preprocessor arpspoof_detect_host: 192.168.1.13 \
34:45:fd:3e:a2:01
If in any ARP packet these two addresses don't match, an alert will be generated.
You can use multiple lines in the configuration file to create many similar pairs.
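The pair check described above can be sketched as follows. This is an added example, not Snort's own code or code from the original text: it reads arpspoof_detect_host lines (including the backslash continuation) and compares them with observed ARP sender addresses. Every address other than the 192.168.1.13 pair is constructed, and the function names are hypothetical.

```python
import re

# Constructed snort.conf excerpt; only the first pair comes from the text above.
SAMPLE_CONF = """\
preprocessor arpspoof_detect_host: 192.168.1.13 \\
34:45:fd:3e:a2:01
preprocessor arpspoof_detect_host: 192.168.1.1 00:11:22:33:44:55
"""

# Constructed (sender IP, sender MAC) values as they would appear in ARP packets.
SAMPLE_ARP = [
    ("192.168.1.13", "34:45:FD:3E:A2:01"),  # matches, different letter case
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # contradicts the configured pair
    ("192.168.1.50", "aa:bb:cc:dd:ee:ff"),  # no pair configured, not checked
]

PAIR_RE = re.compile(
    r"^preprocessor\s+arpspoof_detect_host:\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*$")


def load_pairs(conf_text):
    """Return {ip: mac} from arpspoof_detect_host lines, joining '\\' continuations."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", conf_text)
    pairs = {}
    for line in joined.splitlines():
        m = PAIR_RE.match(line.strip())
        if m:
            pairs[m.group(1)] = m.group(2).lower()
    return pairs


def check_arp(pairs, observations):
    """Return (ip, expected_mac, seen_mac) for each observation that contradicts a pair."""
    alerts = []
    for ip, mac in observations:
        expected = pairs.get(ip)
        if expected is not None and expected != mac.lower():
            alerts.append((ip, expected, mac.lower()))
    return alerts


if __name__ == "__main__":
    for ip, expected, seen in check_arp(load_pairs(SAMPLE_CONF), SAMPLE_ARP):
        print(f"ARP mismatch for {ip}: expected {expected}, saw {seen}")
```

Hosts without a configured pair are never flagged, which is why each address you want protected needs its own line.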
4.2 Output Modules
Output modules are used to control the output from the Snort detection engine. By
default, the output from alerts and logs goes into files in the /var/log/snort directory.
Using output modules, you can process output and send output messages to a number
of other destinations. Commonly used output modules are:
The database module is used to store Snort output data in databases.
The SNMP module can be used to send Snort alerts in the form of traps to a
management server.
The SMB alerts module can send alerts to Microsoft Windows machines in the
form of pop-up SMB alert windows.
The syslog module logs messages to the syslog utility. Using this module you
can log messages to a centralized logging server.
You can also use XML or CSV modules to save data in XML or comma-separated
files. The CSV files can then be imported into databases or
spreadsheet software for further processing or analysis.
Output modules can be defined in the Snort configuration file, and some of them
can also be configured on the command line. The general format for defining
an output module inside the configuration file is as follows:
output <module_name>[: arguments]
For example, if you want to log messages to a MySQL database called snort, using
database user name rr and password rr, located on the same machine where Snort is
running, you use the following line in the snort.conf file.
output database: log, mysql, user=rr password=rr \
dbname=snort host=localhost
However, when you use an output module in the configuration file, alerts will not
go into the alert file. Once you place this line in the snort.conf file, all alerts will go
into the MySQL database. There are ways to send alerts to multiple destinations.