Output modules are new as of version 1.6. They allow Snort to be much more flexible in the formatting and presentation of output to its users. The output modules are run when the alert or logging subsystems of Snort are called, after the preprocessors and detection engine. The format of the directives in the rules file is very similar to that of the preprocessors.
Multiple output plugins may be specified in the Snort configuration file. When multiple plugins of the same type (log, alert) are specified, they are stacked and called in sequence when an event occurs. As with the standard logging and alerting systems, output plugins send their data to /var/log/snort by default or to a user directed directory (using the -l command line switch).
Output modules are loaded at runtime by specifying the output keyword in the rules file:
output <name>: <options>
This module sends alerts to the syslog facility (much like the -s command line switch). This module also allows the user to specify the logging facility and priority within the Snort rules file, giving users greater flexibility in logging alerts.
alert_syslog: <facility> <priority> <options>
NOTE
output alert_syslog: [host=<hostname[:<port>],] <facility> <priority> <options>
This will print Snort alerts in a quick one-line format to a specified output file. It is a faster alerting method than full alerts because it doesn't need to print all of the packet headers to the output file
alert_fast: <output filename>
This will print Snort alert messages with full packet headers. The alerts will be written in the default logging directory (/var/log/snort) or in the logging directory specified at the command line.
Inside the logging directory, a directory will be created per IP. These files will be decoded packet dumps of the packets that triggered the alerts. The creation of these files slows Snort down considerably. This output method is discouraged for all but the lightest traffic situations.
alert_full: <output filename>
Sets up a UNIX domain socket and sends alert reports to it. External programs/processes can listen in on this socket and receive Snort alert and packet data in real time. This is currently an experimental interface.
alert_unixsock
The log_tcpdump module logs packets to a tcpdump-formatted file. This is useful for performing post-process analysis on collected traffic with the vast number of tools that are available for examining tcpdump-formatted files. This module only takes a single argument: the name of the output file. Note that the file name will have the UNIX timestamp in seconds appended the file name. This is so that data from separate Snort runs can be kept distinct.
log_tcpdump: <output filename>
This module from Jed Pickel sends Snort data to a variety of SQL databases.
More information on installing and configuring this module can be
found on the [91]incident.org web page. The arguments to this
plugin are the name of the database to be logged to and a parameter
list. Parameters are specified with the format parameter = argument.
see Figure for example usage.
database: <log | alert>, <database type>, <parameter list>The following parameters are available:
There are five database types available in the current version of the plugin. These are mssql, mysql, postgresql, oracle, and odbc. Set the type to match the database you are using.
NOTE
The csv output plugin allows alert data to be written in a format easily importable to a database. The plugin requires 2 arguments: a full pathname to a file and the output formatting option.
The list of formatting options is below. If the formatting option is default, the output is in the order the formatting option is listed.
output alert_csv: <filename> <format>
The unified output plugin is designed to be the fastest possible method of logging Snort events. The unified output plugin logs events in binary format, allowing another programs to handle complex logging mechanisms that would otherwise diminish the performance of Snort.
The name unified is a misnomer, as the unified output plugin creates two different files, an alert file, and a log file. The alert file contains the high-level details of an event (eg: IPs, protocol, port, message id). The log file contains the detailed packet information (a packet dump with the associated event ID). Both file types are written in a bimary format described in spo_unified.h.
NOTE
output alert_unified: <base file name> [, <limit <file size limit in MB>] output log_unified: <base file name> [, <limit <file size limit in MB>]
Sometimes it is useful to be able to create rules that will alert to certain types of traffic but will not cause packet log entries. In Snort 1.8.2, the log_null plugin was introduced. This is equivalent to using the -n command line option but it is able to work within a ruletype.
output log_null