The frag2 Module Preprocessors

    preprocessor arpspoof_detect_host: 192.168.1.13 \
        34:45:fd:3e:a2:01

If in any ARP packet these two addresses don't match, an alert will be generated. You can use multiple lines in the configuration file to create many similar pairs.

4.2 Output Modules

Output modules are used to control the output from the Snort detection engine. By default, the output from alerts and logs goes into files in the /var/log/snort directory. Using output modules, you can process output and send output messages to a number of other destinations. Commonly used output modules are:

• The database module is used to store Snort output data in databases.
• The SNMP module can be used to send Snort alerts in the form of traps to a management server.
• The SMB alerts module can send alerts to Microsoft Windows machines in the form of pop-up SMB alert windows.
• The syslog module logs messages to the syslog utility. Using this module you can log messages to a centralized logging server.
• You can also use the XML or CSV modules to save data in XML or comma separated files. The CSV files can then be imported into databases or spreadsheet software for further processing or analysis.

Output modules can be defined in the Snort configuration file, and some of them can also be configured on the command line. The general format for defining an output module inside the configuration file is as follows:

    output module_name[: arguments]

For example, if you want to log messages to a MySQL database called "snort" using database user name "rr" and password "rr", located on the same machine where Snort is running, you use the following line in the snort.conf file:

    output database: log, mysql, user=rr password=rr \
        dbname=snort host=localhost

However, when you use an output module in the configuration file, alerts will not go into the alert file. Once you place this line in the snort.conf file, all alerts will go into the MySQL database. There are ways to send alerts to multiple destinations.

NOTE: In addition to the above line, you also need to configure the MySQL database and create tables. Discussion of this process is the subject of the next chapter.

Another example of using output modules is as follows:

    output alert_smb: workstation.list

This line in the snort.conf file will cause alerts to be sent as SMB pop-up windows to the list of hosts in the workstation.list file.

Sometimes you may want to send alerts to multiple locations. Defining your own action using the ruletype keyword is a good idea. For example, the following lines in the snort.conf file define an action type called "smb_db_alert" that causes alerts to be sent to both the database and SMB pop-up windows for rules that use this action type:

    ruletype smb_db_alert
    {
        type alert
        output alert_smb: workstation.list
        output database: log, mysql, user=rr password=rr \
            dbname=snort host=localhost
    }

The following rule uses this new action type. Alerts generated by this rule will go to the MySQL database as well as to the Windows machines in the form of pop-up windows:

    smb_db_alert icmp any any -> 192.168.1.0/24 any \
        (fragbits: D; msg: "Dont Fragment bit set";)

You can also use command line options with some output modules. For example, you can use the -s option to log alerts to Syslog.

4.2.1 The alert_syslog Output Module

Syslog is a system logging daemon available on almost all UNIX systems. It uses a configuration file, /etc/syslog.conf, where you can define different parameters to determine what happens when a message for a defined facility is received. A detailed discussion of Syslog is beyond the scope of this book; you should refer to the manual pages of syslogd and syslog.conf. The alert_syslog module allows you to send alerts to the syslog facility. The Syslog daemon can also be used to forward alerts to some other host if you need centralized logging. The following is the general format for using this module:

    output alert_syslog: facility priority options