 # (same as command line option --dynamic-preprocessor-lib)
@@ -204,7 +206,8 @@
 # Load a dynamic engine from the install path
 # (same as command line option --dynamic-engine-lib)
 #
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+dynamicengine /usr/local/snort-2.6.1.4/lib/snort_dynamicengine/
libsf_engine.so
 #
 # Load all dynamic rules libraries from the install path
 # (same as command line option --dynamic-detection-lib-dir)

Read part 2, Command line output modes


This was first published in June 2007

Dig deeper on Application security and data protection

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

MicroscopeUK

SearchCloudProvider

SearchSecurity

SearchStorage

SearchNetworking

SearchCloudComputing

SearchConsumerization

SearchDataManagement

SearchBusinessAnalytics

Close