README
------
Snort/libpcap interval output patch
Version 0.9
Jan. 2, 2005
zalty@users.sourceforge.net
Project Summary and Downloads: http://sourceforge.net/projects/alert-interval/
This experimental snort/libpcap patch introduces a new output plugin
'alert_interval' that automatically opens a new logfile on a specified
interval. This is accomplished using SIGALRM to briefly interrupt the
packet capture loop and open a new timestamped logfile.
The output interval automatically synchronizes with the system clock. For
example, given a 600 second logging interval, the logfiles will be reopened
at 12:00, 12:10, 12:20, etc. This is of course subject to lag on the alarm
signal itself.
This output plugin also introduces a couple of additional logging features,
including the ability to log tcpdump-style binary packet trace intervals,
and the ability to automatically zlib compress the log files. The format of
the alert file is a simple text markup format which can be parsed by expat
or the like. This patch also modifies the output of the (old) port scan
detector somewhat to better suit interval logging.
Understand that all these modifications introduce additional overhead in
the snort process, which is generally considered a bad thing. The reasoning
behind this is that it is better to perform these functions in the snort
process than to rely on external processes (like perl scripts) to parse
and/or compress event data from a standard snort logfile, since those
external processes will compete with snort for system resources anyway,
especially on an inexpensive, single-processor sensor.
Note that these modifications may not be compatible with other snort
features or output plugins. Use at your own risk.
BUILDING
--------
This patch has been tested on Linux only (Red Hat and Fedora Core; it should
work on other distributions too). You will need zlib installed on the system
to compile with these modifications.
Place libpcap-0.8.3.tar.gz and snort-2.3.0RC2.tar.gz in a directory
(/tmp/src in this example) and place the two patch files into that
directory as well. You can get snort source from http://www.snort.org and
libpcap from http://www.tcpdump.org. Then execute the following:
cd /tmp/src
tar -zxvf libpcap-0.8.3.tar.gz
tar -zxvf snort-2.3.0RC2.tar.gz
patch -p0 < libpcap-0.8.3.int.patch
patch -p0 < snort-2.3.0RC2.int.patch
cd libpcap-0.8.3
./configure
make
cd ../snort-2.3.0RC2
./configure --with-libpcap-libraries=/tmp/src/libpcap-0.8.3 \
            --with-libpcap-includes=/tmp/src/libpcap-0.8.3
make
USING
-----
To use the interval output plugin place the following in your snort.conf
file (sans line breaks):
output alert_interval: 600 1 1 /tmp/tmpalert- /tmp/tmplog- /var/spool/snortlogs/alerts- /var/spool/snortlogs/tcpdump- 68
Parameters:
- Interval (in seconds). Valid values are 1 to the maximum allowed by
SIGALRM.
- Enable tcpdump logging. Valid values are 0 (disabled) or 1 (enabled).
Note that ALL packets are logged, not just trigger packets.
- Use zlib compression. Valid values are 0 (disabled) or 1 (enabled).
- Temp file prefix for alert files. A timestamp will be appended to this.
- Temp file prefix for tcpdump logfiles. A timestamp will be appended to
this.
- Prefix for (closed, completed) alert files. A timestamp will be
appended to this. Must be on the same filesystem as the temp file.
- Prefix for (closed, completed) tcpdump files. A timestamp will be
appended to this. Must be on the same filesystem as the temp file.
- tcpdump "snaplen" (in bytes) for saved logfile. See tcpdump
documentation.
You should specify valid file prefixes for the tcpdump files even if you
have disabled that feature.
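The following is an added example, not code from the alert_interval patch, that shows the two mechanisms the sections above describe: the SIGALRM-driven, clock-synchronised rotation (a 600 second interval rotating at 12:00, 12:10, 12:20) and the temp-prefix / final-prefix pair from the parameter list. The prefixes, the timestamp format, the use of a signal flag checked from the capture loop, and the use of rename(2) (which only works within a single filesystem, an assumed explanation for the same-filesystem requirement) are all choices made for this illustration and are not taken from the patch.

```c
/* Added example: clock-aligned log rotation driven by SIGALRM.
 * Not part of the alert_interval patch; prefixes, timestamp format and
 * the rename-based hand-off are assumptions chosen for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Set by the SIGALRM handler. The capture loop does the file work,
 * because fopen/rename are not async-signal-safe. */
static volatile sig_atomic_t rotate_pending = 0;

static void on_alarm(int sig) { (void)sig; rotate_pending = 1; }

/* Seconds until the next boundary aligned to the wall clock, so a 600 s
 * interval rotates at :00, :10, :20 ... regardless of when snort started. */
unsigned int seconds_to_next_boundary(time_t now, unsigned int interval) {
    return interval - (unsigned int)(now % interval);
}

/* Start of the interval containing 'now'; used to stamp the file name. */
time_t interval_start(time_t now, unsigned int interval) {
    return now - (now % interval);
}

/* prefix + UTC timestamp, e.g. /tmp/tmpalert-20050102-000000 (assumed format) */
int interval_filename(char *buf, size_t buflen, const char *prefix, time_t when) {
    struct tm tmv;
    char stamp[32];
    gmtime_r(&when, &tmv);
    strftime(stamp, sizeof stamp, "%Y%m%d-%H%M%S", &tmv);
    return snprintf(buf, buflen, "%s%s", prefix, stamp);
}

/* Close the finished temp file, move it under the final prefix, open the
 * next temp file. rename(2) is atomic but fails with EXDEV across
 * filesystems, hence both prefixes must live on the same one. */
int rotate_logfile(FILE **fp, const char *tmp_prefix, const char *final_prefix,
                   time_t old_start, time_t new_start) {
    char oldtmp[4096], final[4096], newtmp[4096];
    if (*fp) {
        fclose(*fp);
        *fp = NULL;
        interval_filename(oldtmp, sizeof oldtmp, tmp_prefix, old_start);
        interval_filename(final, sizeof final, final_prefix, old_start);
        if (rename(oldtmp, final) != 0) return -1;
    }
    interval_filename(newtmp, sizeof newtmp, tmp_prefix, new_start);
    *fp = fopen(newtmp, "w");
    return *fp ? 0 : -1;
}

/* Check helper: does prefix+stamp(when) equal 'expected'? */
int filename_is(const char *prefix, time_t when, const char *expected) {
    char buf[4096];
    interval_filename(buf, sizeof buf, prefix, when);
    return strcmp(buf, expected) == 0;
}

/* Two rotations end to end on a constructed timestamp. Returns 1 if the
 * first interval's file ended up under the final prefix. Cleans up after. */
int rotation_roundtrip(const char *tmp_prefix, const char *final_prefix) {
    FILE *fp = NULL;
    char final[4096], tmp2[4096];
    time_t t0 = 1104624000; /* constructed: 2005-01-02 00:00:00 UTC */
    if (rotate_logfile(&fp, tmp_prefix, final_prefix, 0, t0) != 0) return 0;
    fputs("<alert/>\n", fp); /* stand-in for one markup record */
    if (rotate_logfile(&fp, tmp_prefix, final_prefix, t0, t0 + 600) != 0) return 0;
    fclose(fp);
    interval_filename(final, sizeof final, final_prefix, t0);
    interval_filename(tmp2, sizeof tmp2, tmp_prefix, t0 + 600);
    int ok = access(final, F_OK) == 0;
    unlink(final);
    unlink(tmp2);
    return ok;
}

/* Stand-in for the packet capture loop: rotate on three alarms, then exit. */
int main(void) {
    const unsigned int interval = 2;
    FILE *fp = NULL;
    time_t cur = interval_start(time(NULL), interval);
    struct sigaction sa;
    sigset_t block, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigaction(SIGALRM, &sa, NULL);
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old); /* avoid the alarm/pause race */
    if (rotate_logfile(&fp, "/tmp/tmpalert-", "/tmp/alerts-", 0, cur) != 0) return 1;
    for (int rotations = 0; rotations < 3; rotations++) {
        alarm(seconds_to_next_boundary(time(NULL), interval));
        while (!rotate_pending) sigsuspend(&old); /* pcap_dispatch would sit here */
        rotate_pending = 0;
        time_t next = interval_start(time(NULL), interval);
        if (rotate_logfile(&fp, "/tmp/tmpalert-", "/tmp/alerts-", cur, next) != 0) return 1;
        cur = next;
    }
    fclose(fp);
    return 0;
}
```

Keeping the handler down to setting a flag, and doing the fclose/rename/fopen in the loop, is what makes the "briefly interrupt the packet capture loop" step safe: a handler that calls stdio directly can deadlock or corrupt the stream if the alarm lands inside a write.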
DISCLAIMER
----------
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
See the LICENSE file(s).
Snort - http://www.snort.org
libpcap - http://www.tcpdump.org