NIDS Mode Output Options

There are a number of ways to configure the output of Snort in NIDS mode. The default logging and alerting mechanisms are to log in decoded ASCII format and use full alerts. The full alert mechanism prints out the alert message in addition to the full packet headers. There are several other alert output modes available at the command line, as well as two logging facilities. Alert modes are somewhat more complex. There are seven alert modes available at the command line: full, fast, socket, syslog, console, cmg, and none. Six of these modes are accessed with the -A command line switch. These options are:
Packets can be logged to their default decoded ASCII format or to a binary log file via the -b command line switch. To disable packet logging altogether, use the -N command line switch. For output modes available through the configuration file, see Section 2.4.
To send alerts to syslog, use the -s switch. The default facilities for the syslog alerting mechanism are LOG_AUTHPRIV and LOG_ALERT. If you want to configure other facilities for syslog output, use the output plugin directives in the rules files. See Section 2.4.1 for more details on configuring syslog output. For example, use the following command line to log to the default (decoded ASCII) facility and send alerts to syslog:
./snort -c snort.conf -l ./log -h 192.168.1.0/24 -s

As another example, use the following command line to log to the default facility in /var/log/snort and send alerts to a fast alert file:
./snort -c snort.conf -A fast -h 192.168.1.0/24
Steven Sturges 2008-04-01