140 Chapter 4 • Plugins, Preprocessors and Output Modules N O T E In addition to the above line, you also need to configure MySQL database and create tables. Discussion about this process is the subject of the next chapter. Another example of using output modules is as follows. This line in the snort.conf file will cause alerts to be sent as SMB pop-up windows to a list of hosts located in the workstation.list file. output alert_smb: workstation.list Sometimes you may want to send alerts to multiple locations. Defining your own action using the ruletype keyword is a good idea. For example, the following lines in the snort.conf file will define an action type called “smb_db_alert” that will cause alerts to be sent to both the database and SMB pop-up windows for rules that use this action type. ruletype smb_db_alert { type alert output alert_smb: workstation.list output database: log, mysql, user=rr password=rr \ dbname=snort host=localhost } The following rule uses this new action type. Alerts generated by this rule will go to MySQL database as well as to the Windows machine in the form of pop-up windows. smb_db_alert icmp any any - 192.168.1.024 any \ fragbits: D; msg: Dont Fragment bit set; You can also use command line options with some output modules. For example, you can use -s option to log alerts to Syslog.

4.2.1 The alert_syslog Output Module

Syslog is a system logging daemon available on almost all UNIX systems. It uses a configuration file etcsyslog.conf where you can define different parameters to determine what happens when a message for a defined facility is received. A detailed discussion of Syslog is beyond the scope of this book and you should refer to the man- ual pages of syslogd and syslog.conf. The alert_syslog module allows you to send alerts to the syslog facility. The Syslog daemon can also be used to forward alerts to some other host as well if you need centralized logging. The following is the general format for using this module. output alert_syslog: facility priority options Output Modules 141 Facility names that can be used with this module are: • LOG_AUTH • LOG_AUTHPRIV • LOG_DAEMON • LOG_LOCAL0 • LOG_LOCAL1 • LOG_LOCAL2 • LOG_LOCAL3 • LOG_LOCAL4 • LOG_LOCAL5 • LOG_LOCAL6 • LOG_LOCAL7 • LOG_USER Priorities that are available with this module are: • LOG_EMERG • LOG_ALERT • LOG_CRIT • LOG_ERR • LOG_WARNING • LOG_NOTICE • LOG_INFO • LOG_DEBUG Note that LOG_EMERG is the highest priority and LOG_DEBUG is the lowest priority. Options that you can use with this module are: • LOG_CONS • LOG_NDELAY • LOG_PERROR • LOG_PID Note that you have to configure Syslog daemon on your host to properly utilize this module. On Linux systems, read the manual pages for sysklogd for a detailed dis- cussion of how to configure and use the daemon. The configuration is done through the