Snort 2.1 Intrusion Detection, Second Edition
This brand-new edition of the best-selling Snort book covers all the latest features of the version 2.1 upgrade to the Snort product.
TABLE OF CONTENTS Snort 2.1 Intrusion Detection, Second Edition
Understanding the Output Plug-Ins
Like Snort, Barnyard includes several plug-ins that allow the user to configure events to be output in a variety of ways. Barnyard 0.2 includes nine different output plug-ins: five for processing unified alert events, and four for processing unified log events (and, as mentioned previously, none for processing unified stream-stat events). Each of these output plug-ins processes the unified events in a different way. The alert output plug-ins include alert_fast, alert_csv, alert_syslog, alert_syslog2, and alert_acid_db. The log output plug-ins include log_dump, log_pcap, log_acid_db, and sguil. In the following sections, we ll see what each output plug-in does, how to configure it, and when we may want to use it.
| Oink! | The attentive reader may have looked at the Barnyard 0.2 distribution and counted 10 output plug-ins. Be assured that we can actually count and are fully aware of the extra output plug-in. The additional output plug-in, alert_console, was actually developed for this chapter, and you ll learn all about it in the section Writing a New Output Plug-In. |
alert_fast
Barnyard s alert_fast output plug-in renders unified alert records in a human-readable format to an output file. If no configuration options are provided, the output will be written to the file fast.alert in the logging directory. If the file already exists, any new events will be appended to it. The configuration lines for the alert_fast output plug-in are:
output alert_fastoutput alert_fast:
If using the second syntax, replace < filename> with the name of the output file you want...
Copyright Syngress Publishing, Inc. 2004 under license agreement with Books24x7
