Logging in Binary
Problem
You want to log packets in binary format.
Solution
There are several options available to log packets in binary format.
Use the -b command-line option along with the -l option:
C:\Snort\bin>snort -l c:\snort\log -b
Use the -L option to specify a name for the binary file:
C:\Snort\bin>snort -l c:\snort\log -L test
Use the /etc/snort.conf file to enable the log_tcpdump output plug-in:
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
Use the /etc/snort.conf file to enable the unified output plug-ins:
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Discussion
To log in binary format, you use the -b command-line option in conjunction with -l. The -b option specifies to log the packets in binary format. You won't see any data output on the screen when you are logging in binary format, unless you also use the -v command-line option. You don't need to specify the -d or -e command-line options, because by default, the binary option logs the entire packet.
C:\Snort\bin>snort -l c:\snort\log -b
The previous command creates a file called snort.log.1084553605 in the C:\Snort\log directory. In addition, you can specify a name for the logfile by using the -L option. When using the -L option, you don't need to specify the -b option because it automatically logs in binary format.
C:\Snort\bin>snort -l c:\snort\log -L test
The previous command creates a file called test.1084554709 in the C:\Snort\log directory.
If you run Snort in network intrusion detection system (NIDS) mode, you can also perform binary logging by uncommenting the output line in the following block of the /etc/snort.conf file:
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
Unified logging also logs in binary format; however, it uses a Snort output plug-in to reduce the load on the Snort processing engine. To enable unified logging, uncomment and configure the following output plug-ins in the /etc/snort.conf file:
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and
# generating alerts from Snort, the "unified" format. The unified
# format is a straight binary format for logging data out of Snort
# that is designed to be fast and efficient. Used with barnyard (the
# new alert/log processor), most of the overhead for logging and
# alerting to various slow storage mechanisms such as databases or the
# network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
Both the filename and file size limit parameters are configurable. Unified logs have a unique, varying number appended to the filename (e.g., snort.alert.1099412241) to ensure that existing files are not overwritten. This number is the Unix epoch time: the number of seconds since 01-01-1970.
Binary logging makes logging more efficient because the Snort engine doesn't have to translate the data into human-readable format. Logging traffic in binary mode is far less resource intensive than in other modes. Binary files can then be reviewed later using Snort, TCPDump, Ethereal, or other binary log-compatible programs. If you are using Snort on a high-speed network, such as 1Gbps or greater, you benefit more from unified logging. This allows the Snort engine to write logs and alerts quickly to a binary file, while offloading the spooling and processing to another program. Offloading the processing of the logs and alerts means that Snort can spend more time capturing data, thus decreasing the likelihood that packets are dropped. Use a unified log reader, such as Barnyard, to process the logfiles.
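As an added example (not code from the Snort Cookbook or the Snort project), here is a minimal Python reader for the libpcap file that log_tcpdump and snort -b write, plus a decoder for the epoch suffix Snort appends to the log name. The sample pcap bytes are constructed inline, and the function names are the example's own.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xa1b2c3d4          # libpcap magic as written by a little-endian host
PCAP_MAGIC_SWAPPED = 0xd4c3b2a1  # same magic read from a big-endian file


def logfile_timestamp(name):
    """Decode the epoch suffix Snort appends to a binary log name
    (e.g. 'snort.log.1084553605') into a UTC datetime."""
    suffix = name.rsplit('.', 1)[-1]
    if not suffix.isdigit():
        raise ValueError("no epoch suffix in %r" % name)
    return datetime.fromtimestamp(int(suffix), tz=timezone.utc)


def parse_pcap(data):
    """Walk a libpcap file and return a list of
    (ts_sec, ts_usec, incl_len, orig_len, packet_bytes) tuples.
    Length fields are checked against snaplen and the file size so a
    truncated or corrupt log is reported instead of silently mis-parsed."""
    if len(data) < 24:
        raise ValueError("short global header")
    magic = struct.unpack('<I', data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = '<'
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = '>'
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    # version major/minor, tz offset, sigfigs, snaplen, link type
    _maj, _min, _tz, _sig, snaplen, _link = struct.unpack(endian + 'HHiIII', data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad length fields in record at offset %d" % off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_usec, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return records


def build_sample_pcap():
    """Constructed sample: little-endian pcap, snaplen 64, Ethernet link type,
    two records; the second frame was 100 bytes on the wire but only 64 were captured."""
    hdr = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 64, 1)
    rec1 = struct.pack('<IIII', 1084553605, 0, 60, 60) + bytes(range(60))
    rec2 = struct.pack('<IIII', 1084553606, 500000, 64, 100) + bytes(64)
    return hdr + rec1 + rec2
```

To read a real log, pass the file contents (open(path, 'rb').read()) to parse_pcap; the same checks apply to a snort.log.* file produced by -b.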
See Also
Recipe 5.9, Viewing Traffic While Logging