I'm confused about snort outputs. Where are the output file(s) supposed to be specified?
Or, more specifically, I've got two files being written (alert and snort.log.xxx), but only have one output file specified (snort.log.xx) and am expecting only one output file (snort.log.xx).
Where's the alert file coming from?
As an aside, barnyard2 is not running at this time.
Thanks in advance!
Details:
Files being written are:
$ ls -la /var/snort/eth4
drwxrwxr-x+ 3 snort snort 4096 Oct 11 10:08 .
drwxr-xr-x. 3 snort snort 4096 Oct 11 10:03 ..
-rw-rw-r--+ 1 snort snort 12535192 Oct 11 10:22 alert <-
-rw-rw-r--+ 1 snort snort 1345798 Oct 9 03:28 alert-20111009.gz
-rw-rw-r--+ 1 snort snort 1488789 Oct 10 03:36 alert-20111010.gz
-rw-rw-r--+ 1 snort snort 1195682 Oct 11 03:40 alert-20111011.gz
drwxrwxr-x+ 2 snort snort 4096 Oct 11 03:40 archive
-rw-rw-r--+ 1 snort snort 357148 Oct 11 10:22 snort.log.1318356523 <-
But my /etc/snort/snort.conf only has one 'output' config directive:
output unified2: filename snort.log, limit 128
And since this is Red Hat, I have to use both /etc/sysconfig/snort and /etc/init.d/snortd to figure out where the target '-l' is, which I figure is:
/var/snort/eth4
Here's the ps ax | grep snort output:
6851 ? Ssl 0:51 /usr/sbin/snort -A fast -b -d -D -I -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/snort/eth4
Examining the two files, alert looks like an ASCII list of anomalies, and snort.log.xxx looks like a binary file, presumably of datastream capture?
So where's the alert file coming from?
Best Answer
The Snort application has a pretty robust logging subsystem. By enabling the unified log format you should be, and are, seeing two types of logs:
Both files are written to disk in binary format. While this makes it harder for the analyst to review, it is significantly faster for the application. For a little more, albeit not much, information, the Snort Docs for the unified output plugin would be a worthwhile read.
If you want a raw text version of the triggered alerts, I would recommend the syslog output type. This is one of the more flexible, since it allows you to manage your logging on the host instead of the application. In addition, since you have the -d command line switch flipped, a capture of each packet that triggers an alert will be saved in pcap format. This still gives you good information to use in false positive analysis.
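
Added example, not part of the original question or answer and not Snort's own code: a way to check what each file in the -l directory actually contains by looking at its first bytes, including gzip-rotated copies such as alert-20111009.gz. The function names and sample bytes are constructed for illustration, and the unified2 check is a heuristic because that format has no file-level magic number.

```python
import gzip
import os
import re
import struct
import sys

# pcap global-header magic: usec and nsec variants, both byte orders
PCAP_MAGICS = {bytes.fromhex(h) for h in
               ("d4c3b2a1", "a1b2c3d4", "4d3cb2a1", "a1b23c4d")}
# unified2 has no file magic; every record starts with a big-endian
# (type, length) pair. Record type values as defined in the Snort 2.9 source.
UNIFIED2_TYPES = {1, 2, 7, 72, 99, 100, 104, 105, 110}
# "-A fast" line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...
FAST_ALERT = re.compile(
    rb"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]")

# Constructed samples (not taken from the poster's files)
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_U2 = struct.pack(">II", 7, 52) + bytes(52)
SAMPLE_FAST = (b"10/11-10:22:03.123456  [**] [1:1000001:1] constructed rule "
               b"[**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80\n")


def classify(head: bytes) -> str:
    """Heuristically name the Snort output format from a file's first bytes."""
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if len(head) >= 8:
        rtype, rlen = struct.unpack(">II", head[:8])
        if rtype in UNIFIED2_TYPES and 0 < rlen < (1 << 20):
            return "unified2"
    return "fast-alert" if FAST_ALERT.match(head) else "unknown"


def classify_file(path: str) -> str:
    """Classify a file on disk, looking inside gzip-rotated copies."""
    with open(path, "rb") as fh:
        gz = fh.read(2) == b"\x1f\x8b"
    with (gzip.open if gz else open)(path, "rb") as fh:
        kind = classify(fh.read(256))
    return "gzip:" + kind if gz else kind


if __name__ == "__main__":
    for blob in (SAMPLE_PCAP, SAMPLE_U2, SAMPLE_FAST):
        print(blob[:8].hex(), "->", classify(blob))
    for path in sys.argv[1:]:          # e.g. /var/snort/eth4/*
        if os.path.isfile(path):
            print(path, "->", classify_file(path))
```

Run it with the files under the -l directory as arguments to see which format each one is; with no arguments it classifies only the constructed samples.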