Snort Alert Modes 69

2.8.4 No Alert Mode

You can also completely disable Snort alerts using “ -A none” command line option. This option is very useful for high speed intrusion detection using unified log- ging. You can disable normal logging using this option while using the unified option. Unified output plug-in is discussed in Chapter 4.

2.8.5 Sending Alerts to Syslog

This command allows Snort to send alerts to Syslog daemon. Syslog is a system logger daemon and it generates log files for system events. It reads its configuration file etcsyslog.conf where the location of these log files is configured. The usual location of syslog files is varlog directory. On Linux systems, usually var logmessages is the main logging file. For more information, use the “man sys- log” command. The “man syslog.conf” command shows the format of the sys- log.conf file. Depending on the configuration of the Syslog using etcsyslog.conf file, the alerts can be saved into a particular file. The following command enables Snort to log to the Syslog daemon: optsnortbinsnort -c optsnortetcsnort.conf -s Using the default configuration on my RedHat 7.1 computer, the messages are logged to varlogmessages file. When you cause an alert message by sending the special ICMP packet with TTL=100, the following line will be logged to the var logmessages file. May 28 22:21:02 snort snort[1750]: [1:0:0] Ping with TTL=100 {ICMP} 192.168.1.100 - 192.168.1.3 Using Syslog facility will be discussed in Chapter 4 later on in this book. You will also learn how to enable logging to Syslog using the output plug-in.

2.8.6 Sending Alerts to SNMP

One very useful feature of Snort is SNMP traps. You can configure an output plug-in to send messages in the form of SNMP traps to a network management system. Using this feature you can integrate your intrusion detection sensors into any central- ized NMS like HP OpenView, OpenNMS, MRTG and so on. Snort can generate SNMP version 2 and version 3 traps. The configuration process for SNMP traps will be dis- cussed later on in detail. 70 Chapter 2 • Installing Snort and Getting Started

2.8.7 Sending Alerts to Windows

Snort can send alerts to Microsoft Windows machines in the form of pop-up windows. These pop-up windows are controlled by Windows Messenger Service. Windows Messenger Service must be running on your Windows machine for pop-up windows to work. You can go to Control Panel and start the Services applet to find out if Windows Messenger Service is running. The Services applet is found in the Administrative Tools menu on your Windows system. Depending on your version of Microsoft Windows, it may be found in Control Panel or some other place. The SAMBA client package must be installed on your UNIX machine. SAMBA is an open source software suite that allows UNIX file and printer sharing with Microsoft Windows machines. SAMBA software runs on UNIX platforms. It can work with any other operating sys- tem that understands Common Internet File System CIFS or Server Message Block SMB protocol. More information about SAMBA is available from http:www.samba.org. The Snort alert mechanism uses smbclient program on the UNIX machine to connect to the Windows machines and send the alerts. Make sure that the SAMBA client is working prop- erly before trying to use this service. SAMBA operations are dependent upon its configuration file etcsambasmb.conf on a RedHat system. This file may be located at a different place on other UNIX systems. Although detailed discussion on SAMBA is beyond the scope of this book, a sample SAMBA configuration file is listed below. This file can be used to jump start SAMBA. The file creates a workgroup REHMAN which you can view from “Network Neighborhood” part of your Windows machines.

2.8.7.1 Sample Samba Configuration File

A sample etcsambasmb.conf file is as follows: [global] workgroup = REHMAN server string = REHMAN file server log file = varlogsambalog.m max log size = 50 security = user encrypt passwords = yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = no domain logons = no unix password sync = no map to guest = never password level = 0 null passwords = no os level = 0 preferred master = yes domain master = yes wins support = yes dead time = 0