Snort command line output modes
Snort command line output modes, as described here, are usually selected for testing purposes or demonstrations.
Command line output modes refer to situations where an operator activates a specific output option via a command line flag. Command line output options override any output selection present in the snort.conf file. When deployed in production, most operators designate an output method in their snort.conf file. Command line output modes are usually selected for testing purposes or demonstrations.
FAST mode
The first command line output mode is FAST mode. FAST writes a timestamp, alert generation identifier, alarm, and IP addresses and ports associated with an alert. FAST mode is activated by the -A fast switch. In this and all subsequent examples, I tell Snort to read a trace in Libpcap format called www.testmyids.com.lpc. I collected this trace while visiting www.testmyids.com, a simple Web site that triggers an "ATTACK-RESPONSES id check returned root" alert.
cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/fast -A fast
Running in IDS mode
...edited...
Snort exiting
In FAST mode Snort writes a text alert file and the packets that caused the alert in a file named snort.log.TIMESTAMP. Packet contents are written by default in Libpcap format. Older versions of Snort wrote packet contents to disk in ASCII format. I recommend always writing packet contents in Libpcap format, because this allows inspection by a variety of tools that understand Libpcap, like Wireshark.
In this and most subsequent examples I show the contents of the alert file. I also read the snort.log.TIMESTAMP file using TCPdump to show its contents.
cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/fast/
alert snort.log.1177523679
cel433:/usr/local/snort-2.6.1.4# cat /tmp/so/fast/alert
04/24-15:50:29.236253 [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r /tmp/so/fast/snort.log.1177523679
reading from file /tmp/so/fast/snort.log.1177523679, link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 3604239913:3604240199(286) ack 3547882099 win 6432
As you can see from the alert file and the packet contents, a packet from 82.165.50.118 port 80 TCP to 69.143.202.28 port 39929 TCP triggered Snort alert "ATTACK-RESPONSES id check returned root". The item [1:498:6] means the alert was created by generator 1, which is the Snort rule subsystem. In contrast, an alert generated by the Stream4 preprocessor would bear generator ID 111. A list of generator IDs can be found in the etc/generators file packaged with Snort. The event ID is indicated by 498. A mapping of event IDs to rules is located in the etc/sid-msg.map file. Finally, 6 indicates the sixth revision of the rule.
FULL mode
In FULL mode, Snort gives the same information found in FAST mode, with additional alert details as shown:
cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/full -A full
Running in IDS mode
...edited...
Snort exiting
Again, an alert file and snort.log.TIMESTAMP trace are created. Notice the new timestamp. Every invocation of Snort creates a file with a new timestamp.
cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/full
alert snort.log.1177523813
In FULL mode, more details about the offending packet (IP and TCP header fields) are present.
cel433:/usr/local/snort-2.6.1.4# cat /tmp/so/full/alert
[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/24-15:50:29.236253 82.165.50.118:80 -> 69.143.202.28:39929
TCP TTL:48 TOS:0x20 ID:52671 IpLen:20 DgmLen:326 DF
***AP*** Seq: 0xD6D45629  Ack: 0xD3786273  Win: 0x1920  TcpLen: 20
The same information is provided in the snort.log.TIMESTAMP trace.
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r /tmp/so/full/snort.log.1177523813
reading from file /tmp/so/full/snort.log.1177523813, link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 3604239913:3604240199(286) ack 3547882099 win 6432
CONSOLE mode
In CONSOLE mode, Snort writes alerts to the console. This mode is not for production use. I don't even use it for testing, because I'm likely to miss alerts as they scroll by.
cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/console -A console
Running in IDS mode
...edited...
04/24-15:50:29.236253 [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
...edited...
Snort exiting
No alert file is created. However, Snort writes a snort.log.TIMESTAMP trace.
cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/console
snort.log.1177524370
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r /tmp/so/console/snort.log.1177524370
reading from file /tmp/so/console/snort.log.1177524370, link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 3604239913:3604240199(286) ack 3547882099 win 6432
CMG mode
CMG is a custom mode written by an early Snort developer. It writes the alert details of FULL mode, followed by a hex and ASCII dump of the packet payload, to the screen. Here we can see the contents of the offending packet that triggered the Snort alert: an HTTP response whose body is the output of the id command, uid=0(root) gid=0(root) groups=0(root).
cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/cmg -A cmg
Running in IDS mode
...edited...
04/24-15:50:29.236253 [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
04/24-15:50:29.236253 0:1:5C:22:AA:C2 -> 0:2:B3:A:CD:5E type:0x800 len:0x154
82.165.50.118:80 -> 69.143.202.28:39929 TCP TTL:48 TOS:0x20 ID:52671 IpLen:20 DgmLen:326 DF
***AP*** Seq: 0xD6D45629  Ack: 0xD3786273  Win: 0x1920  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 54 75 65 2C 20 32 34 20 41  .Date: Tue, 24 A
70 72 20 32 30 30 37 20 31 39 3A 35 30 3A 34 34  pr 2007 19:50:44
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 2F 31 2E 33 2E 33 33 20 28 55 6E 69  ache/1.3.33 (Uni
78 29 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65  x)..Last-Modifie
64 3A 20 4D 6F 6E 2C 20 31 35 20 4A 61 6E 20 32  d: Mon, 15 Jan 2
30 30 37 20 32 33 3A 31 31 3A 35 35 20 47 4D 54  007 23:11:55 GMT
0D 0A 45 54 61 67 3A 20 22 39 62 33 30 36 30 37  ..ETag: "9b30607
2D 32 37 2D 34 35 61 63 30 61 33 62 22 0D 0A 41  -27-45ac0a3b"..A
63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79  ccept-Ranges: by
74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  tes..Content-Len
67 74 68 3A 20 33 39 0D 0A 43 6F 6E 6E 65 63 74  gth: 39..Connect
69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74  ion: close..Cont
65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68  ent-Type: text/h
74 6D 6C 0D 0A 0D 0A 75 69 64 3D 30 28 72 6F 6F  tml....uid=0(roo
74 29 20 67 69 64 3D 30 28 72 6F 6F 74 29 20 67  t) gid=0(root) g
72 6F 75 70 73 3D 30 28 72 6F 6F 74 29 0A        roups=0(root).
...edited...
Snort exiting
In CMG mode, Snort writes neither an alert file nor a snort.log.TIMESTAMP file; the log directory stays empty. This mode is for testing purposes only.
cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/cmg/
NONE mode
When run in NONE mode, Snort logs no alerts. Snort will report if activity generated an alert, but it will not save that alert information, nor will it write the alerts to the console.
cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/none -A none
Running in IDS mode
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting
Snort does save the offending packet in a snort.log.TIMESTAMP file, however.
cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/none
snort.log.1177524211
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r /tmp/so/none/snort.log.1177524211
reading from file /tmp/so/none/snort.log.1177524211, link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 3604239913:3604240199(286) ack 3547882099 win 6432
CONSOLE -N
Snort can be explicitly told to not write offending packets to disk with the -N switch. In the following example, I invoke CONSOLE mode to write alerts to the screen, but disable creation of a snort.log.TIMESTAMP file.
cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/consolen -A console -N
Running in IDS mode
...edited...
04/24-15:50:29.236253 [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting
Here the log directory is empty, thanks to -N. Note that Action Stats still reports LOGGED: 1; the counter reflects the logging decision, not whether a packet actually reached disk.
cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/consolen/
SYSLOG
When called from the command line, SYSLOG mode sends alerts to the Syslog server on localhost. The -s switch takes no arguments. The local host needs to be running a Syslog server listening on port 514 UDP.
cel433:/usr/local/snort-2.6.1.4# bin/snort -c snort.conf.2.6.1.4 -r www.testmyids.com.lpc -l /tmp/so/fullsyslog/ -s
Running in IDS mode
...edited...
snort.conf.2.6.1.4(798) => No arguments to alert_syslog preprocessor!
...edited...
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
...edited...
Snort exiting
As you can see, Snort reported an error and mentioned the alert_syslog preprocessor. I reported this to Marty Roesch, who called it a "buglet." It has no effect on the desired outcome. The error message may be removed from future versions of Snort.
In SYSLOG mode, Snort writes an alert in FAST syntax, prefixed by the usual Syslog timestamp, hostname and program name, to the auth.log file (on this system; the destination file depends on how the local Syslog server is configured).
cel433:/usr/local/snort-2.6.1.4# grep snort /var/log/auth.log
Apr 25 14:46:10 cel433 snort: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
Snort saves the offending packet in a snort.log.TIMESTAMP file, as is common with other modes. No alert file is created.
cel433:/usr/local/snort-2.6.1.4# ls /tmp/so/fullsyslog/
snort.log.1177526766
cel433:/usr/local/snort-2.6.1.4# tcpdump -n -r /tmp/so/fullsyslog/snort.log.1177526766
reading from file /tmp/so/fullsyslog/snort.log.1177526766, link-type EN10MB (Ethernet)
15:50:29.236253 IP 82.165.50.118.80 > 69.143.202.28.39929: P 3604239913:3604240199(286) ack 3547882099 win 6432
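The FAST alert line and the syslog line shown above carry the same fields ([gid:sid:rev], message, classification, priority, protocol, addresses and ports) behind different prefixes. The parser below is an added example, not code from this article or from the Snort project; its patterns are written from the two sample lines on this page and, as an assumption beyond what the page shows, also accept a missing [Classification] bracket, an optional snort[pid] tag in syslog, and port-less protocols such as ICMP.

```python
import re
from typing import Dict, List, Optional

# Field layout shared by the FAST alert file and the syslog line after their prefixes:
# [gid:sid:rev] msg [**]? [Classification: ...]? [Priority: n]:? {PROTO} src[:port] -> dst[:port]
_FIELDS = (
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+(?:\[\*\*\]\s+)?"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# FAST alert file: "MM/DD-HH:MM:SS.usec [**] <fields>"
_FAST = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+" + _FIELDS)
# syslog (auth.log): "Mon DD HH:MM:SS host snort[pid]: <fields>"; the [pid] tag is assumed optional
_SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+snort(?:\[\d+\])?:\s+" + _FIELDS
)
_INT_FIELDS = ("gid", "sid", "rev", "prio", "sport", "dport")


def parse_alert_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one FAST or syslog alert line into a dict; return None for any other line."""
    for source, pattern in (("fast", _FAST), ("syslog", _SYSLOG)):
        m = pattern.match(line.strip())
        if m:
            rec = m.groupdict()
            for k in _INT_FIELDS:  # ports stay None for port-less protocols (assumed, e.g. ICMP)
                rec[k] = int(rec[k]) if rec[k] is not None else None
            rec["source"] = source
            return rec
    return None


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Parse an alert file or a grep'd syslog extract, skipping non-alert lines."""
    return [r for r in map(parse_alert_line, text.splitlines()) if r is not None]


# Constructed sample: the FAST and syslog lines shown on this page plus one unrelated syslog line.
SAMPLE = """\
04/24-15:50:29.236253 [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
Apr 25 14:46:10 cel433 snort: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 82.165.50.118:80 -> 69.143.202.28:39929
Apr 25 14:46:11 cel433 sshd[2041]: Accepted publickey for analyst from 10.0.0.5 port 50122
"""

if __name__ == "__main__":
    for r in parse_alerts(SAMPLE):
        print(f"{r['source']:6} [{r['gid']}:{r['sid']}:{r['rev']}] prio={r['prio']} "
              f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}  {r['msg']}")
```

The gid/sid pair each record carries is what you would join against etc/generators and etc/sid-msg.map to name the source and rule of an alert.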
Snort also supports writing to a Unix socket via the -A unsock option. This option is used by programs like FLop and QuIDScor. I recommend reading the documentation for those programs if you want to use the Unix socket, since it's not a common output method.
This concludes the command line output modes. Now we turn to some of the output options called from the snort.conf file.