Chapter 4 Plugins, Preprocessors and Output Modules
output alert_unified: filename unified_alert, limit 50
output log_unified: filename unified_log, limit 200
If no path is specified, the files are created in the /var/log/snort directory. In
the above example, the alert file will not grow beyond 50 MBytes and the maximum
size of the log file will be 200 MBytes. The number of seconds returned by the time()
function is appended to the file name, so that when you restart Snort, new files are
created instead of the old ones being overwritten. Some typical names for alert and log files are:
unified_alert.1039992424
unified_log.1039992424
Unified log files are in binary format, so you need a utility to view them. For a
simple hexadecimal display, you can use the hexdump utility on Linux. Barnyard is
another tool for this purpose; refer to the Barnyard web site at
http://sourceforge.net/projects/barnyard/. This tool is also discussed in Chapter 6.
4.2.10 SNMP Traps Output Module
The SNMP traps output module is very useful for sending alerts as SNMP traps to a
centrally managed network operations center. The Snort SNMP output module can generate
both SNMPv2 and SNMPv3 traps. The general format of an SNMPv2 trap line is as follows:
output trap_snmp: alert, <sensor_id>, {trap|inform} \
    -v <snmp_version> -p <port> <host> <community>
The following line sends SNMP version 2c traps from sensor ID 8 to host 192.168.1.3 on port 162,
which is the standard port for SNMP traps. The community name used is public.
output trap_snmp: alert, 8, trap -v 2c -p 162 \
    192.168.1.3 public
You should change the community to a different string. Public is the default community
name and is known to everyone in the SNMP world. Refer to the example lines
provided in the snort.conf file for SNMP version 3 traps.
To enable SNMP support in Snort, you have to compile it into Snort at the time
you run the configure script. The following configure script command line can be used
for this purpose.
./configure --prefix=/opt/snort --with-snmp --with-openssl
You also need to compile OpenSSL support in Snort. Refer to Chapter 2 for more
information about how to build Snort.
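As an added example (not code from the book or from the Snort project), the following Python script parses the three output directives discussed in this section, `alert_unified`, `log_unified` and `trap_snmp`, from a snort.conf fragment and flags the weak settings a reviewer would look for: a trap line that still sends the default community `public`, and a unified output with no explicit size limit. The configuration text, the helper names and the "default limit" wording are constructed for this example; SNMPv3 user and authentication flags are skipped rather than interpreted, since their format is only covered by the snort.conf comments the book refers to.

```python
"""Checker for the Snort output directives shown above (added example)."""
import re
import shlex

# Constructed sample; mirrors the lines discussed in this section.
SAMPLE_CONF = """\
# constructed sample snort.conf output section
output alert_unified: filename unified_alert, limit 50
output log_unified: filename unified_log, limit 200
output trap_snmp: alert, 8, trap -v 2c -p 162 \\
    192.168.1.3 public
"""

DEFAULT_COMMUNITY = "public"          # well-known default, should never ship
UNIFIED_NAME = re.compile(r"^(?P<base>.+)\.(?P<epoch>\d{9,10})$")


def unified_file_epoch(name):
    """Split 'unified_alert.1039992424' into its base name and time() suffix."""
    m = UNIFIED_NAME.match(name)
    return (m.group("base"), int(m.group("epoch"))) if m else (name, None)


def join_continuations(text):
    """Merge backslash-continued lines and drop comments/blank lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return [l for l in logical if l and not l.startswith("#")]


def parse_unified(args):
    """'filename unified_alert, limit 50' -> {'filename': ..., 'limit_mb': 50}"""
    opts = {}
    for part in args.split(","):
        key, _, value = part.strip().partition(" ")
        opts[key] = value.strip()
    return {"filename": opts.get("filename"),
            "limit_mb": int(opts["limit"]) if "limit" in opts else None}


def parse_trap_snmp(args):
    """'alert, 8, trap -v 2c -p 162 host community' -> dict of fields."""
    fields = [f.strip() for f in args.split(",")]
    facility, sensor_id, rest = fields[0], int(fields[1]), fields[2]
    tokens = shlex.split(rest)
    info = {"facility": facility, "sensor_id": sensor_id, "kind": tokens[0],
            "version": None, "port": 162, "host": None, "community": None}
    positional, i = [], 1
    while i < len(tokens):
        if tokens[i] == "-v":
            info["version"] = tokens[i + 1]
            i += 2
        elif tokens[i] == "-p":
            info["port"] = int(tokens[i + 1])
            i += 2
        elif tokens[i].startswith("-"):
            i += 2                    # SNMPv3 options (user, auth, priv) are not interpreted
        else:
            positional.append(tokens[i])
            i += 1
    if positional:
        info["host"] = positional[0]
    # A community string is only present for v1/v2c; v3 uses user credentials.
    if info["version"] in ("1", "2c") and len(positional) > 1:
        info["community"] = positional[1]
    return info


def parse_outputs(text):
    """Return one dict per recognised 'output <module>: <args>' directive."""
    outputs = []
    for line in join_continuations(text):
        m = re.match(r"output\s+(\w+)\s*:\s*(.*)", line)
        if not m:
            continue
        module, args = m.group(1), m.group(2)
        if module in ("alert_unified", "log_unified"):
            outputs.append({"module": module, **parse_unified(args)})
        elif module == "trap_snmp":
            outputs.append({"module": module, **parse_trap_snmp(args)})
    return outputs


def find_weak_settings(text):
    """List human-readable findings for the weak settings discussed above."""
    findings = []
    for out in parse_outputs(text):
        if out["module"] == "trap_snmp" and out["community"] == DEFAULT_COMMUNITY:
            findings.append(f"trap_snmp to {out['host']} uses the default community "
                            f"'{DEFAULT_COMMUNITY}'")
        if out["module"].endswith("_unified") and out["limit_mb"] is None:
            findings.append(f"{out['module']} {out['filename']} has no explicit size limit")
    return findings


if __name__ == "__main__":
    for finding in find_weak_settings(SAMPLE_CONF) or ["no weak settings found"]:
        print(finding)
```

Run against the sample, the checker reports the `public` community on the trap line and nothing for the two unified outputs, which both carry explicit limits; replacing the community string with a site-specific value clears the finding.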