Logging Only Alerts

Problem

You want to log just the alerts to a file.

Solution

Use the fast alert mode with the -A fast command-line option:

[testuser@localhost snort]# snort -de -c /etc/snort.conf -A fast

You can also use the Barnyard alert_fast plug-in in the /etc/barnyard.conf file:

# alert_fast #----------------------------- # Converts data from the dp_alert plugin into an approximation of # Snort's "fast alert" mode. Argument: output alert_fast /var/log/snort/fast_output

Discussion

By default, Snort logs in a decoded ASCII format and uses full alerts. A full alert includes the alert message and the full packet header. Snort also includes other alert output options and logging methods, such as fast, full, console, or none.

To produce less output, you can use the fast alert mode with the -A fast command-line option:

[testuser@localhost snort]# snort -de -c /etc/snort.conf -A fast

The -d command-line option logs application-layer information and -e logs data link-layer information. The output then looks like the following:

11/05-22:08:59.705515 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak][Priority: 2] {ICMP} 192.168.206.129 -> 192.168.100.5

If you are using unified logging and the Barnyard output utility, you can also log alerts by using the alert_fast output plug-in. Barnyard takes the log processing load off of the Snort engine. Barnyard processing is controlled by input processors and output plug-ins. Chapter 5 contains more information. The following example is from the /etc/barnyard.conf file:

# alert_fast #----------------------------- # Converts data from the dp_alert plugin into an approximation of # Snort's "fast alert" mode. Argument: output alert_fast /var/log/snort/fast_output

The Snort output passes to the Barnyard utility via the unified logging plug-in. By default, Barnyard processes the output and logs the alerts to the /var/log/snort/fast_output file. The output looks like the following:

[testuser@localhost snort]# more fast_output 11/06/04-00:32:05.706661 {ICMP} 192.168.206.129 -> 192.168.100.5 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] [Xref => http://www.whitehats.com/info/IDS162] --------------------------------------------------------------------- 11/06/04-00:32:10.896823 {ICMP} 192.168.206.129 -> 192.168.100.5 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] [Xref => http://www.whitehats.com/info/IDS162] ---------------------------------------------------------------------

See Also

Recipe 5.9

Recipe 2.1