Snort command line output modes

Snort command line output modes, as described here, are usually selected for testing purposes or demonstrations.

Command line output modes refer to situations where an operator activates a specific output option via a command line flag. Command line output options override any output selection present in the snort.conf file. When deployed in production, most operators designate an output method in their snort.conf file. Command line output modes are usually selected for testing purposes or demonstrations.

FAST mode

The first command line output mode is FAST mode. FAST writes a timestamp, alert generation identifier, alarm, and IP addresses and ports associated with an alert. FAST mode is activated by the -A fast switch. In this and all subsequent examples, I tell Snort to read a trace in Libpcap format called www.testmyids.com.lpc. I collected this trace while visiting www.testmyids.com, a simple Web site that triggers an "ATTACK-RESPONSES id check returned root" alert.

cel433:/usr/local/snort-2.6.1.4# bin/snort -c 
snort.conf.2.6.1.4 -r www.testmyids.com.lpc 
-l /tmp/so/fast -A fast
Running in IDS mode
...edited...
Snort exiting

In FAST mode Snort writes a text alert file and the packets that caused the alert in a file named snort.log.TIMESTAMP. Packet contents are written by default in Libpcap format. Older versions of Snort wrote packet contents to disk in ASCII format. I recommend always writing packet contents in Libpcap format, because this allows inspection by a variety of tools that understand Libpcap, like Wireshark.

In this and most subsequent examples I show the contents of the alert file. I also read the snort.log.TIMESTAMP file using TCPdump to show its contents.

cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/fast/
alert                   snort.log.1177523679

cel433:/usr/local/snort-2.6.1.4# cat /tmp/so/fast/alert 
04/24-15:50:29.236253  [**] [1:498:6]  
ATTACK-RESPONSES id check returned root [**] 
[Classification: Potentially Bad Traffic] [Priority: 2]
{TCP} 82.165.50.118:80 -> 69.143.202.28:39929

cel433:/usr/local/snort-2.6.1.4# tcpdump -n 
-r /tmp/so/fast/snort.log.1177523679 reading from file 
/tmp/so/fast/snort.log.1177523679, link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 
3604239913:3604240199(286) ack 3547882099 win 6432

As you can see from the alert file and the packet contents, a packet from 82.165.50.118 port 80 TCP to 69.143.202.28 port 39929 TCP triggered Snort alert "ATTACK-RESPONSES id check returned root". The item [1:498:6] means the alert was created by generator 1, which is the Snort rule subsystem. In contrast, an alert generated by the Stream4 preprocessor would bear generator ID 111. A list of generator IDs can be found in the etc/generators file packaged with Snort. The event ID is indicated by 498. A mapping of event IDs to rules is located in the etc/sid-msg.map file. Finally, 6 indicates the sixth revision of the rule.

FULL mode

In FULL mode, Snort gives the same information found in FAST mode, with additional alert details as shown:

cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 
-r www.testmyids.com.lpc -l /tmp/so/full -A full
Running in IDS mode
...edited...
Snort exiting

Again, an alert file and snort.log.TIMESTAMP trace are created. Notice the new timestamp. Every invocation of Snort creates a file with a new timestamp.

cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/full
alert                   snort.log.1177523813

In FULL mode more offending packet details are present.

cel433:/usr/local/snort-2.6.1.4# cat /tmp/so/full/alert 
[**] [1:498:6] ATTACK-RESPONSES id check returned root 
[**][Classification: Potentially Bad Traffic] [Priority: 2] 
04/24-15:50:29.236253 82.165.50.118:80 -> 69.143.202.28:39929
TCP TTL:48 TOS:0x20 ID:52671 IpLen:20 DgmLen:326 DF
***AP*** Seq: 0xD6D45629  Ack: 0xD3786273  Win: 0x1920  TcpLen: 20

The same information is provided in the snort.log.TIMESTAMP trace.

cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r 
/tmp/so/full/snort.log.1177523813 
reading from file /tmp/so/full/snort.log.1177523813, 
link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 
3604239913:3604240199(286) ack 3547882099 win 6432

CONSOLE mode

In CONSOLE mode, Snort writes alerts to the console. This mode is not for production use. I don't even use it for testing, because I'm likely to miss alerts as they scroll by.

cel433:/usr/local/snort-2.6.1.4# bin/snort 
-c snort.conf.2.6.1.4 -r www.testmyids.com.lpc 
-l /tmp/so/console -A console
Running in IDS mode
...edited...
04/24-15:50:29.236253  [**] [1:498:6] 
ATTACK-RESPONSES id check returned root [**] 
[Classification: Potentially Bad Traffic] [Priority: 2] 
{TCP} 82.165.50.118:80 -> 69.143.202.28:39929
...edited...
Snort exiting

No alert file is created. However, Snort writes a snort.log.TIMESTAMP trace.

cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/console
snort.log.1177524370
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r 
/tmp/so/console/snort.log.1177524370 reading from file 
/tmp/so/console/snort.log.1177524370, link-type 
EN10MB (Ethernet) 15:50:29.236253 IP 82.165.50.118.80 > 
69.143.202.28.39929: P 3604239913:3604240199(286) 
ack 3547882099 win 6432

CMG mode

CMG is a custom mode written by an early Snort developer. It writes the alert details of FULL mode and packet contents to screen. Here we can see the contents of the offending packet that has been triggering Snort.

cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 
-r www.testmyids.com.lpc -l /tmp/so/cmg -A cmg
Running in IDS mode
...edited...
04/24-15:50:29.236253  [**] [1:498:6] ATTACK-RESPONSES id check 
returned root [**] [Classification: Potentially Bad Traffic] 
[Priority: 2] {TCP} 82.165.50.118:80 -> 69.143.202.28:39929 
04/24-15:50:29.236253 0:1:5C:22:AA:C2 -> 0:2:B3:A:CD:5E 
type:0x800 len:0x154
82.165.50.118:80 -> 69.143.202.28:39929 TCP TTL:48 TOS:0x20 
ID:52671 IpLen:20 DgmLen:326 DF
***AP*** Seq: 0xD6D45629  Ack: 0xD3786273  Win: 0x1920  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 54 75 65 2C 20 32 34 20 41  .Date: Tue, 24 A
70 72 20 32 30 30 37 20 31 39 3A 35 30 3A 34 34  pr 2007 19:50:44
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 2F 31 2E 33 2E 33 33 20 28 55 6E 69  ache/1.3.33 (Uni
78 29 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65  x)..Last-Modifie
64 3A 20 4D 6F 6E 2C 20 31 35 20 4A 61 6E 20 32  d: Mon, 15 Jan 2
30 30 37 20 32 33 3A 31 31 3A 35 35 20 47 4D 54  007 23:11:55 GMT
0D 0A 45 54 61 67 3A 20 22 39 62 33 30 36 30 37  ..ETag: "9b30607
2D 32 37 2D 34 35 61 63 30 61 33 62 22 0D 0A 41  -27-45ac0a3b"..A
63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79  ccept-Ranges: by
74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  tes..Content-Len
67 74 68 3A 20 33 39 0D 0A 43 6F 6E 6E 65 63 74  gth: 39..Connect
69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74  ion: close..Cont
65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68  ent-Type: text/h
74 6D 6C 0D 0A 0D 0A 75 69 64 3D 30 28 72 6F 6F  tml....uid=0(roo
74 29 20 67 69 64 3D 30 28 72 6F 6F 74 29 20 67  t) gid=0(root) g
72 6F 75 70 73 3D 30 28 72 6F 6F 74 29 0A        roups=0(root).
...edited...
Snort exiting

In CMG mode, Snort does not write an alert file nor a snort.log.TIMESTAMP file. This mode is for testing purposes only.

cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/cmg/

NONE mode

When run in NONE mode, Snort logs no alerts. Snort will report if activity generated an alert, but it will not save that alert information, nor will it write the alerts to the console.

cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 
-r www.testmyids.com.lpc -l /tmp/so/none -A none
Running in IDS mode
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting

Snort does save the offending packet in a snort.log.TIMESTAMP file, however.

cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/none
snort.log.1177524211
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r 
/tmp/so/none/snort.log.1177524211 
reading from file /tmp/so/none/snort.log.1177524211, 
link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: 
P 3604239913:3604240199(286) ack 3547882099 win 6432

CONSOLE -N

Snort can be explicitly told to not write offending packets to disk with the -N switch. In the following example, I invoke CONSOLE mode to write alerts to the screen, but disable creation of a snort.log.TIMESTAMP file.

cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 
-r www.testmyids.com.lpc -l /tmp/so/consolen -A console -N
Running in IDS mode
...edited...
04/24-15:50:29.236253  [**] [1:498:6] ATTACK-RESPONSES 
id check returned root [**] [Classification: Potentially Bad Traffic] 
[Priority: 2] {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting

Here the log directory is entry, thanks to -N.

cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/consolen/

SYSLOG

When called from the command line, SYSLOG mode sends alerts to the localhost Syslog server. The -s switch takes no arguments. The localhost needs to be running a Syslog server on port 514 UDP.

cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r 
www.testmyids.com.lpc -l /tmp/so/fullsyslog/ -s
Running in IDS mode
...edited...
snort.conf.2.6.1.4(798) => No arguments to alert_syslog preprocessor!
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting

As you can see, Snort reported an error and mentioned the alert_syslog preprocessor. I reported this to Marty Roesch, who called it a "buglet." It has no effect on the desired outcome. The error message may be removed from future versions of Snort.

In SYSLOG mode, Snort writes an alert in FAST syntax to the auth.log file.

cel433:/usr/local/snort-2.6.1.4# grep snort /var/log/auth.log 
Apr 25 14:46:10 cel433 snort: [1:498:6] ATTACK-RESPONSES 
id check returned root [Classification: Potentially Bad Traffic] 
[Priority: 2]: {TCP} 82.165.50.118:80 -> 69.143.202.28:39929

Snort saves the offending packet in a snort.log.TIMESTAMP file, as is common with other modes. No alert file is created.

cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/fullsyslog/
snort.log.1177526766
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r 
/tmp/so/fullsyslog/snort.log.1177526766 
reading from file /tmp/so/fullsyslog/snort.log.1177526766, 
link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 
3604239913:3604240199(286) ack 3547882099 win 6432

Snort also supports writing to a Unix socket via the -A unsock option. This option is used by programs like FLop and QuIDScor. I recommend reading the documentation for those programs if you want to use the Unix socket, since it's not a common output method.

This concludes the command line output modes. Now we turn to some of the output options called from the snort.conf file.

Dig Deeper on MSP technology services

MicroScope
Security
Storage
Networking
Cloud Computing
Data Management
Business Analytics
Close