Chapter 4     Plugins, Preprocessors and Output Modules
Figure 4-2 SMB alert display window.
Each workstation name should be listed in the workstation.list file on a separate
line. Note that these are the SMB names, not IP addresses or DNS hostnames. The
SMB names of workstations are configured in Control Panel on Windows machines.
The smbclient program resolves these SMB names by itself.
You have to compile the SMB alert support when building Snort using the configure
script. A typical line to build this support is:
./configure --prefix=/opt/snort --enable-smbalerts
Refer to Chapter 2 for more information about how to compile Snort. The messenger
service must be enabled on the Windows system for pop-up windows to be displayed.
4.2.5 The log_tcpdump Output Module
This module is used to store alert data in a tcpdump-format file that can be viewed
later using tcpdump or some other tool. This method is quick for heavily loaded
networks where you want to offload processing from the Snort system and analyze data
using some other mechanism. Following is the general format for using this module in
the snort.conf file:
output log_tcpdump: 
Typical entries in the snort.conf file may look like the following:
output log_tcpdump: /var/log/snort/snort_tcpdump.log
In Snort 1.8 and older, the month, date and time are prepended to the file name so
that you get a separate file every time you restart Snort. In Snort 1.9, the seconds
counter [1] is appended to the file name. Each time you start Snort, a new file is created.

[1] In fact, the time() function is used in Snort 1.9.0 to determine this number. For more
information, use the "man 2 time" command in Linux.
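
The following is an added example, not code from the book or from Snort: it recovers the Snort start time from the seconds counter in a log_tcpdump file name and walks the tcpdump-format records to list packet timestamps and lengths. It assumes the counter follows the last dot in the name (the sample name and bytes are constructed), and the function names are hypothetical.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # classic tcpdump/libpcap magic (microsecond timestamps)

def start_time_from_name(path):
    """Return the Snort start time encoded as a trailing epoch-seconds suffix.
    Assumption: the counter follows the last dot, e.g. snort_tcpdump.log.1035000000."""
    suffix = path.rsplit(".", 1)[-1]
    if not suffix.isdigit():
        return None  # no numeric suffix (Snort 1.8-style name or unrelated file)
    return datetime.fromtimestamp(int(suffix), tz=timezone.utc)

def read_pcap(data):
    """Parse a tcpdump-format capture; return (linktype, [(ts, caplen, origlen)])."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"   # written on a little-endian sensor
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"   # written on a big-endian sensor
    else:
        raise ValueError("not a tcpdump-format file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            break  # Snort stopped mid-write; ignore the partial record
        packets.append((sec + usec / 1e6, caplen, origlen))
        off += caplen
    return linktype, packets

# Constructed sample: one 60-byte Ethernet frame (zero-filled) in a little-endian file.
SAMPLE_NAME = "/var/log/snort/snort_tcpdump.log.1035000000"
SAMPLE = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1514, 1)
          + struct.pack("<IIII", 1035000042, 500000, 60, 60) + bytes(60))

if __name__ == "__main__":
    print(start_time_from_name(SAMPLE_NAME).isoformat())
    print(read_pcap(SAMPLE))
```

Comparing the start time from the file name with the first packet timestamp shows how long the sensor ran before its first logged alert packet.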