The alert_syslog Output Module

144 Chapter 4 • Plugins, Preprocessors and Output Modules

Each workstation name should be listed in the workstation.list file on a separate line. Note that these are the SMB names, not IP addresses or DNS hostnames. The SMB names of workstations are configured in Control Panel on Windows machines. The smbclient program resolves these SMB names by itself. You have to compile in the SMB alert support when building Snort using the configure script. A typical line to build this support is:

    ./configure --prefix=/opt/snort --enable-smbalerts

Refer to Chapter 2 for more information about how to compile Snort. The messenger service must be enabled on the Windows system for pop-up windows to be displayed.

4.2.5 The log_tcpdump Output Module

This module is used to store alert data in a tcpdump format file that can be viewed later using tcpdump or some other tool. This method is quick for heavily loaded networks where you want to offload processing from the Snort system and analyze the data using some other mechanism. Following is the general format for using this module in the snort.conf file:

    output log_tcpdump: filename

Typical entries in the snort.conf file may look like the following:

    output log_tcpdump: /var/log/snort/snort_tcpdump.log

In Snort 1.8 and older, the month, date and time are prepended to the file name so that you can have multiple files every time you restart Snort. In Snort 1.9, the seconds counter (see note 1) is appended to the file name. Each time you start Snort, a new file is created.

Some typical names of files created by using this line in the snort.conf file in Snort 1.9 are:

    snort_tcpdump.log.1039971287
    snort_tcpdump.log.1039971389

If you use the file command to determine the type of the files created by Snort, output like the following will be displayed:

    [root@conformix]# file /var/log/snort/snort_tcpdump.log.1039971287
    /var/log/snort/snort_tcpdump.log.1039971287: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
    [root@conformix]#

This output shows that the file is in tcpdump format.

1. In fact, the time function is used in Snort 1.9.0 to determine this number. For more information, use the "man 2 time" command in Linux.

Figure 4-2 SMB alert display window.
Now you can display the captured data in this file using the tcpdump command as follows:

    [root@conformix]# tcpdump -v -r /var/log/snort/snort_tcpdump.log.1039971287
    11:55:03.163301 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 269 (ttl 150, id 0, len 297)
    11:55:03.166078 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 325 (ttl 150, id 1, len 353)
    11:55:03.168592 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 253 (ttl 150, id 2, len 281)
    11:55:03.170912 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 245 (ttl 150, id 3, len 273)
    11:55:03.173415 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 289 (ttl 150, id 4, len 317)
    11:55:03.175796 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 265 (ttl 150, id 5, len 293)
    11:55:03.178429 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 319 (ttl 150, id 6, len 347)
    11:55:03.181288 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 317 (ttl 150, id 7, len 345)
    11:55:03.183845 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 321 (ttl 150, id 8, len 349)
    11:55:03.186581 192.168.1.1.1901 > 239.255.255.250.1900: [udp sum ok] udp 313 (ttl 150, id 9, len 341)
    [root@conformix]#

This is especially useful if you want to create log files in binary format and then use tcpdump to analyze the log files later.
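As an added illustration of what the file command is reporting above (this is not code from the book or from Snort), the following Python reads the tcpdump global header and walks the packet records, refusing a file whose record lengths do not add up. The sample bytes are constructed inline, not taken from a real capture.

```python
import struct

# Constructed sample (not a capture from the book): a little-endian pcap
# global header (version 2.4, snaplen 1514, link type 1 = Ethernet) followed
# by one record whose timestamp matches the file suffix shown on the page.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
SAMPLE_HEADER = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 1514, 1)
SAMPLE_RECORD = struct.pack("<IIII", 1039971287, 163301, 60, 60) + b"\x00" * 60
SAMPLE_PCAP = SAMPLE_HEADER + SAMPLE_RECORD

LINKTYPES = {1: "Ethernet"}


def describe_pcap(data: bytes) -> dict:
    """Report what `file` prints for a tcpdump capture (byte order, version,
    link type, snaplen) and count the records, raising on corrupt ones."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        order, endian = "<", "little-endian"
    elif magic == PCAP_MAGIC_BE:
        order, endian = ">", "big-endian"
    else:
        raise ValueError("not a tcpdump capture file")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    # Each record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len.
    count, pos = 0, 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        if incl_len > snaplen or pos + 16 + incl_len > len(data):
            raise ValueError(f"corrupt record header at offset {pos}")
        count += 1
        pos += 16 + incl_len
    return {"endian": endian, "version": f"{major}.{minor}",
            "linktype": LINKTYPES.get(linktype, f"linktype {linktype}"),
            "snaplen": snaplen, "packets": count}


if __name__ == "__main__":
    d = describe_pcap(SAMPLE_PCAP)
    print(f"tcpdump capture file ({d['endian']}) - version {d['version']} "
          f"({d['linktype']}, capture length {d['snaplen']}), {d['packets']} packet(s)")
```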

4.2.6 The XML Output Module

The Simple Network Modeling Language (SNML) is available for exporting Snort alerts so they can be read and interpreted by any XML-based interpreter or browser. Information about the Snort XML plug-in is available at http://www.cert.org/kb/snortxml. At the time of writing this book, version 0.2 of the SNML DTD is available from this web site and is also available in Appendix E. Using this plug-in, you can save XML data in a file on the local machine or send it to a web server using the HTTP or HTTPS protocols. The general format for using the XML output plug-in is as follows:

    output xml: [log | alert], [parameter list]

You can use either the log or the alert option with the XML module. In the case of alert, only alert messages will be logged. Other parameters that can be used with this plug-in are listed in Table 4-1. Note that XML output is important for much web application development and for integrating Snort into such systems. Some Snort XML parsers exist, including ACID-XML at http://www.maximumunix.org, although these are still in their infancy.

Table 4-1 Parameters Used with XML Module

Parameter   Description
File        Stores data to an XML file.
Protocol    Logs messages to some other host using that protocol. Important protocols are HTTP, HTTPS, and TCP. When you use the HTTP protocol, you also need to specify a file parameter. Data will be logged to the HTTP server using the POST method in the specified file. If you want to use the HTTPS protocol, you also need to provide the file, cert, and key parameters for secure logging. If you use the TCP protocol, a server must be listening on the port specified with the port parameter.
Host        Defines the remote host where data will be logged.
Port        Defines the port number on the remote host where data will be logged. Default port numbers for HTTP, HTTPS, and TCP are 80, 443, and 9000 respectively.
Cert        This is the certificate to be used with the HTTPS protocol. It is an X.509 client certificate.
Key         The client private key.
Ca          The server certificate used for authentication.
Server      The Common Name or CN for the X.509 certificate.

4.2.6.1 Examples

Logging to a file "xmlout" on the local host:

    output xml: log, file=xmlout

The date and time will be appended to the name of the file so that data can be saved for multiple Snort sessions.

Logging to a file "xmlout" on host snort.conformix.com using the HTTP protocol:

    output xml: alert, protocol=http \
        host=snort.conformix.com file=xmlout

Logging to a file "xmlout" on host snort.conformix.com using the HTTPS protocol:

    output xml: alert, protocol=https \
        host=snort.conformix.com file=xmlout cert=conformix.crt \
        key=conformix.pem ca=ca.crt server=Conformix_server

Logging to a TCP server running on host snort.conformix.com and listening on port number 5555:

    output xml: alert, protocol=tcp \
        host=snort.conformix.com port=5555

Typical entries present in the output XML file:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE snort-message-version-0.2>
    <file>
    <event version="1.0">
    <sensor encoding="hex" detail="full">
    <interface>eth0</interface>
    <ipaddr version="4">192.168.1.2</ipaddr>
    <hostname>conformix.conformix.net</hostname>
    </sensor>
    <signature>ICMP Packet with TTL=100</signature>
    <timestamp>2002-07-23 17:48:31-04</timestamp>
    <packet>
    <iphdr saddr="192.168.1.100" daddr="192.168.1.2" proto="1" ver="4" hlen="5" len="60" id="37123" ttl="100" csum="519">
    <icmphdr type="8" code="0" csum="23612">
    <data>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869</data>
    </icmphdr>
    </iphdr>
    </packet>
    </event>
    </file>
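To show how a consumer would read the SNML records above, here is an added Python example (not code from the book, from Snort, or from the CERT plug-in) that flattens each event, decodes the hex payload, and cross-checks the IP total length against header, ICMP header and payload sizes. The sample document is constructed here in the layout shown above; only ICMP events are handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the SNML 0.2 layout shown above (one ICMP event).
# Element and attribute names follow the page; this is not real Snort output.
SAMPLE_SNML = """<?xml version="1.0" encoding="UTF-8"?>
<file>
<event version="1.0">
<sensor encoding="hex" detail="full">
<interface>eth0</interface>
<ipaddr version="4">192.168.1.2</ipaddr>
<hostname>conformix.conformix.net</hostname>
</sensor>
<signature>ICMP Packet with TTL=100</signature>
<timestamp>2002-07-23 17:48:31-04</timestamp>
<packet>
<iphdr saddr="192.168.1.100" daddr="192.168.1.2" proto="1" ver="4" hlen="5" len="60" id="37123" ttl="100" csum="519">
<icmphdr type="8" code="0" csum="23612">
<data>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869</data>
</icmphdr>
</iphdr>
</packet>
</event>
</file>
"""


def parse_snml_events(xml_text: str) -> list:
    """Flatten each <event> into a dict, decode the hex payload and check that
    the IP total length agrees with IP header + 8-byte ICMP header + payload."""
    events = []
    for ev in ET.fromstring(xml_text).iter("event"):
        sensor = ev.find("sensor")
        if sensor is None or sensor.get("encoding") != "hex":
            raise ValueError("only hex-encoded sensor output is handled here")
        iphdr = ev.find("packet/iphdr")
        icmp = iphdr.find("icmphdr") if iphdr is not None else None
        if iphdr is None or icmp is None:
            raise ValueError("only ICMP events are handled in this example")
        payload = bytes.fromhex(icmp.findtext("data", ""))
        expected_len = int(iphdr.get("hlen")) * 4 + 8 + len(payload)
        events.append({
            "sensor": sensor.findtext("hostname"),
            "interface": sensor.findtext("interface"),
            "signature": ev.findtext("signature"),
            "timestamp": ev.findtext("timestamp"),
            "src": iphdr.get("saddr"), "dst": iphdr.get("daddr"),
            "ttl": int(iphdr.get("ttl")), "icmp_type": int(icmp.get("type")),
            "payload": payload,
            "length_ok": expected_len == int(iphdr.get("len")),
        })
    return events
```

The decoded payload of the sample is the 32-byte alphabet pattern that a Windows ping carries, and the length check passes because 20 + 8 + 32 equals the len="60" attribute.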