Output Modules
143
4.2.2 The alert_full Output Module
The alert_full module logs full alert messages in a file. The following line
will log all alert messages to the alert_detailed file under the Snort logging directory.
output alert_full: alert_detailed
However, keep in mind that full logging has its own disadvantages as well. Especially
in high-speed networks, enabling full alerts consumes a significant amount of
time to log data into a file, causing some packets to be ignored by the detection engine.
Note that, as mentioned earlier, you can log messages to multiple destinations
using a new action type. The following lines in the snort.conf file define an action type
multi. When this action type is used in any rule, the message is sent as an SMB
pop-up window to the hosts listed in the workstation.list file, as well as to the file
alert_detailed.
ruletype multi
{
   type alert
   output alert_smb: workstation.list
   output alert_full: alert_detailed
}
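A custom action type is only as safe as the list of outputs it fans out to, and the performance caveat above means an administrator will want to know which action types still carry alert_full. The following added example (not code from the book or from Snort itself) parses ruletype blocks out of a snort.conf fragment and reports each block's base type and output modules. The SAMPLE_CONF text is constructed for the example: it contains the multi action type shown above plus a second, hypothetical quick_only type, and a commented-out output line to confirm that comments are ignored.

```python
import re
from typing import Dict, List

# Constructed snort.conf fragment: the "multi" action type from the text plus a
# second, hypothetical one used only to exercise the parser.
SAMPLE_CONF = """\
# custom action types
ruletype multi
{
   type alert
   output alert_smb: workstation.list
   output alert_full: alert_detailed
}

ruletype quick_only
{
   type alert
   # output alert_full: old_detailed   (commented out, must be ignored)
   output alert_fast: alert_quick
}
"""

# One ruletype block: a name followed by a brace-delimited body (no nesting).
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.DOTALL)
# A "type" or "output" line inside the body; a leading '#' makes it a comment,
# so the anchored patterns below will not match commented-out lines.
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*$", re.MULTILINE)
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_ruletypes(conf: str) -> Dict[str, dict]:
    """Map each ruletype name to its base type and its ordered list of outputs."""
    result: Dict[str, dict] = {}
    for m in RULETYPE_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        t = TYPE_RE.search(body)
        result[name] = {
            "type": t.group(1) if t else None,
            "outputs": [(mod, arg) for mod, arg in OUTPUT_RE.findall(body)],
        }
    return result


def ruletypes_using(conf: str, module: str) -> List[str]:
    """Names of the action types that fan out to the given output module."""
    return sorted(
        name for name, info in parse_ruletypes(conf).items()
        if any(mod == module for mod, _ in info["outputs"])
    )


if __name__ == "__main__":
    for name, info in parse_ruletypes(SAMPLE_CONF).items():
        print(f"ruletype {name} (type {info['type']}):")
        for mod, arg in info["outputs"]:
            print(f"    {mod} -> {arg}")
    # Action types that still write full alerts deserve a second look on busy links.
    print("action types using alert_full:", ruletypes_using(SAMPLE_CONF, "alert_full"))
```

Run it against a real snort.conf by replacing SAMPLE_CONF with the file's contents; the list returned by ruletypes_using(conf, "alert_full") is the set of action types to revisit on a high-speed sensor.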
4.2.3 The alert_fast Output Module
Like alert_full, alert_fast also takes a file name as an argument for storing data. It
is fast compared to full alerting. Packet headers are not saved in the alert file. The
following line in the snort.conf file enables one-line alert messages to be stored in the
alert_quick file.
output alert_fast: alert_quick
This mode is useful for high-speed intrusion detection applications of Snort.
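Because alert_fast writes one line per alert, its file is the natural feed for a script that counts noisy sources or pulls out the most severe events. The following added example (not code from the book or from Snort) parses such a file. The one-line layout it expects, timestamp, [**], [gid:sid:rev], message, [**], an optional [Classification: ...], [Priority: n], {PROTO} and source -> destination, is an assumption of the example and is not shown on the page, so adjust the regular expression to match the alert file your Snort version actually produces. It handles the two edge cases a practitioner hits first: alerts without a classification and ICMP alerts that carry no ports. The SAMPLE_ALERTS lines are constructed, not captured alerts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout of one alert_fast line (an assumption of this example; the
# page above does not show the format):
#   MM/DD-HH:MM:SS.micros  [**] [gid:sid:rev] message [**]
#   [Classification: text] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# Classification is optional; ICMP alerts have no ports. IPv4 only, so that the
# address grammar stays unambiguous.
ALERT_FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert_line(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for a line that does not match."""
    m = ALERT_FAST_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"],
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        message=g["msg"],
        classification=g["cls"],
        priority=int(g["prio"]),
        proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def parse_alert_fast(text: str) -> List[Alert]:
    """Parse a whole alert file, skipping lines that are not alerts."""
    alerts = []
    for line in text.splitlines():
        a = parse_alert_line(line)
        if a is not None:
            alerts.append(a)
    return alerts


def count_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Alerts per source address; a quick way to spot one noisy host."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


def high_priority(alerts: List[Alert], threshold: int = 1) -> List[Alert]:
    """Alerts whose priority number is at or below threshold (1 is most severe)."""
    return [a for a in alerts if a.priority <= threshold]


# Constructed sample lines in the assumed format (not real captured alerts).
SAMPLE_ALERTS = """\
09/24-11:43:12.123456  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:45122 -> 10.0.0.5:80
09/24-11:43:13.000100  [**] [1:1000002:2] LOCAL icmp sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.10 -> 10.0.0.5
this line is not an alert and is skipped
09/24-11:44:01.555000  [**] [1:1000003:1] LOCAL ssh retries [**] [Priority: 3] {TCP} 192.168.1.11:51000 -> 10.0.0.5:22
"""

if __name__ == "__main__":
    parsed = parse_alert_fast(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.timestamp} sid={a.sid} prio={a.priority} {a.proto} {a.src} -> {a.dst}:{a.dport}")
    print("per source:", count_by_source(parsed))
    print("priority 1:", [a.message for a in high_priority(parsed)])
```

Unparseable lines are dropped rather than raising, so a partially written last line in a live alert file does not abort the run; if you need to notice format drift after a Snort upgrade, count the dropped lines as well.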
4.2.4 The alert_smb Module
SMB alerts are sent to Microsoft Windows-based workstations using the smbclient
program, which is part of the SAMBA client package on Linux machines. To
send these alerts, smbclient must be present in the PATH variable.
SMB alerts are displayed on Windows machines as pop-up windows, as shown in
Figure 4-2. A list of workstations should be present in a file that is provided as an
argument to the output module. The following line in the snort.conf file will cause alert
messages to be sent to the workstations listed in the file workstation.list.
output alert_smb: workstation.list