Snort can be used to log network traffic without generating alerts. In fact, Snort started life as a hopped-up version of tcpdump, the ubiquitous packet capture program used by network geeks everywhere. The simplest way to generate logging (not alerting) is to call Snort from the command line and tell it to log packet data somewhere using the -lswitch which specifies a logging directory.
The -lswitch is available and useful from the command line only. If you are running Snort with the -Dswitch for daemon mode, and you’re specifying a snort.conf file with the -cswitch, you’re not going to get much use out of using the -lswitch for logging packet information.
Create a test logging directory, then tell snort to send its log data there. At a command prompt under Linux, do the following:
# mkdir /var/log/snort/test_logging
# /usr/local/bin/snort -l /var/log/snort/test_logging/
In Windows:
C:\snort\bin>mkdir c:\snort\logs C:\snort\bin>snort -l c:\snort\logs
Let this run for a minute or so, then kill it by hitting Ctrl+C. Now take a look at the /var/log/snort/test_loggingdirectory. You’ll see a set of subdirecto-ries, one for each IP address that’s been sending packets to and from your network. If you look at the files in these subdirectories, you’ll find a bunch of files, named for the protocol, source port, and destination port of each packet. Here’s someone poking at my Web server (the nerve!):
libpcap (or winpcap) captures raw data from network card
and sends it to Snort
Snort decodes packets based on protocol
Snort applies preprocessors to normalize traffic
If traffic matches a rule, generate an alert
The alert module calls the logging module to log packet details Normalized traffic is passed on
to main detection engine
Figure 6-1:
Snort’s packet processing and logging.
# cd /var/log/snort/test_logging/
# ls
192.168.1.68 10.100.11.17 ARP
# cd 192.168.1.68/
# ls
TCP:45955-80 TCP:45961-80 TCP:45967-80 TCP:45973-80 TCP:45979-80
# less TCP:45991-80
01/16-23:34:11.865655 192.168.1.68:45991 -> 172.16.34.18:80 TCP TTL:47 TOS:0x0 ID:44483 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3ED87B82 Ack: 0x0 Win: 0x16D0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 323081793 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-23:34:11.865697 172.16.34.18:80 -> 192.168.1.68:45991 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x933AEFD2 Ack: 0x3ED87B83 Win: 0x16A0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 135821704 323081793 NOP TCP Options => WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-23:34:11.901372 192.168.1.68:45991 -> 172.16.34.18:80 TCP TTL:47 TOS:0x0 ID:44484 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3ED87B83 Ack: 0x933AEFD3 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 323081797 135821704
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-23:34:11.903218 192.168.1.68:45991 -> 172.16.34.18:80 TCP TTL:47 TOS:0x0 ID:44485 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0x3ED87B83 Ack: 0x933AEFD3 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 323081797 135821704
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-23:34:11.903262 172.16.34.18:80 -> 192.168.1.68:45991 TCP TTL:64 TOS:0x0 ID:38495 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x933AEFD3 Ack: 0x3ED87C1A Win: 0x16A0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 135821708 323081797
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Notice how any mention of a specific alert is conspicuously absent from these files.
If you’re like us, you want to see what’s happening as it happens,instead of seeing what happened after the fact. Ever bake a cake with the oven light on the whole time? It doesn’t make the cake cook any faster, but it’s kind of cool to watch it rise. For those of us who need this instant gratification, Snort has the -vswitch. When logging packet data, this will send the data straight to the console.
Since Snort is a descendant of tcpdump, it will take much of the same com-mand line syntax as tcpdump, including expressions dictating what kind of traffic to process, and what to ignore. If you’re going to try running Snort with the -vswitch to watch decoded packets and you’re accessing your Snort machine over an SSH connection, make sure to tell Snort to ignore your SSH traffic, otherwise your terminal will turn into an unreadable flood of data as Snort displays the headers for each SSH packet. Each packet sent back to your terminal will in turn have its headers displayed, causing an unending cycle of data streaming.
The -vswitch is great for debugging purposes, but it slows down Snort con-siderably, and causes Snort to drop packets. Don’t use the -vswitch while running Snort in IDS mode, or you might miss an attack.
If you want to log more detail about each packet, you can use the -dswitch to dump application layer data from each packet, and you can use the -e switch to dump the link layer data from each packet. Here, we tell Snort to ignore our own SSH packets (which operate over port 22), and print all other packets to the terminal showing the application layer as well as the link layer:
# snort -vde not port 22 Running in packet logging mode
Log directory = /var/log/snort/test_logging2/
Initializing Network Interface eth0 --== Initializing Snort ==--Initializing Output Plugins!
Decoding Ethernet on interface eth0 --== Initialization Complete ==---*> Snort!
<*-Version 2.1.0 (Build 9)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
01/16-01:22:23.654699 0:10:67:0:B2:50 -> 0:A0:CC:D2:10:31 type:0x800 len:0x6A 192.168.16.50 -> 172.16.34.18 ICMP TTL:104 TOS:0x0 ID:60592 IpLen:20 DgmLen:92 Type:8 Code:0 ID:56566 Seq:16552 ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/16-01:22:23.654842 0:A0:CC:D2:10:31 -> 0:10:67:0:B2:50 type:0x800 len:0x6A 172.16.34.18 -> 192.168.16.50 ICMP TTL:255 TOS:0x0 ID:35856 IpLen:20 DgmLen:92 Type:0 Code:0 ID:56566 Seq:16552 ECHO REPLY
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Yep, we’re getting pinged (the keywords ICMP, ECHO, and ECHO REPLY clue us into this). If you want to see more interesting traffic than this, run the same command on your own Snort box and see what you get. If the output is too much to deal with, try playing around with different expressions to ignore different kinds of traffic. For a list of useful command-line options that per-tain to Snort’s logging and alerting, see the sidebar titled, “Snort’s command-line switches for logging and alerting” in this chapter.