144 Chapter 4 • Plugins, Preprocessors and Output Modules
Each workstation name should be listed in the workstation.list file on a separate line. Note that these are the SMB names, not IP addresses or DNS hostnames. The SMB names of workstations are configured in Control Panel on Windows machines.
The smbclient program resolves these SMB names by itself.
You have to compile the SMB alert support when building Snort using the configure script. A typical line to build this support is:
./configure --prefix=/opt/snort --enable-smbalerts
Refer to Chapter 2 for more information about how to compile Snort. The messenger service must be enabled on the Windows system for pop-up windows to be displayed.
4.2.5 The log_tcpdump Output Module
This module is used to store alert data in a tcpdump format file that can be viewed later on using
tcpdump or some other tool. This method is quick for heavily loaded networks where you want to offload processing from the Snort system and analyze data
using some other mechanism. The general format for using this module in the snort.conf file is as follows:
output log_tcpdump: filename
Typical entries in the snort.conf file may look like the following:
output log_tcpdump: /var/log/snort/snort_tcpdump.log
In Snort 1.8 and older, the month, date and time are prepended to the file name so that you can have multiple files every time you restart Snort. In Snort 1.9, the seconds counter¹ is appended to the file name. Each time you start Snort, a new file is created.
1. In fact, the time function is used in Snort 1.9.0 to determine this number. For more information, use the “man 2 time” command in Linux.
Figure 4-2 SMB alert display window.
Output Modules 145
Some typical names of files created by using this line in the snort.conf file in Snort 1.9 are:
snort_tcpdump.log.1039971287
snort_tcpdump.log.1039971389
If you use the file command to determine the type of the files created by Snort, an output like the following will be displayed.
[root@conformix]# file /var/log/snort/snort_tcpdump.log.1039971287
/var/log/snort/snort_tcpdump.log.1039971287: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
[root@conformix]#
This output shows that this file is in tcpdump format. Now you can display the contents of this file (the captured data) using the tcpdump command as follows:
[root@conformix]# tcpdump -v -r /var/log/snort/snort_tcpdump.log.1039971287
11:55:03.163301 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 269 (ttl 150, id 0, len 297)
11:55:03.166078 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 325 (ttl 150, id 1, len 353)
11:55:03.168592 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 253 (ttl 150, id 2, len 281)
11:55:03.170912 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 245 (ttl 150, id 3, len 273)
11:55:03.173415 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 289 (ttl 150, id 4, len 317)
11:55:03.175796 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 265 (ttl 150, id 5, len 293)
11:55:03.178429 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 319 (ttl 150, id 6, len 347)
11:55:03.181288 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 317 (ttl 150, id 7, len 345)
11:55:03.183845 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 321 (ttl 150, id 8, len 349)
11:55:03.186581 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 313 (ttl 150, id 9, len 341)
[root@conformix]#
This is especially useful if you want to create log files in binary format and then use
tcpdump to analyze the log files later.
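Because the log_tcpdump file is an ordinary pcap file, any tool that understands the 24-byte global header and the 16-byte per-packet record headers can read it. The following Python script is an added illustration, not code from the book or from Snort: it constructs a small little-endian pcap 2.4 file with the same layout the file command reported above (Ethernet, capture length 1514), then parses it back, verifies the IP header checksum before trusting any header field, and prints tcpdump -v style lines. The packets, timestamps and MAC addresses are constructed sample data; the third frame has a deliberately corrupted IP header to show how a reader should skip it rather than report bogus lengths.

```python
import socket
import struct
import time

# Constructed sample data and parser; not Snort's code.  The frames and
# timestamps below are made up to resemble the tcpdump output shown above.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is intact)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload, ttl=150, ip_id=0):
    """Ethernet/IPv4/UDP frame with a valid IP checksum (constructed test traffic)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0 = absent
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id, 0, ttl,
                               IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    eth = b"\x01\x00\x5e\x7f\xff\xfa" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    return eth + bytes(ip) + udp


def build_pcap(frames, stamps, snaplen=1514):
    """Little-endian pcap 2.4 file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for frame, (sec, usec) in zip(frames, stamps):
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def summarize_udp(frame, sec, usec):
    """tcpdump -v style one-liner for an Ethernet/IPv4/UDP frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8 or ip_checksum(ip[:ihl]) != 0:
        return None                       # malformed or corrupted header: do not trust its fields
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != IPPROTO_UDP:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    stamp = time.strftime("%H:%M:%S", time.gmtime(sec)) + ".%06d" % usec   # UTC; tcpdump prints local time
    return "%s %s.%d > %s.%d: udp %d (ttl %d, id %d, len %d)" % (
        stamp, src, sport, dst, dport, udp_len - 8, ttl, ip_id, total_len)


def parse_pcap(data: bytes) -> dict:
    """Read a classic pcap file: detect byte order from the magic number, then walk the records."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a tcpdump capture file")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    result = {"byte_order": "little-endian" if endian == "<" else "big-endian",
              "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
              "udp": [], "skipped": 0}
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("file ends in the middle of a packet record")   # e.g. Snort killed mid-write
        offset += incl_len
        line = summarize_udp(frame, sec, usec) if linktype == LINKTYPE_ETHERNET else None
        if line is None:
            result["skipped"] += 1
        else:
            result["udp"].append(line)
    return result


def demo():
    """Build a two-packet sample (plus one frame with a corrupted IP header) and parse it."""
    frames = [build_udp_frame("192.168.1.1", "239.255.255.250", 1901, 1900, b"A" * 269, ip_id=0),
              build_udp_frame("192.168.1.1", "239.255.255.250", 1901, 1900, b"B" * 325, ip_id=1)]
    bad = bytearray(frames[0])
    bad[14 + 8] ^= 0x01           # flip a TTL bit so the IP checksum no longer verifies
    frames.append(bytes(bad))
    stamps = [(1039971303, 163301), (1039971303, 166078), (1039971303, 170000)]
    return parse_pcap(build_pcap(frames, stamps))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The byte-order check matters in practice: a log_tcpdump file copied from a big-endian sensor to a little-endian analysis box still reads correctly because the magic number tells the reader which way to decode every later field. The record-boundary check is also worth keeping; a sensor that is killed while writing leaves a truncated last record, and a reader that silently accepts it will report a packet that was never fully logged.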
4.2.6 The XML Output Module
The Simple Network Modeling Language (SNML) is available for exporting Snort alerts so they can be read and interpreted by any XML-based interpreter or browser. Information about the Snort XML plug-in is available at http://www.cert.org/kb/snortxml. At the time of writing this book, version 0.2 of the SNML DTD is available from this web site and is also available in Appendix E.
Using this plug-in, you can save XML data in a file on the local machine or send it to a web server using HTTP or HTTPS protocols.
The general format for using the XML output plug-in is as follows:
output xml: [log | alert], [parameter list]
You can use either the log or the alert option with the XML module. In the case of alert, only alert messages will be logged. Other parameters that can be used with this plug-in are listed in Table 4-1.
Note that XML output is important for web application development and for integrating Snort into such systems. Some Snort XML parsers exist, including ACID-XML at http://www.maximumunix.org, although these are still in their infancy.
Table 4-1 Parameters Used with XML Module

Parameter   Description
file        Stores data to an XML file.
protocol    Logs messages to some other host using that protocol. Important protocols are HTTP, HTTPS, and TCP. When you use the HTTP protocol, you also need to specify a file parameter. Data will be logged to the HTTP server using the POST method in the specified file. If you want to use the HTTPS protocol, you also need to provide file, cert, and key parameters for secure logging. If you use the TCP protocol, a server must be listening on the port specified with the port parameter.
host        Defines the remote host where data will be logged.
port        Defines the port number on the remote host where data will be logged. Default port numbers for HTTP, HTTPS, and TCP are 80, 443, and 9000 respectively.
cert        The certificate to be used with the HTTPS protocol. It is an X.509 client certificate.
key         The client private key.
ca          The server certificate used for authentication.
server      The Common Name or CN for the X.509 certificate.
4.2.6.1 Examples
Logging to a file “xmlout” on the local host:
output xml: log, file=xmlout
The date and time will be appended to the name of the file so that data can be saved for multiple Snort sessions.
Logging to a file “xmlout” on host snort.conformix.com using HTTP protocol:
output xml: alert, protocol=http \
    host=snort.conformix.com file=xmlout
Logging to a file “xmlout” on host snort.conformix.com using HTTPS protocol:
output xml: alert, protocol=https \
    host=snort.conformix.com file=xmlout cert=conformix.crt \
    key=conformix.pem ca=ca.crt server=Conformix_server
Logging to a TCP server running on host snort.conformix.com and listening to port number 5555:
output xml: alert, protocol=tcp \ host=snort.conformix.com port=5555
Typical entries present in the output XML file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE snort-message-version-0.2>
<file>
<event version="1.0">
<sensor encoding="hex" detail="full">
<interface>eth0</interface>
<ipaddr version="4">192.168.1.2</ipaddr>
<hostname>conformix.conformix.net</hostname>
</sensor>
<signature>ICMP Packet with TTL=100</signature>
<timestamp>2002-07-23 17:48:31-04</timestamp>
<packet>
<iphdr saddr="192.168.1.100" daddr="192.168.1.2" proto="1" ver="4" hlen="5" len="60" id="37123" ttl="100" csum="519">
<icmphdr type="8" code="0" csum="23612">
<data>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869</data>
</icmphdr>
</iphdr>
</packet>
</event>
</file>
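An SNML file like the one above is easy to turn into flat records for a database or SIEM with a standard XML library. The following Python script is an added example, not part of the book and not one of the Snort XML parsers mentioned above: it embeds a copy of the sample event (transcribed here as constructed input), extracts the sensor, signature, timestamp and IP header fields from each event, decodes the hex-encoded packet data according to the sensor's encoding attribute, and cross-checks the decoded payload size against the length the IP header claims. It handles only the elements the sample shows (an ICMP packet with full detail); other SNML element layouts are not assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, transcribed from the SNML fragment above (not produced by Snort here).
SAMPLE_SNML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE snort-message-version-0.2>
<file>
<event version="1.0">
<sensor encoding="hex" detail="full">
<interface>eth0</interface>
<ipaddr version="4">192.168.1.2</ipaddr>
<hostname>conformix.conformix.net</hostname>
</sensor>
<signature>ICMP Packet with TTL=100</signature>
<timestamp>2002-07-23 17:48:31-04</timestamp>
<packet>
<iphdr saddr="192.168.1.100" daddr="192.168.1.2" proto="1" ver="4" hlen="5" len="60"
       id="37123" ttl="100" csum="519">
<icmphdr type="8" code="0" csum="23612">
<data>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869</data>
</icmphdr>
</iphdr>
</packet>
</event>
</file>
"""

IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def decode_payload(text, encoding):
    """Decode the <data> element according to the sensor's encoding attribute."""
    if encoding != "hex":            # the sample only shows hex; refuse anything else rather than guess
        raise ValueError("unsupported payload encoding: %r" % encoding)
    return bytes.fromhex(text.strip())


def parse_snml(xml_bytes):
    """Flatten every <event> in an SNML 0.2 document into a dict suitable for a SIEM or database."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "file":
        raise ValueError("expected an SNML <file> root element, got <%s>" % root.tag)
    records = []
    for event in root.iter("event"):
        sensor = event.find("sensor")
        rec = {
            "sensor_host": sensor.findtext("hostname") if sensor is not None else None,
            "sensor_ip": sensor.findtext("ipaddr") if sensor is not None else None,
            "interface": sensor.findtext("interface") if sensor is not None else None,
            "signature": event.findtext("signature"),
            "timestamp": event.findtext("timestamp"),
            "payload": b"",
            "length_consistent": None,
        }
        iphdr = event.find("packet/iphdr")
        if iphdr is not None:
            proto = int(iphdr.get("proto"))
            rec.update(src=iphdr.get("saddr"), dst=iphdr.get("daddr"),
                       proto=IP_PROTO_NAMES.get(proto, str(proto)), ttl=int(iphdr.get("ttl")))
            data = iphdr.find(".//data")
            if data is not None and data.text:
                encoding = sensor.get("encoding", "hex") if sensor is not None else "hex"
                rec["payload"] = decode_payload(data.text, encoding)
            icmp = iphdr.find("icmphdr")
            if icmp is not None:
                rec["icmp_type"], rec["icmp_code"] = int(icmp.get("type")), int(icmp.get("code"))
                # IP header (hlen 32-bit words) + 8-byte ICMP header + payload must equal the reported len
                expected = int(iphdr.get("hlen")) * 4 + 8 + len(rec["payload"])
                rec["length_consistent"] = expected == int(iphdr.get("len"))
        records.append(rec)
    return records


def summarize(rec):
    """One log line per event, e.g. for grepping or forwarding to syslog."""
    line = "%s %s/%s %s: %s -> %s %s ttl %d payload %d bytes" % (
        rec["timestamp"], rec["sensor_host"], rec["interface"], rec["signature"],
        rec.get("src"), rec.get("dst"), rec.get("proto"), rec.get("ttl", 0), len(rec["payload"]))
    if rec["length_consistent"] is False:
        line += " [LENGTH MISMATCH]"   # header claims a size the logged payload does not support
    return line


def demo():
    return parse_snml(SAMPLE_SNML)


if __name__ == "__main__":
    for rec in demo():
        print(summarize(rec))
```

Decoding the payload (here the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" pattern) and checking it against the header's len field catches truncated or mangled records before they reach a database. When the XML arrives over the HTTP, HTTPS or TCP transports described in Table 4-1 rather than from a local file, parse it with the defusedxml package instead of xml.etree directly, so that a malformed or hostile document cannot exhaust the collector through entity expansion.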