Network Intrusion Detection Mode

    Approximate round trip times in milli-seconds:
        Minimum = 3ms, Maximum = 3ms, Average = 3ms

C:\rrehman>

The “-n 1” command line option is used to send only one ICMP packet. The “-i 100” option sets the TTL value in the ICMP packet to 100. For details on the format of ICMP packet headers, refer to RFC 792 at ftp://ftp.isi.edu/in-notes/rfc792.txt or Appendix C. Whenever this command is executed, Snort captures the ICMP packet and creates an alert. The amount of information logged with the alert depends on the particular alerting mode. Now let us see how the different alerting modes work on a packet.

2.8.1 Fast Mode

The fast alert mode logs the alert with the following information:

• Timestamp
• Alert message, configurable through rules
• Source and destination IP addresses
• Source and destination ports

To configure fast alert mode, you have to use the “-A fast” command line option. This alert mode causes less overhead for the system. The following command starts Snort in fast alert mode:

    /opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A fast

The -q option used on the command line stops the initial messages and final statistical summary from being displayed on the screen. Now when you create an alert, it will be logged in the /var/log/snort/alert file. However, you can change the location of this file using the -l command line option. The alert message is similar to the following:

    05/28-22:16:25.126150 [**] [1:0:0] Ping with TTL=100 [**] {ICMP} 192.168.1.100 -> 192.168.1.3

This alert message shows the following information:

• Date and time the alert occurred.
• Message present in the rule that generated this alert. In this example, the message is “Ping with TTL=100”.
• Source address, which is 192.168.1.100.
• Destination address, which is 192.168.1.3.
• Type of packet; in the above example, the type of packet is ICMP.

Note that the actual packet is not logged in this file when using this alert mode.
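Because the fast-mode line is what most log collectors end up parsing, here is an added example (not code from the book or from the Snort project) that parses lines in this format, including the optional port suffix and the [Classification: ...] [Priority: N] fields that fast mode emits when a rule carries them, and then counts alerts per source address. The sample lines are constructed; the second one uses a made-up local rule SID.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# One line of Snort's fast alert format (-A fast):
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [opt fields] {PROTO} src -> dst
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?P<extra>(?:\[[^\]]*\] )*)"          # optional [Classification: ...] [Priority: N]
    r"\{(?P<proto>[A-Za-z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def _split_endpoint(endpoint: str):
    """Split 'ip' or 'ip:port' into (ip, port); ICMP lines carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None

def parse_fast_alert(line: str) -> Optional[Dict]:
    """Return the fields of one fast-mode alert line, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m.group("src"))
    dst_ip, dst_port = _split_endpoint(m.group("dst"))
    extras = dict(re.findall(r"\[([^:\]]+): ([^\]]*)\]", m.group("extra")))
    return {
        "timestamp": m.group("ts"),
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": extras.get("Classification"),
        "priority": int(extras["Priority"]) if "Priority" in extras else None,
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }

def alerts_per_source(lines: List[str]) -> Counter:
    """Count alerts by source IP, silently skipping lines that are not fast-mode alerts."""
    return Counter(a["src_ip"] for a in map(parse_fast_alert, lines) if a)

# Constructed sample log lines: the book's ICMP alert plus a hypothetical TCP alert
# from a local rule (SID 1000001) that also carries classification and priority.
SAMPLE_ALERTS = [
    "05/28-22:16:25.126150 [**] [1:0:0] Ping with TTL=100 [**] {ICMP} 192.168.1.100 -> 192.168.1.3",
    "05/28-22:16:26.001000 [**] [1:1000001:2] Hypothetical SSH connection [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.100:40231 -> 192.168.1.3:22",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_fast_alert(line))
    print(alerts_per_source(SAMPLE_ALERTS))
```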

2.8.2 Full Mode

This is the default alert mode. It prints the alert message in addition to the packet header. Let us start Snort with full alerting enabled with the following command:

    /opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A full

When Snort generates an alert in this mode, the message logged in the /var/log/snort/alert file is similar to the following:

    [**] [1:0:0] Ping with TTL=100 [**]
    05/28-22:14:37.766150 192.168.1.100 -> 192.168.1.3
    ICMP TTL:100 TOS:0x0 ID:40172 IpLen:20 DgmLen:60
    Type:8 Code:0 ID:768 Seq:20224 ECHO

As you can see, additional information is logged with the alert message. This additional information shows different values in the packet header, including:

• Time To Live (TTL) value in the IP packet header. For details on the TTL value, refer to RFC 791 at ftp://ftp.isi.edu/in-notes/rfc791.txt
• The Type Of Service (TOS) value in the IP packet header. For details on the TOS value, refer to RFC 791 at ftp://ftp.isi.edu/in-notes/rfc791.txt and Appendix C.
• Length of the IP packet header, shown as IpLen:20.
• Total length of the IP packet, shown as DgmLen:60.
• ICMP Type field. For details on the ICMP type field, refer to RFC 792.
• ICMP Code value. For details on the ICMP code field, refer to RFC 792.
• IP packet ID.
• Sequence number.
• ICMP packet type, which is ECHO.

2.8.3 UNIX Socket Mode

If you use the “-A unsock” command line option with Snort, you can send alerts to another program through UNIX sockets. This is useful when you want to process alerts using a custom application alongside Snort. For more information on sockets, use the “man socket” command.