Logging Only Alerts
Problem
You want to log just the alerts to a file.
Solution
Use the fast alert mode with the -A fast command-line option:
[testuser@localhost snort]# snort -de -c /etc/snort.conf -A fast
You can also use the Barnyard alert_fast plug-in in the /etc/barnyard.conf file:
# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of
# Snort's "fast alert" mode. Argument:
output alert_fast /var/log/snort/fast_output
Discussion
By default, Snort logs in a decoded ASCII format and uses full alerts. A full alert includes the alert message and the full packet header. Snort also includes other alert output options and logging methods, such as fast, full, console, or none.
To produce less output, you can use the fast alert mode with the -A fast command-line option:
[testuser@localhost snort]# snort -de -c /etc/snort.conf -A fast
The -d command-line option logs application-layer information and -e logs data link-layer information. The output then looks like the following:
11/05-22:08:59.705515 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak][Priority: 2] {ICMP} 192.168.206.129 -> 192.168.100.5
If you are using unified logging and the Barnyard output utility, you can also log alerts by using the alert_fast output plug-in. Barnyard takes the log processing load off of the Snort engine. Barnyard processing is controlled by input processors and output plug-ins. Chapter 5 contains more information. The following example is from the /etc/barnyard.conf file:
# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of
# Snort's "fast alert" mode. Argument:
output alert_fast /var/log/snort/fast_output
The Snort output passes to the Barnyard utility via the unified logging plug-in. By default, Barnyard processes the output and logs the alerts to the /var/log/snort/fast_output file. The output looks like the following:
[testuser@localhost snort]# more fast_output
11/06/04-00:32:05.706661 {ICMP} 192.168.206.129 -> 192.168.100.5 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] [Xref => http://www.whitehats.com/info/IDS162]
---------------------------------------------------------------------
11/06/04-00:32:10.896823 {ICMP} 192.168.206.129 -> 192.168.100.5 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] [Xref => http://www.whitehats.com/info/IDS162]
---------------------------------------------------------------------
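The two fast layouts above put the same fields in a different order (Snort prints the address pair last, Barnyard prints it first), so a script that consumes either file has to locate fields rather than split by position. The following parser is an added example, not code from the Snort Cookbook or from the Snort or Barnyard projects; the sample lines are constructed, the TCP line and its SID 1000001 are invented, and the IPv4-only address splitting is an assumption.

```python
import re
from collections import Counter

# Constructed sample input: one line in Snort's own -A fast layout, two in
# Barnyard's alert_fast layout (different field order), and the "-----"
# separator Barnyard writes between records. The TCP line is invented.
SAMPLE_LINES = [
    '11/05-22:08:59.705515 [**] [1:469:3] ICMP PING NMAP [**] '
    '[Classification: Attempted Information Leak][Priority: 2] '
    '{ICMP} 192.168.206.129 -> 192.168.100.5',
    '11/06/04-00:32:05.706661 {ICMP} 192.168.206.129 -> 192.168.100.5 [**] '
    '[1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] '
    '[Priority: 2] [Xref => http://www.whitehats.com/info/IDS162]',
    '---------------------------------------------------------------------',
    '11/06/04-00:32:10.896823 {TCP} 10.1.1.7:40012 -> 192.168.100.5:80 [**] '
    '[1:1000001:1] LOCAL example web probe [**] '
    '[Classification: Web Application Attack] [Priority: 1]',
]

# Field regexes are searched, not anchored, so both layouts parse the same way.
SIG_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]')
CLASS_RE = re.compile(r'\[Classification:\s*([^\]]+)\]')
PRIO_RE = re.compile(r'\[Priority:\s*(\d+)\]')
NET_RE = re.compile(r'\{(\w+)\}\s+(\S+)\s+->\s+(\S+)')

def split_addr(token):
    """Split 'ip' or 'ip:port' into (ip, port or None); IPv4 only, an assumption."""
    ip, _, port = token.partition(':')
    return ip, (int(port) if port else None)

def parse_fast_alert(line):
    """Parse one fast-format alert line; return None for separators and noise."""
    sig, net = SIG_RE.search(line), NET_RE.search(line)
    if not sig or not net:
        return None
    cls, prio = CLASS_RE.search(line), PRIO_RE.search(line)
    src, src_port = split_addr(net.group(2))
    dst, dst_port = split_addr(net.group(3))
    return {
        'timestamp': line.split(' ', 1)[0],
        'gid': int(sig.group(1)), 'sid': int(sig.group(2)), 'rev': int(sig.group(3)),
        'msg': sig.group(4), 'proto': net.group(1),
        'classification': cls.group(1) if cls else None,
        'priority': int(prio.group(1)) if prio else None,
        'src': src, 'src_port': src_port, 'dst': dst, 'dst_port': dst_port,
    }

def alerts_by_source(lines):
    """Count alerts per (source IP, SID): a quick triage view of a fast log."""
    return Counter((a['src'], a['sid']) for a in map(parse_fast_alert, lines) if a)
```

Feed it the lines of /var/log/snort/fast_output (or of the -A fast log) with `alerts_by_source(open(path))` to see which sources trip which signatures most often.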
See Also
Recipe 5.9
Recipe 2.1
Logging to a CSV File