
I'm confused about snort outputs. Where are the output file(s) supposed to be specified?

OR, more specifically, I've got two files being written (alert and snort.log.xxx), but only have one output file specified (snort.log.xx) and am expecting only one output file (snort.log.xx).

Where's the alert file coming from?

As an aside, barnyard2 is not running at this time.

thanks in advance!


Details:

The files being written are:

$ ls -la /var/snort/eth4

drwxrwxr-x+ 3 snort snort     4096 Oct 11 10:08 .
drwxr-xr-x. 3 snort snort     4096 Oct 11 10:03 ..
-rw-rw-r--+ 1 snort snort 12535192 Oct 11 10:22 alert                 <-
-rw-rw-r--+ 1 snort snort  1345798 Oct  9 03:28 alert-20111009.gz
-rw-rw-r--+ 1 snort snort  1488789 Oct 10 03:36 alert-20111010.gz
-rw-rw-r--+ 1 snort snort  1195682 Oct 11 03:40 alert-20111011.gz
drwxrwxr-x+ 2 snort snort     4096 Oct 11 03:40 archive
-rw-rw-r--+ 1 snort snort   357148 Oct 11 10:22 snort.log.1318356523  <-

But my /etc/snort/snort.conf only has one 'output' config directive:

   output unified2: filename snort.log, limit 128

And since this is Red Hat, I have to use both /etc/sysconfig/snort and /etc/init.d/snortd to figure out what the '-l' target is, which I figure is:

/var/snort/eth4

Here's the output of ps ax | grep snort:

6851 ?        Ssl    0:51 /usr/sbin/snort -A fast -b -d -D -I -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/snort/eth4

Examining the two files, alert looks like an ASCII list of anomalies, and snort.log.xxx looks like a binary file, presumably a capture of the data stream?

So where's the alert file coming from?

user52874

2 Answers

The Snort application has a pretty robust logging subsystem. By enabling the unified log format you should be, and are, seeing two types of logs:

  1. alert file - contains high level information regarding the event
  2. log file - contains much more detailed information including a packet dump

Both files are written to disk in binary format. While this makes it harder for the analyst to review, it is significantly faster for the application. For a little more, albeit not much, information the Snort Docs for the unified output plugin would be a worthwhile read.

If you want a raw text version of the triggered alerts, I would recommend the syslog output type. This is one of the more flexible options, since it allows you to manage your logging on the host instead of in the application. In addition, since you have the -d command line switch flipped, a capture of each packet that triggers an alert will be saved in pcap format. This still gives you good information to use in false positive analysis.

Scott Pack

The alert file logs the alerts when a captured packet matches a rule. It comes from... -A fast, which you specify when starting Snort.

quanta
  • So, from this (and from some other googling) I'm guessing that the name of the alerts file is, and always will be, 'alert' or 'alert_'. That's just what it is. So there is no config spec for the name of the alerts file. Is this correct? – user52874 Oct 12 '11 at 17:11
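The ASCII alert file that -A fast writes (the one the question and quanta's answer discuss) is the file an analyst usually triages first. The parser and priority summary below are an added example, not code from the original thread or from Snort itself; the sample alert lines are constructed, the SIDs and messages are illustrative, and the placement of the <iface> tag that -I adds is an assumption.

```python
import re
from collections import Counter

# One line of Snort's "-A fast" alert output (Snort 2.x layout). The optional
# "<iface>" group is an assumption about where the -I interface tag appears.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+(?:<(?P<iface>[^>]+)>\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"(?:\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?\s*$"
)

def _endpoint(ep, proto):
    """Split 'ip:port' into (ip, port) for TCP/UDP; ICMP and non-IP alerts carry no port."""
    if ep is not None and proto in ("TCP", "UDP") and ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None

def parse_fast_line(line):
    """Parse one fast-format alert line into a dict; None if the line does not match."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    src_ip, src_port = _endpoint(m["src"], m["proto"])
    dst_ip, dst_port = _endpoint(m["dst"], m["proto"])
    return {"ts": m["ts"], "iface": m["iface"], "gid": int(m["gid"]), "sid": int(m["sid"]),
            "rev": int(m["rev"]), "msg": m["msg"], "classification": m["cls"],
            "priority": int(m["prio"]), "proto": m["proto"], "src_ip": src_ip,
            "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

def summarize(lines, max_priority=2):
    """Count alerts per (gid, sid, msg) with priority <= max_priority (1 is most severe)."""
    counts = Counter()
    for line in lines:
        a = parse_fast_line(line)
        if a is not None and a["priority"] <= max_priority:
            counts[(a["gid"], a["sid"], a["msg"])] += 1
    return counts

# Constructed sample lines (not from the original post); SIDs and messages are illustrative.
SAMPLE_ALERTS = [
    "10/11-10:22:15.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.20:52211",
    "10/11-10:22:16.000001 <eth4> [**] [1:408:5] ICMP Echo Reply [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.20",
    "10/11-10:22:17.500000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.12:80 -> 198.51.100.20:52212",
    "this line is not an alert",
]
```

Feed it `open('/var/snort/eth4/alert')` instead of SAMPLE_ALERTS to get a quick count of high-priority signatures without a unified2 reader or barnyard2.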