Chapter 2     Installing Snort and Getting Started
  • Destination address, which is 192.168.1.3.
  • Type of packet; in the above example, the type of packet is ICMP.
Note that the actual packet is not logged in this file when using this alert mode.
2.8.2 Full Mode
This is the default alert mode. It prints the alert message in addition to the packet
header. Let us start Snort with full alerting enabled with the following command:
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A full
When Snort generates an alert in this mode, the message logged in the
/var/log/snort/alert file is similar to the following:
[**] [1:0:0] Ping with TTL=100 [**]
05/28-22:14:37.766150 192.168.1.100 -> 192.168.1.3
ICMP TTL:100 TOS:0x0 ID:40172 IpLen:20 DgmLen:60
Type:8  Code:0  ID:768   Seq:20224  ECHO
As you can see, additional information is logged with the alert message. This
additional information shows different values in the packet header, including:
  • Time to Live (TTL) value in the IP packet header. For details on the TTL value,
refer to RFC 791 at ftp://ftp.isi.edu/in-notes/rfc791.txt
  • The Type Of Service (TOS) value in the IP packet header. For details on the TOS
value, refer to RFC 791 at ftp://ftp.isi.edu/in-notes/rfc791.txt and Appendix C.
  • Length of the IP packet header, shown as IpLen:20.
  • Total length of the IP packet, shown as DgmLen:60.
  • ICMP Type field. For details on the ICMP type field, refer to RFC 792.
  • ICMP Code value. For details on the ICMP code field, refer to RFC 792.
  • IP packet ID.
  • Sequence number.
  • ICMP packet type, which is ECHO.
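Because a full-mode record always has the same line layout (rule header, timestamp and addresses, IP header fields, then protocol fields), it is straightforward to turn the alert file into structured data for counting or correlating alerts. The following parser is an added example written for this page, not Snort's own code; its sample input repeats the ICMP record quoted above and adds a constructed TCP record to show the host:port form that Snort uses for TCP and UDP alerts.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in Snort's full alert format: the ICMP alert from the text
# plus a hypothetical TCP alert (sid 1) to exercise the host:port syntax.
SAMPLE_ALERT_FILE = """\
[**] [1:0:0] Ping with TTL=100 [**]
05/28-22:14:37.766150 192.168.1.100 -> 192.168.1.3
ICMP TTL:100 TOS:0x0 ID:40172 IpLen:20 DgmLen:60
Type:8  Code:0  ID:768   Seq:20224  ECHO

[**] [1:1:0] Example TCP alert [**]
05/28-22:15:01.000001 192.168.1.100:4444 -> 192.168.1.3:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:40
"""

# Line 1: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
# Line 2: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
# Line 3: PROTO TTL:n TOS:0xNN ID:n IpLen:n DgmLen:n
IP_RE = re.compile(
    r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
# Line 4 (ICMP only): Type:n Code:n [ID:n] [Seq:n] description
ICMP_RE = re.compile(
    r"^Type:(\d+)\s+Code:(\d+)(?:\s+ID:(\d+))?(?:\s+Seq:(\d+))?\s*(.*)$")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    timestamp: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    proto: Optional[str] = None
    ttl: Optional[int] = None
    tos: Optional[int] = None
    ip_id: Optional[int] = None
    ip_len: Optional[int] = None
    dgm_len: Optional[int] = None
    icmp: Optional[Dict[str, object]] = None


def _endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_alerts(text: str) -> List[Alert]:
    """Parse blank-line-separated full-mode records; skips anything else."""
    alerts: List[Alert] = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in record.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        h, a = HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1])
        if not (h and a):
            continue  # fast-mode line or truncated record: not handled here
        src, sport = _endpoint(a.group(2))
        dst, dport = _endpoint(a.group(3))
        alert = Alert(int(h.group(1)), int(h.group(2)), int(h.group(3)),
                      h.group(4), a.group(1), src, sport, dst, dport)
        if len(lines) > 2 and (ip := IP_RE.match(lines[2])):
            alert.proto = ip.group(1)
            alert.ttl, alert.tos = int(ip.group(2)), int(ip.group(3), 16)
            alert.ip_id, alert.ip_len = int(ip.group(4)), int(ip.group(5))
            alert.dgm_len = int(ip.group(6))
        if len(lines) > 3 and alert.proto == "ICMP" and (ic := ICMP_RE.match(lines[3])):
            alert.icmp = {
                "type": int(ic.group(1)),
                "code": int(ic.group(2)),
                "id": int(ic.group(3)) if ic.group(3) else None,
                "seq": int(ic.group(4)) if ic.group(4) else None,
                "kind": ic.group(5).strip() or None,
            }
        alerts.append(alert)
    return alerts


def count_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Alert count per source address: a quick view of who trips most rules."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERT_FILE):
        print(alert)
    print(count_by_source(parse_alerts(SAMPLE_ALERT_FILE)))
```

Feed it the contents of /var/log/snort/alert instead of the sample string to summarise a real alert file. Fast-mode lines are deliberately skipped rather than mis-parsed, since they carry no packet header; a record whose third line does not match IP_RE is kept with the header fields only.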
2.8.3 UNIX Socket Mode
If you use the -A unsock command line option with Snort, you can send alerts to
another program through UNIX sockets. This is useful when you want to process alerts
using a custom application with Snort. For more information on sockets, use the man
socket command.
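A minimal consumer for that mode is a program that binds a UNIX datagram socket before Snort starts and reads one datagram per alert. The listener below is an added example for this page, not part of Snort; it assumes (this page does not state the wire layout) that each datagram begins with a fixed 256-byte, NUL-padded alert message field, which is the ALERTMSG_LENGTH of Snort 2.x's Alertpkt structure, and it uses /var/run/snort_alert as a placeholder socket path that you should adjust to where your Snort build creates the socket. The loopback helper exercises the decoder offline over a socketpair.

```python
import os
import socket

# Assumption: leading fixed-size message field of an -A unsock datagram
# (ALERTMSG_LENGTH in Snort 2.x). Adjust if your build differs.
ALERTMSG_LENGTH = 256
# Placeholder path; set it to the socket your Snort build creates.
SOCKET_PATH = "/var/run/snort_alert"


def decode_alert_message(datagram: bytes) -> str:
    """Return the NUL-terminated alert text from the start of a datagram."""
    text, _, _ = datagram[:ALERTMSG_LENGTH].partition(b"\x00")
    return text.decode("ascii", errors="replace")


def receive_one(sock: socket.socket, bufsize: int = 65536) -> str:
    """Block for one datagram on a bound AF_UNIX SOCK_DGRAM socket."""
    return decode_alert_message(sock.recv(bufsize))


def serve(path: str = SOCKET_PATH, handler=print) -> None:
    """Bind the listener, then hand every alert message to handler forever.

    Start this before Snort so the socket exists when Snort connects. Keep the
    socket's directory writable only by the Snort user and this consumer, so
    no other local process can inject fabricated alerts.
    """
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.bind(path)
        try:
            while True:
                handler(receive_one(sock))
        finally:
            os.unlink(path)


def make_test_datagram(msg: str) -> bytes:
    """Constructed datagram with the assumed leading layout plus a dummy trailer."""
    body = msg.encode("ascii")[: ALERTMSG_LENGTH - 1]
    return body.ljust(ALERTMSG_LENGTH, b"\x00") + b"\x00" * 64


def loopback_demo(msg: str) -> str:
    """Send a constructed datagram through a socketpair and decode it."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        tx.send(make_test_datagram(msg))
        return receive_one(rx)
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    print(loopback_demo("Ping with TTL=100"))
```

Only the message text is decoded here; the remainder of the datagram (packet header and payload) is left untouched because its exact layout depends on the Snort build and is not described on this page.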