Output Modules 151
To enable support for databases, you need to compile Snort with database support enabled. The following configure command enables MySQL database support in Snort:

./configure --prefix=/opt/snort --with-mysql=/usr/lib/mysql

Refer to Chapter 2 for details on how to build Snort.

Table 4-2 List of Parameters for the Database

Parameter     Description
host          Host where the database server is running.
port          Port number used by the database server.
dbname        Name of the database.
user          Name of the database user.
password      Password for the user. If you don't want to use a password, you can omit this parameter, which is a bad idea.
sensor_name   Name of the sensor used by Snort. This is useful when many Snort sensors are logging to the database and later on you want to know which alert is related to a particular sensor. This name is also used by tools like ACID to distinguish different sensors.
detail        You can use either full or fast detail. By default, full detail is saved to the database.
encoding      You can use ASCII, hex, or base64 encoding for packet data.

4.2.8 CSV Output Module

Comma-separated text files are sometimes useful when you want to import data into other software packages such as databases and spreadsheets, e.g., Microsoft Excel. Using the CSV output module, you can save output data to a CSV file. The general format of the CSV output line is as follows:

output csv: filename formatting_options

The file is created in the logging directory, which is /var/log/snort by default. The formatting options define what information is stored in the CSV file and in what order. If you use the keyword "default" as the formatting option, all parameters about the alert are stored in the file:

output csv: csv_log default
152 Chapter 4 • Plugins, Preprocessors and Output Modules
The output file generated after using this line in the snort.conf file looks something like the following, with one record per line:

0723-18:24:03.388106 ,ICMP Packet with TTL=100,ICMP,192.168.1.100,,192.168.1.2,,0:2:3F:33:C6:98,0:E0:29:89:28:59,0x4A,,,,,,100,0,51367,60,20,8,0,,
0723-18:25:51.608106 ,GET matched,TCP,192.168.1.2,1060,192.168.10.193,,0:E0:29:89:28:59,0:6:25:5B:29:ED,0x189,AP,0x55BCF404,0x8CBF42DD,,0x16D0,64,0,35580,379,20,,,,
0723-18:25:52.008106 ,GET matched,TCP,192.168.1.2,1061,192.168.10.193,,0:E0:29:89:28:59,0:6:25:5B:29:ED,0x1D0,AP,0x55628967,0x8D33FB74,,0x16D0,64,0,63049,450,20,,,,
0723-18:25:52.478106 ,GET matched,TCP,192.168.1.2,1061,192.168.10.193,,0:E0:29:89:28:59,0:6:25:5B:29:ED,0x1D0,AP,0x55628B01,0x8D33FC1B,,0x1920,64,0,63051,450,20,,,,
0723-18:25:52.708106 ,GET matched,TCP,192.168.1.2,1061,192.168.10.193,,0:E0:29:89:28:59,0:6:25:5B:29:ED,0x1EF,AP,0x55628C9B,0x8D33FCC1,,0x1D50,64,0,63053,481,20,,,,
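Reading such a file back is where the fixed field order matters. The following Python is an added example, not code from the book or from Snort: it parses lines in this format into records keyed by the field names of Table 4-3 (which follows), and goes a little beyond the single format shown here, because the same function takes the formatting-option string from the output csv: line and so also handles a reduced format such as timestamp,msg,src,dst. The sample log text inside it is constructed from the records above; the function and constant names are this example's own.

```python
"""Parser for Snort 'output csv' log lines.

Added example, not code from the book or from Snort.  The field order
follows Table 4-3; the sample text below is constructed for this example.
"""
import csv
import io

# Field order produced by "output csv: <file> default" (Table 4-3).
DEFAULT_FIELDS = [
    "timestamp", "msg", "proto", "src", "srcport", "dst", "dstport",
    "ethsrc", "ethdst", "ethlen", "tcpflags", "tcpseq", "tcpack",
    "tcplen", "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Fields that carry numbers; Snort prints some of them in hex (0x...).
NUMERIC_FIELDS = {
    "srcport", "dstport", "ethlen", "tcpseq", "tcpack", "tcplen",
    "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
}

# Constructed sample in the shape of the default-format output.
SAMPLE_DEFAULT = (
    "0723-18:24:03.388106 ,ICMP Packet with TTL=100,ICMP,192.168.1.100,,"
    "192.168.1.2,,0:2:3F:33:C6:98,0:E0:29:89:28:59,0x4A,,,,,,100,0,51367,60,20,8,0,,\n"
    "0723-18:25:51.608106 ,GET matched,TCP,192.168.1.2,1060,192.168.10.193,,"
    "0:E0:29:89:28:59,0:6:25:5B:29:ED,0x189,AP,0x55BCF404,0x8CBF42DD,,0x16D0,"
    "64,0,35580,379,20,,,,\n"
)

# Constructed sample for "output csv: csv_log timestamp,msg,src,dst".
SAMPLE_SUBSET = (
    "0723-19:31:27.128106 ,GET matched,192.168.1.2,192.168.10.193\n"
    "0723-19:31:27.278106 ,GET matched,192.168.1.2,192.168.10.193\n"
)


def _to_int(value):
    """Sequence numbers, window and frame length are written as 0x..., the rest decimal."""
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def parse_csv_log(text, formatting_options="default"):
    """Parse Snort CSV output into a list of dicts keyed by field name.

    formatting_options is the string from the snort.conf line: the keyword
    "default" or the comma-separated field list used there.  Empty fields
    (for example the ports of an ICMP record) become None.  A line with the
    wrong number of fields raises ValueError instead of being mapped onto
    shifted columns, so a rule msg containing a comma cannot push text of
    the rule writer's choosing into the src/dst slots of a downstream
    report.  The timestamp (MMDD-HH:MM:SS.usec, no year) stays a string.
    """
    if formatting_options == "default":
        names = DEFAULT_FIELDS
    else:
        names = [f.strip() for f in formatting_options.split(",")]
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) != len(names):
            raise ValueError(
                f"line {lineno}: expected {len(names)} fields, got {len(row)}")
        record = {}
        for name, raw in zip(names, row):
            value = raw.strip()  # the timestamp carries a trailing space
            if value == "":
                record[name] = None
            elif name in NUMERIC_FIELDS:
                record[name] = _to_int(value)
            else:
                record[name] = value
        records.append(record)
    return records


def count_alerts(records):
    """Count records per (msg, src, dst) triple: the first cut of a triage report."""
    counts = {}
    for r in records:
        key = (r.get("msg"), r.get("src"), r.get("dst"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_csv_log(SAMPLE_DEFAULT):
        print(rec["timestamp"], rec["proto"], rec["src"], rec["srcport"],
              "->", rec["dst"], rec["dstport"], rec["msg"])
    subset = parse_csv_log(SAMPLE_SUBSET, "timestamp,msg,src,dst")
    for key, n in count_alerts(subset).items():
        print(n, key)
```

The strict field-count check is deliberate: the CSV module writes the msg text of the matching rule straight into the second column, so a rule set from an untrusted source can contain commas, and a lenient parser would silently realign every column after it.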
Each line in the output consists of the fields listed in Table 4-3, in that order.

Table 4-3 CSV Options

Name        Description
timestamp   Time stamp including date and time.
msg         Message, taken from the msg option of the rule.
proto       Protocol.
src         Source IP address.
srcport     Source port number. No port number is present in ICMP packets.
dst         Destination IP address.
dstport     Destination port.
ethsrc      Source Ethernet address.
ethdst      Destination Ethernet address.
ethlen      Length of the Ethernet frame.
tcpflags    If the protocol is TCP, this field contains the TCP flags.
tcpseq      TCP sequence number in TCP packets.
tcpack      TCP acknowledgement number.
tcplen      TCP length.
tcpwindow   TCP window size.
ttl         TTL value in the IP header.
tos         Type of Service field of the IP header.
id          Packet ID (the IP identification field).
dgmlen      Datagram length.
iplen       Header length field in the IP header.
icmptype    Type field in the ICMP header.
icmpcode    Code field in the ICMP header.
icmpid      ID field of the ICMP header.
icmpseq     ICMP sequence number.

You can use only a few of these options in the CSV file as required. The following line in snort.conf will record only the timestamp, msg, source and destination IP addresses:

output csv: csv_log timestamp,msg,src,dst

The log entries will then look like the following:

0723-19:31:27.128106 ,GET matched,192.168.1.2,192.168.10.193
0723-19:31:27.278106 ,GET matched,192.168.1.2,192.168.10.193

4.2.9 Unified Logging Output Module

Unified output is good for high-speed logging. You can have alerts and logs going into separate files. The general format of these modules is as follows:

output alert_unified: filename alert_file, \
    limit max_size
output log_unified: filename log_file, \
    limit max_size

The size limit is expressed in megabytes. You should enable both alert and log files to keep a complete record of data, because the alert file does not contain detailed information about the packets. The following two lines in the snort.conf file enable unified output:
output alert_unified: filename unified_alert, limit 50
output log_unified: filename unified_log, limit 200
If no path is specified, the files are created in the /var/log/snort directory. In the above example, the alert file will not grow beyond 50 megabytes and the maximum size of the log file will be 200 megabytes. The number of seconds since the Unix epoch, as returned by the time() function, is appended to the file name, so that new files are created when you restart Snort. Some typical names for alert and log files are:

unified_alert.1039992424
unified_log.1039992424

Unified log files are in a binary format and you need utilities to view them. For a simple hexadecimal display, you can use the hexdump utility on Linux. Barnyard is another tool for this purpose: it runs as a separate process that reads the unified files and performs the slower output (to a database or syslog, for example), so that Snort itself only has to write sequentially to disk. Refer to the Barnyard web site at http://sourceforge.net/projects/barnyard. This tool is also discussed in Chapter 6.
4.2.10 SNMP Traps Output Module

The SNMP traps output module is useful for sending alerts as SNMP traps to a centrally managed network operations center. The Snort SNMP output module can generate both SNMPv2 and SNMPv3 traps. The general format for an SNMPv2 trap is as follows:

output trap_snmp: alert, sensor_ID, {trap|inform} \
    -v snmp_version -p port_number hostname community

The following line sends SNMP version 2c traps to host 192.168.1.3 on port 162, which is the standard port for SNMP traps. The community name used is "public".

output trap_snmp: alert, 8, trap -v 2c -p 162 \
    192.168.1.3 public

You should change the community to a different string. "public" is the default community name and is known to everyone in the SNMP world. Keep in mind that in SNMPv2c the community string is the only form of authentication and it travels in clear text, so a non-default value keeps casual senders out but does not protect the traps from anyone who can sniff the path to the management station; use SNMPv3 where the receiver supports it. Refer to the example lines provided in the snort.conf file for SNMP version 3 traps.

To enable SNMP support in Snort, you have to compile it in at the time you run the configure script. The following configure command line can be used for this purpose:

./configure --prefix=/opt/snort --with-snmp --with-openssl

You also need to compile OpenSSL support into Snort, which is what the --with-openssl option above does. Refer to Chapter 2 for more information about how to build Snort.