Home > Examining unified Snort output
Snort IDS tips for VARs and systems integrators:
EMAIL THIS

Examining unified Snort output

11 Jul 2007 | SearchSecurityChannel.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

Let's take a look at unified output. We'll use a methodology similar to that in our last Snort Report, namely processing a saved Libpcap file that should trigger one alert. In order to enable unified output, we uncomment these entries in the snort.conf.2.6.1.4 file. (This is simply a renamed copy of the snort.conf that ships with Snort 2.6.1.4.)

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

Next we run Snort.

cel433:/usr/local/snort-2.6.1.4# bin/snort -c 
snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/unified/
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting

Now the following exist in the specified log directory.

cel433:/tmp/so/unified# ls -al
total 8
drwxr-xr-x   2 root  wheel  512 Jun  1 15:47 .
drwxr-xr-x  11 root  wheel  512 Jun  1 15:41 ..
-rw-------   1 root  wheel   80 Jun  1 15:47 snort.alert.1180727255
-rw-------   1 root  wheel  420 Jun  1 15:47 snort.log.1180727255

Here are the contents of snort.alert.TIMESTAMP as rendered by hd(1).

Obviously we need help decoding the contents of this file!

Here are the contents of snort.log.TIMESTAMP as rendered by hd(1).

This file is also difficult to interpret, although the packet details are visible. Layer 7 content appears on line 0x80 with HTTP/1.1 and is easily recognized. Layer 2 content, starting with destination MAC address, starts at line 0x50 with 00 02 b3 0a cd 5e.

A look at the actual offending packet using TCPdump and its -XX switch reveals the same traffic:

Now that we have alerts and logs in unified format, the question becomes what do we do with them?


Working with unified output

 Introduction
 Examining unified output
 Unified output readers
 Barnyard processing alerts
 Barnyard processing logs
 Barnyard working with databases

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


HomeNewsTopicsITKnowledge ExchangeTipsMultimediaWhite PapersBlogsEvents
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts