Snorts output facilities

Snort basically has two ways to spit out data. The Snort developers identify these with the technical sounding term output facilities instead of the more colloquial data spitters. You can tell Snort to

1 Alert you when an attack is happening, complete with information on

• Where to find more information about the attack 1 Log the actual packets of the attack, showing

• MAC addresses

• Packet payload

Usually, Snort can simultaneously send alerts and log data.

The alert facility

The alert facility is used by Snort to tell you when the network traffic matches the criteria defined in a rule. Well, okay, it won't grab you by the ears and yell, "You're getting hacked!" But here's an example of what it might say (all names and IP addresses have been changed to protect the innocent, not to mention the less-than-innocent):

01/20-22:34:35.218093 [**] [1:469:1] ICMP PING NMAP [**] [Classification:

Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.68 -> 172.16.34.18

This is your Snort box telling you that someone out there is using nmap, a network-security scanning tool, to ping your system — a sure sign that a port scan will shortly follow!

The preceding code says more than "You're getting pinged." In addition to a few jazzy asterisks, it includes

1 Date and time (including the microsecond appended to the second itself)

1 The SID (Snort ID), an identifier indicating which rule was tripped. This is written in the following format:

[sig_generator:sig_id:sig_revision]

• sig_generator indicates which part of Snort generated the alert

• sig_id is the Snort signature ID, which indicates which rule was tripped

• sig_revision is the revision number of this rule 1 A brief text message

1 Classification and priority of the attack 1 The protocol of the packet that tripped the rule 1 Source and destination IP addresses involved

Whew, that's a lot! And that's just for the alert_fast output module, which prints a minimum of information. Other modules will print the MAC addresses, TCP flags, or even the packet payload in ASCII or hex. The options aren't limitless, but Snort can print enough detail to satisfy even the most hardcore wire head.

The log facility

The log facility doesn't sound any alarms. It quietly logs all of the packet information relevant to this particular attack. There are times when you may want to log attack data without generating alerts. For example, running Snort as a souped-up packet sniffer. Here's the same Nmap ping logged by the logging facility. It shows the details of the port scan to port 80 as well:

01/14-19:42:03.114656 0:10:67:0:B2:50 -> 0:A0:CC:D2:10:31 type:0x800 len:0x3C 192.168.1.68 -> 172.16.34.18 ICMP TTL:37 TOS:0x0 ID:44936 IpLen:20 DgmLen:28

Type:8 Code:0 ID:13988 Seq:7720 ECHO =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/14-19:42:03.114717 0:A0:CC:D2:10:31 -> 0:10:67:0:B2:50 type:0x800 len:0x2A 172.16.34.18 -> 192.168.1.68 ICMP TTL:255 TOS:0x0 ID:2734 IpLen:20 DgmLen:28

Type:0 Code:0 ID:13988 Seq:7720 ECHO REPLY =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/14-19:42:03.115157 0:10:67:0:B2:50 -> 0:A0:CC:D2:10:31 type:0x800 len:0x3C 192.168.1.68:50488 -> 172.16.34.18:80 TCP TTL:36 TOS:0x0 ID:3836 IpLen:20 DgmLen:40

***A**** Seq: 0x3C4A079E Ack: 0x498A079E Win: 0x800 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/14-19:42:03.115194 0:A0:CC:D2:10:31 -> 0:10:67:0:B2:50 type:0x800 len:0x36 172.16.34.18:80 -> 192.168.1.68:50488 TCP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF

*****r** Seq: 0x498A079E Ack: 0x0 Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/14-19:42:03.420876 0:10:67:0:B2:50 -> 0:A0:CC:D2:10:31 type:0x800 len:0x3C 192.168.1.68:50468 -> 172.16.34.18:80 TCP TTL:41 TOS:0x0 ID:64826 IpLen:20 DgmLen:40

******S* Seq: 0x6E30F501 Ack: 0x0 Win: 0xC00 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/14-19:42:03.420964 0:A0:CC:D2:10:31 -> 0:10:67:0:B2:50 type:0x800 len:0x3A 172.16.34.18:80 -> 192.168.1.68:50468 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:44 DF

***A**s* Seq: 0xAC878D4E Ack: 0x6E30F502 Win: 0x16D0 TcpLen: 24

TCP Options (1) => MSS: 1460 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/14-19:42:03.459314 0:10:67:0:B2:50 -> 0:A0:CC:D2:10:31 type:0x800 len:0x3C 192.168.1.68:50468 -> 172.16.34.18:80 TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF

*****r** Seq: 0x6E30F502 Ack: 0x0 Win: 0x0 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If you'll run Snort as an Intrusion Detection System, you need to generate alerts. Most of the time you'll want to log relevant packet information as well so you can trace the steps of an attack packet by packet.

Was this article helpful?

0 0

Post a comment