Output Modules 147
4.2.6.1 Examples
Logging to a file “xmlout” on the local host:
output xml: log, file=xmlout
The date and time will be appended to the name of the file so that data can be saved for multiple Snort sessions.
Logging to a file “xmlout” on host snort.conformix.com using HTTP protocol:
output xml: alert, protocol=http \
    host=snort.conformix.com file=xmlout
Logging to a file “xmlout” on host snort.conformix.com using HTTPS protocol:
output xml: alert, protocol=https \
    host=snort.conformix.com file=xmlout cert=conformix.crt \
    key=conformix.pem ca=ca.crt server=Conformix_server
Logging to a TCP server running on host snort.conformix.com and listening to port number 5555:
output xml: alert, protocol=tcp \
    host=snort.conformix.com port=5555
Typical entries present in the output XML file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE snort-message-version-0.2>
<file>
<event version="1.0">
<sensor encoding="hex" detail="full">
<interface>eth0</interface>
<ipaddr version="4">192.168.1.2</ipaddr>
<hostname>conformix.conformix.net</hostname>
</sensor>
<signature>ICMP Packet with TTL=100</signature>
<timestamp>2002-07-23 17:48:31-04</timestamp>
<packet>
<iphdr saddr="192.168.1.100" daddr="192.168.1.2" proto="1" ver="4"
       hlen="5" len="60" id="37123" ttl="100" csum="519">
<icmphdr type="8" code="0" csum="23612">
<data>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869</data>
</icmphdr>
</iphdr>
</packet>
</event>
</file>
148 Chapter 4 • Plugins, Preprocessors and Output Modules
You need an XML parser and a DTD file to interpret data logged into the XML file. You can also load data files in your XML enabled web browser as shown in Figure 4-3.
Figure 4-3 The XML output file in Microsoft Internet Explorer.
There are a few things that you can do in Internet Explorer with XML documents. For example, if you want to hide the packet details, you can click on the hyphen character; all details for the packet will be hidden and the hyphen character will be replaced by the plus character. This is shown in Figure 4-4. To display the details again, you can click on the plus character.
Figure 4-4 Hiding details in Microsoft Internet Explorer.
The plus and the hyphen character can be clicked in all places on the XML document to hide or reveal details about a particular section of the XML document. For more information on XML, you can consult any of the available texts or go to the XML web site at http://www.xml.org.
4.2.7 Logging to Databases
Databases are used with Snort to store log and alert data. Logging data to files on the disk is fine for smaller applications. However, keeping log data in disk files is not appropriate when you have multiple Snort sensors or you want to keep historical data as well. Databases also allow you to analyze data generated by Snort sensors. For example, if you want to find the top 15 alerts that are generated most frequently, you can use SQL statements for the database. Finding the same information from log files is difficult. Similarly, if you want to find the most active attackers in the month of November 2002, it is very easy to find out that information from a database.
You can use multiple types of databases with Snort including Oracle and MySQL. Using the database is discussed in detail in the next chapter. For the sake of completeness of discussion about output modules, consider the following line.
output database: log, mysql, user=rr password=rr \
    dbname=snort host=localhost
This line configures MySQL to be used as the database running on the same machine where Snort is running. All messages are logged to the database named “snort”, which you need to create manually before you can start using it. Snort will access this database using user name “rr” and password “rr”. Note that rr is not a UNIX user; it is a database user. You have to create this user name and password yourself as well. Refer to Chapter 5 for details about how to configure the MySQL database for use with Snort.
The general format for using the database is as follows:
output database: log | alert, database_type, \
    parameter_list
The database type is mysql, postgresql, oracle and so on. The list of parameters that can be used is shown in Table 4-2. Parameters are separated with a space character in the configuration file snort.conf. Most of these parameters are optional.