Logging to Databases Output Modules

154 Chapter 4 • Plugins, Preprocessors and Output Modules

    output alert_unified: filename unified_alert, limit 50
    output log_unified: filename unified_log, limit 200

If no path is specified, the files are created in the /var/log/snort directory. In the above example, the alert file will not grow beyond 50 MBytes and the maximum size of the log file will be 200 MBytes. The number of seconds as returned by the time function is appended to the file name, so that when you restart Snort, new files are created. Some typical names for alert and log files are:

    unified_alert.1039992424
    unified_log.1039992424

Unified log files are in binary format and you need utilities to view them. For a simple hexadecimal display, you can use the hexdump utility on Linux. Barnyard is another tool for this purpose. Refer to the Barnyard web site at http://sourceforge.net/projects/barnyard. This tool is also discussed in Chapter 6.

4.2.10 SNMP Traps Output Module

The SNMP traps output module is very useful for sending alerts as SNMP traps to a centrally managed network operations center. The Snort SNMP output module can generate both SNMPv2 and SNMPv3 traps. The general format of an SNMPv2 trap line is as follows:

    output trap_snmp: alert, sensor_ID, {trap|inform} \
        -v snmp_version -p port_number hostname community

The following line sends SNMP version 2C traps to host 192.168.1.3 on port 162, which is the standard port for SNMP traps. The community name used is “public”.

    output trap_snmp: alert, 8, trap -v 2c -p 162 \
        192.168.1.3 public

You should change the community to a different string. “Public” is the default community name and is known to everyone in the SNMP world. Refer to the example lines provided in the snort.conf file for SNMP version 3 traps.

To enable SNMP support in Snort, you have to compile it into Snort at the time you run the configure script. The following configure command line can be used for this purpose:

    ./configure --prefix=/opt/snort --with-snmp --with-openssl

You also need to compile OpenSSL support into Snort. Refer to Chapter 2 for more information about how to build Snort.

4.2.11 Log Null Output Module

This output plug-in causes alert entries not to be logged. For example, you can create a rule type to send SNMP traps without logging these messages. However, I would not recommend using it. You should always have a record of alerts so that if you want to take any action against intruders, you have some evidence of the IDS activities.

4.3 Using BPF Filters

Berkeley Packet Filter (BPF) is a mechanism for filtering data packets at the data link layer level. These filters are extensively used with the tcpdump program to filter the data that you want to capture. You can use BPF filters with Snort as well. When using BPF filters, Snort rules are applied only to those packets that pass the BPF filter. This way you can save some CPU time by not applying Snort rules to packets that are of no interest. For example, BPF filters can be used to compare a particular byte at a given offset from the start of the IP header, TCP header or UDP header. You can place BPF filters in a file and use that file on the command line when starting Snort.

Let us suppose you want to apply Snort only to packets in which the Type of Service (TOS) field in the IP header is not equal to 0. The TOS field is the second byte in the IP header. For this purpose, you can create a file bpf.txt with the following line in it:

    ip[1] != 0

The number 1 is the offset, starting from the IP header part of the data packet. The offset starts from 0, so byte number 1 is the TOS field. For the structure of the IP header, refer to Appendix C. After creating this file, you can use the following command line to start Snort with the filter enabled:

    snort -F bpf.txt -c /opt/snort/etc/snort.conf

Only those packets in which the TOS field has some value other than 0 will reach the Snort detection engine. A TOS value equal to 0 indicates normal data traffic, and any other value is used for high priority data packets.
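As an added example (not code from the book or from Snort), the following Python evaluates the same byte-offset tests that the BPF primitives ip[n], tcp[n] and udp[n] perform, on constructed IPv4 packets, including the TOS check above and the caveat that tcp[n] does not match non-TCP packets or later fragments. It assumes packets begin at the IPv4 header, with the link-layer header already removed.

```python
import struct

IPPROTO = {"tcp": 6, "udp": 17}   # protocol numbers that BPF's tcp[] and udp[] test for

def build_ipv4(tos, proto, transport, frag_off=0):
    """Constructed IPv4 header (20 bytes, no options, checksum left 0) plus a transport header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(transport), 0x1234,
                      frag_off & 0x1FFF, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + transport

def tcp_header(flags, sport=1234, dport=80):
    """Constructed 20-byte TCP header; `flags` lands in byte 13, the byte tcp[13] reads."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def header_byte(packet, proto_name, offset):
    """Byte at `offset` in the named header, or None where the BPF primitive would not match."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # ip[], tcp[] and udp[] only apply to IPv4
    if proto_name == "ip":
        return packet[offset] if offset < len(packet) else None
    frag_off = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != IPPROTO[proto_name] or frag_off != 0:
        return None                      # wrong protocol, or a later fragment carrying no transport header
    ihl = (packet[0] & 0x0F) * 4         # IHL counts 32-bit words, so IP options shift the transport header
    idx = ihl + offset
    return packet[idx] if idx < len(packet) else None

def tos_nonzero(packet):
    """The book's filter, ip[1] != 0: TOS is the second byte of the IPv4 header."""
    tos = header_byte(packet, "ip", 1)
    return tos is not None and tos != 0

def tcp_syn_only(packet):
    """tcp[13] & 0x3f = 0x02: TCP flags byte with only SYN set (a common BPF test)."""
    flags = header_byte(packet, "tcp", 13)
    return flags is not None and (flags & 0x3F) == 0x02

if __name__ == "__main__":
    pkt = build_ipv4(0x10, 6, tcp_header(0x02))
    print("ip[1] != 0 matches:", tos_nonzero(pkt))   # True
    print("SYN-only matches:", tcp_syn_only(pkt))     # True
```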