Snort Alert Modes
67
Approximate round trip times in milli seconds:
Minimum = 3ms, Maximum = 3ms, Average = 3ms
C:\rrehman>
The -n 1 command line option is used to send only one ICMP packet. The -i 100 option
is used to set the TTL value equal to 100 in the ICMP packet. For details on the format
of ICMP packet headers, refer to RFC 792 at ftp://ftp.isi.edu/in-notes/rfc792.txt or
Appendix C.
Whenever this command is executed, Snort captures the ICMP packet and creates
an alert. The amount of information logged with the alert depends on the particular
alerting mode. Now let us see how different alerting modes work on a packet.
2.8.1 Fast Mode
The fast alert mode logs the alert with following information:
Timestamp
Alert message (configurable through rules)
Source and destination IP addresses
Source and destination ports
To configure fast alert mode, you have to use the -A fast command line option.
This alert mode causes less overhead for the system. The following command starts
Snort in fast alert mode:
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A fast
The -q option used on the command line stops the initial messages and the final
statistical summary from being displayed on the screen. Now when you create an alert,
it will be logged in the /var/log/snort/alert file. However, you can change the
location of this file using the -l command line option. The alert message is similar
to the following:
05/28-22:16:25.126150 [**] [1:0:0] Ping with TTL=100 [**]
{ICMP} 192.168.1.100 -> 192.168.1.3
This alert message shows the following information:
Date and time the alert occurred.
Message present in the rule that generated this alert. In this example, the
message is Ping with TTL=100.
Source address which is 192.168.1.100.
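A small parser for the -A fast line format shown above, added here as an example and not code from the book. It assumes the Snort 2 fast-alert layout, in which a line may also carry optional [Classification: ...] and [Priority: n] fields and src/dst ports, none of which appear in this page's ICMP example; the second sample line below is constructed to exercise those fields.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed Snort 2 "-A fast" layout: timestamp, [**] [gid:sid:rev] msg [**],
# optional [Classification: ...] and [Priority: n], {PROTO}, src[:port] -> dst[:port].
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class FastAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    message: str
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None      # absent for ICMP, as in the page's example
    dport: Optional[int] = None
    priority: Optional[int] = None   # absent when the rule sets no priority


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_fast_alert(line: str) -> Optional[FastAlert]:
    """Parse one -A fast line; return None for lines that are not alerts."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return FastAlert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        message=m["msg"], protocol=m["proto"], src=m["src"], dst=m["dst"],
        sport=_opt_int(m["sport"]), dport=_opt_int(m["dport"]), priority=_opt_int(m["prio"]),
    )


def parse_fast_alert_log(text: str) -> List[FastAlert]:
    """Parse a whole alert file, skipping lines that do not match the format."""
    return [a for a in (parse_fast_alert(l) for l in text.splitlines()) if a]


# Constructed sample: line 1 is the page's ICMP alert, line 2 is invented, line 3 is noise.
SAMPLE_LOG = """\
05/28-22:16:25.126150 [**] [1:0:0] Ping with TTL=100 [**] {ICMP} 192.168.1.100 -> 192.168.1.3
05/28-22:17:01.000001 [**] [1:1000001:2] Constructed TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43210 -> 192.168.1.3:22
this line is not an alert
"""
```

Running `parse_fast_alert_log(SAMPLE_LOG)` yields two FastAlert records and silently drops the third line, which is the behaviour you want when tailing a live alert file that may contain partial writes.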