Fast Logging
Problem
You have so much data that you need to log only basic information from each event.
Solution
Use the Snort alert_fast output plug-in.
output alert_fast: filename
The resulting logfile can then be displayed or sorted elsewhere, for example to feed a quick status page, or to give an ESM/SIM (enterprise security management / security information management) console a high-level view of which attacks are hitting your network.
Discussion
To enable the alert_fast output plug-in, edit the snort.conf file under the section for output plug-ins and place the following as the first plug-in:
output alert_fast: fast_logging.txt
Snort reads snort.conf from the top down, so output plug-ins are registered, and invoked for each event, in the order in which they appear. The filename is relative to the logging directory, which you set with the -l option when starting Snort (by default /var/log/snort).
This output plug-in should really not be used in a production environment unless setting up Barnyard, which moves output processing out of the Snort process, is not an option. The plug-in takes no options other than the filename to log events to. One possible use of this plug-in is to take the events being logged and display them on a quick status page.
The following is an example of the fast_logging.txt output when Snort detects an Nmap ping (rule 1:469). Each event is a single line carrying the timestamp, the generator ID:SID:revision, the rule message, classification, priority, protocol, and the source and destination addresses (with ports for TCP and UDP):
# cat fast_logging.txt
11/20-01:00:52.856446  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.5 -> 10.0.1.100
The best use of an output plug-in such as this is to spend some time developing a "status" page through which the events are filtered. That is useful not only for checking that your Snort processes are still working, but also for gauging the rate and kind of attacks reaching your network from each sensor.
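As an added example, not code from the original recipe or from the Snort project: a small parser for the alert_fast line format shown above, plus the roll-ups a status page would show (top signatures, top sources, priority mix, alerts per minute). The only thing taken from Snort is its documented one-line alert format; the function and field names are this example's own choices, and the sample log lines are constructed except for the Nmap alert reproduced from the recipe. It assumes IPv4 addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# One alert_fast line (IPv4 assumed; IPv6 addresses also contain ':' and would need another src/dst pattern):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# With "snort -y" the timestamp carries a year (MM/DD/YY-...).  Rules without a
# classtype print no Classification and may print no Priority, so both are optional.
_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; None for blank, truncated or foreign lines."""
    m = _ALERT_RE.match(line.strip())
    if m is None:
        return None
    num = lambda g: int(m[g]) if m[g] is not None else None
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["cls"], num("prio"), m["proto"],
                 m["src"], num("sport"), m["dst"], num("dport"))


@dataclass
class Summary:
    total: int = 0
    unparsed: int = 0           # damaged lines are counted, not silently dropped
    by_sig: Counter = field(default_factory=Counter)
    by_src: Counter = field(default_factory=Counter)
    by_priority: Counter = field(default_factory=Counter)
    by_minute: Counter = field(default_factory=Counter)


def summarize(lines: Iterable[str]) -> Summary:
    """Roll alert_fast lines up into the counters a status page would display."""
    s = Summary()
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            s.unparsed += 1
            continue
        s.total += 1
        s.by_sig[f"{a.gid}:{a.sid} {a.msg}"] += 1
        s.by_src[a.src] += 1
        s.by_priority[a.priority] += 1
        s.by_minute[a.timestamp.rsplit(":", 1)[0]] += 1   # "MM/DD-HH:MM" bucket gives the rate
    return s


def status_report(s: Summary, top: int = 5) -> str:
    """Plain-text rendering; a web status page would template the same Summary."""
    out: List[str] = [f"alerts: {s.total}  (unparsed lines: {s.unparsed})", "top signatures:"]
    out += [f"  {n:5d}  {sig}" for sig, n in s.by_sig.most_common(top)]
    out.append("top sources:")
    out += [f"  {n:5d}  {src}" for src, n in s.by_src.most_common(top)]
    out.append("by priority:")
    out += [f"  {n:5d}  {'n/a' if p is None else p}"
            for p, n in sorted(s.by_priority.items(), key=lambda kv: (kv[0] is None, kv[0] or 0))]
    out.append("alerts per minute:")
    out += [f"  {n:5d}  {minute}" for minute, n in sorted(s.by_minute.items())]
    return "\n".join(out)


# Constructed sample of alert_fast output: the first line is the Nmap ping alert from
# the recipe; the others are made-up events using local SIDs (1000000 and up, the range
# for locally written rules) and RFC 1918 addresses.  The last line is deliberate junk.
SAMPLE_LOG = """\
11/20-01:00:52.856446  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.5 -> 10.0.1.100
11/20-01:00:53.102211  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.5 -> 10.0.1.101
11/20-01:00:54.330017  [**] [1:1000001:2] LOCAL telnet to server segment [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.1.5:41022 -> 10.0.1.100:23
11/20-01:01:07.004190  [**] [1:1000002:1] LOCAL mDNS from workstation [**] {UDP} 10.0.1.7:5353 -> 224.0.0.251:5353
11/20-01:01:09.512345  [**] [1:1000001:2] LOCAL telnet to server segment [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.1.9:41023 -> 10.0.1.100:23
this line is not an alert and is counted as unparsed
"""

if __name__ == "__main__":
    print(status_report(summarize(SAMPLE_LOG.splitlines())))
```

Run it as a script to see the report for the sample, or point `summarize()` at `open("fast_logging.txt")` on a sensor. The unparsed count is kept on purpose: a status page that only shows parsed events cannot tell "no attacks" from "Snort stopped writing" or "the file format changed".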
See Also
Snort Users Manual
Php.net for Web-based ideas
Cpan.perl.org for more Perl ideas
Logging to a Unix Socket