{"id":382,"date":"2013-01-07T01:11:00","date_gmt":"2013-01-06T17:11:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=382"},"modified":"2025-07-27T18:26:42","modified_gmt":"2025-07-27T10:26:42","slug":"snort-output","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/382","title":{"rendered":"Snort output"},"content":{"rendered":"\n

snort\u7684output module<\/strong>
\u555f\u52d5snort\u6642,snort\u6703\u628a\u5831\u8b66\u8cc7\u8a0a\u4ee5module\u6307\u5b9a\u7684\u683c\u5f0f\u8f38\u51fa\u5230\u6307\u5b9a\u4f4d\u7f6e
\u7d44\u614b\u6a94\u7de8\u8f2f\u4f4d\u7f6e:$snort_home\/etc\/snort.conf\u5167\u7684output\u90e8\u4efd<\/p>\n\n\n\n

\u4f7f\u7528output module\u683c\u5f0f\u70ba
output : < name_of_plugin>: < configuration_options><\/strong>
name_of_plugin:\u5df2\u77e5\u7684\u6709\u4ee5\u4e0b<\/p>\n\n\n\n


alert_fast<\/strong>
\u7b49\u540c\u65bc\u8f38\u51fa\u6a21\u5f0f\u70bafast,ex:snort -A fast
\u8b66\u5831\u7684\u8a0a\u606f\u4e0d\u6703\u5305\u542b\u5b8c\u6574\u7684packet header
\u8b66\u5831\u53ea\u6703\u8f38\u5728\u4e00\u500b\u6a94\u6848
\u683c\u5f0f\u70ba output alert_full:[< filename> [packet] [ < limit>]]<\/strong>
\u3000filename:\u70ba\u6307\u5b9a\u7684log\u6a94
\u3000packet:\u8a18\u9304\u5b8c\u6574\u7684packet header<\/p>\n\n\n\n

alert_full<\/strong>
\u7b49\u540c\u65bc\u8f38\u51fa\u6a21\u5f0f\u70bafull,ex:snort -A full
\u8b66\u5831\u7684\u8a0a\u606f\u6703\u5305\u542b\u5b8c\u6574\u7684packet header
\u8b66\u5831\u9810\u8a2d\u8f38\u51fa\u5728\u76ee\u9304\/var\/log\/snort\u5167,\u6216\u662f\u7531command\u6307\u4ee4\u4e2d\u53e6\u5916\u6307\u5b9a\u4e00\u500b\u76ee\u9304
\u683c\u5f0f\u70ba\u00a0output alert_full:[< filename>[ < limit>]]<\/strong>
\u3000filename:\u70ba\u6307\u5b9a\u7684log\u6a94
\u8f38\u51fa\u683c\u5f0f\u5927\u81f4\u5982\u4e0b<\/p>\n\n\n\n

[**] [1:1019:20] signature name [**]\n[Classification: type ] [Priority: num]\ntime source ip:port -> dest ip:port\nproto TTL:num TOS:num ID:num IpLen:num DgmLen:num\noption\n[Xref => web1][Xref => web2]\nex:\n[**] [1:1019:20] WEB-IIS Malformed Hit-Highlighting Argument File Access Attempt [**]\n[Classification: Web Application Attack] [Priority: 1]\n11\/07-20:43:56.555022 10.10.2.154:6289 -> 10.10.1.180:80\nTCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:483\n***AP*** Seq: 0xA775A97C Ack: 0xA5AD9402 Win: 0xFE44 TcpLen: 20\n[Xref => http:\/\/www.securityfocus.com\/archive\/1\/43762][Xref => http:\/\/www.microsoft.com\/technet\/security\/bulletin\/ms00-006.mspx]<\/code><\/pre>\n\n\n\n
alert unixsock<\/strong>
\u7b49\u540c\u65bc\u8f38\u51fa\u6a21\u5f0f\u70baunsock,ex:snort -A unsockl
\u5c07\u8a0a\u606f\u50b3\u5230\u5176\u4ed6\u4e3b\u6a5f\u7684\u7a0b\u5f0f
\u683c\u5f0f\u70ba output alert_unixsock<\/p>\n\n\n\n
syslog<\/strong>
\u5c07event\u50b3\u9001\u5230\u672c\u5730syslog server
\u683c\u5f0f\u70ba output alert_syslog: < facility> < priority> [options]<\/strong>
\u3000facility:\u53ef\u9078\u7684\u503c\u6709log auth,log authpriv,log daemon,log local0,log local1,log local2,log local3,log local4,log local5,log local6,log local7,log user
\u3000priority;\u53ef\u9078\u7684\u503c\u6709log emerg,log alert,log crit,log err,log warning,log notice,log info,log debug
\u3000options:\u53ef\u9078\u7684\u503c\u6709log cons,log ndelay,log perror,log pid
ex:
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
\u8f38\u51fa\u683c\u5f0f\u5927\u81f4\u5982\u4e0b:
May 10 00:03:38 xxxxxx snort: INFO – ICQ Access [Classification:content:”MKD \/ ” Priority: 0]: 10.1.1.1:54352 -> 10.2.2.5:80<\/p>\n\n\n\n
csv<\/strong>
\u5c07\u8b66\u5831\u8cc7\u6599\u5beb\u6210\u6613\u65bc\u8f38\u5165\u8cc7\u6599\u5eab\u7684csv\u683c\u5f0f,\u683c\u5f0f\u5167\u7684\u6b04\u4f4d\u8207\u9806\u5e8f\u7686\u53ef\u81ea\u8a02
ps:\u6b64\u5957\u4ef6\u70baBrian Caswell\u958b\u767c
\u683c\u5f0f\u70ba output alert_csv:[< filename> [< format> [< limit>]]]<\/strong>
\u3000filename:\u6307\u5b9a\u7684log\u6a94,\u9810\u8a2d\u70baalert.csv
\u3000format:”default”|< field(,< field>)*> \u6307\u5b9a\u6b04\u4f4d\u683c\u5f0f,default\u662f\u8f38\u51fa\u6240\u6709\u6b04\u4f4d,\u9806\u5e8f\u70ba timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,ethsrc,ethdst,ethlen,tcpflags,tcpseq,tcpack,tcplen,tcpwindow,ttl,tos,id,dgmlen,iplen,icmptype,icmpcode,icmpid,icmpseq
\u3000limit:< number>[(‘G’|’M’|K’)]
ex:
output alert_csv:\/var\/log\/alert.csv default
output alert_csv:\/var\/log\/alert.csv timestamp,msg
ps:\u53ef\u7528\u8907\u5408CSV\u8f38\u51fa\uff0c\u5efa\u7acb\u591a\u500b\u8f38\u51fa\u6587\u4ef6\uff0c\u5728\u6bcf\u500b\u6587\u4ef6\u4e2d\u8a2d\u5b9a\u9700\u8981\u8a18\u9304\u6b04\u4f4d<\/p>\n\n\n\n
unified<\/strong>
\u4f7f\u7528unified\u7684\u683c\u5f0f\uff0c\u6b64\u683c\u5f0f\u53ef\u8b93snort\u8dd1\u5f97\u66f4\u5feb
\u8b80\u53d6\u6b64\u683c\u5f0f\u9700\u4f7f\u7528uni\ufb01ed log reader,ex:barnyard
\u683c\u5f0f\u70ba
output alert_unified:< base file name>[,< limit < filesize limit in MB>]
output log_unified:< base file name>[,< limit < filesize limit in MB>]<\/strong><\/p>\n\n\n\n
unified2<\/strong>
\u53ef\u4ee3\u66ffunified\u7684\u6a21\u7d44,\u67093\u7a2e\u6a21\u5f0f,\u5206\u8ff0\u5982\u4e0b
alert logging\u683c\u5f0f\u70ba
output alert_unified2:filename < basefilename>[,< limit< sizeinMB>][,nostamp] [,mpls_event_types]<\/strong>
packet logging\u683c\u5f0f\u70ba
output log_unified2:filename < basefilename>[,< limit< sizeinMB>][,nostamp]<\/strong>
true uni\ufb01ed logging\u683c\u5f0f\u70ba
output unified2:filename < basefilename>[,< limit< sizeinMB>][,nostamp] [,mpls_event_types]<\/strong><\/p>\n\n\n\n
alert_prelude<\/strong>
\u7522\u751fprelude ids database\u53ef\u652f\u63f4\u7684\u683c\u5f0f
\u683c\u5f0f\u70ba
output alert_prelude:profile=< name of prelude profile> [info] [low] [medium]<\/strong>
\u3000info: < priority number for info priority alerts>
\u3000low: < priority number for low priority alerts>
\u3000medium: < priority number for medium priority alerts><\/p>\n\n\n\n
tcpdump<\/strong>
\u4f7f\u7528tcpdump\u683c\u5f0f\u8a18\u9304
\u683c\u5f0f\u70ba output log_tcpdump:[< filename>[< limit>]]<\/strong>
\u3000filename \u6307\u5b9alog\u7684\u540d\u7a31,\u9810\u8a2d\u70balogdir\/snort.log
\u3000limit \u9810\u8a2d\u70ba128mb,\u81ea\u8a02limit\u7684\u683c\u5f0f\u70ba< number>[(‘G’|’M’|K’)]
ex:
output log_tcpdump: snort_dump.log<\/p>\n\n\n\n
database<\/strong>
\u5c07log\u50b3\u9001\u5230sql database
ps:\u9700\u5148\u5c07\u8cc7\u6599\u5eab\u53ca\u8cc7\u6599\u8868\u5efa\u7acb\u597d,\u4e26\u8a2d\u5b9a\u53ef\u5b58\u53d6\u8cc7\u6599\u7684\u5e33\u865f
ps:2000\u5e743\u6708Jed Pickel\u958b\u767c\u7684\u5957\u4ef6
\u683c\u5f0f\u70baoutput database:< log type>,< database type>,< parameter list><\/strong>
\u3000log type:\u53ef\u7528\u7684\u503c\u6709log,alert
\u3000\u3000\u4f7f\u7528log\u5247\u547c\u53eblog output chain
\u3000\u3000\u4f7f\u7528alert\u5247\u547c\u53ebalert output chain
\u3000database type:\u53ef\u7528\u7684\u503c\u6709mssql,mysql,postgresql,oracle,odbc
\u3000parameter list:\u53ef\u7528\u7684parameter\u6709\u4ee5\u4e0b
\u3000\u3000host \u8cc7\u6599\u5eab\u4e3b\u6a5f\u4f4d\u7f6e\u3000
\u3000\u3000port \u8cc7\u6599\u5eab\u4e3b\u6a5f\u4f7f\u7528\u7684port\u3000
\u3000\u3000dbname \u8cc7\u6599\u5eab\u540d\u7a31
\u3000\u3000user \u53ef\u5b58\u53d6dbname\u7684\u4f7f\u7528\u8005
\u3000\u3000password\u3000\u4f7f\u7528\u8005\u7684\u5bc6\u78bc
\u3000\u3000sensor name \u6307\u5b9asnort sensor\u7684\u540d\u7a31,\u9810\u8a2d\u70baautomatically
\u3000\u3000encoding < hex|base64|ascii> \u7de8\u78bcpacket payload\u548coption data\u7684\u65b9\u5f0f,\u9810\u8a2d\u70bahex
\u3000\u3000detail < full|fast> \u6307\u5b9a\u8a18\u9304\u7684\u8a73\u7d30\u7a0b\u5ea6,\u9810\u8a2d\u70bafull
\u3000\u3000\u3000fast\u8a18\u9304\u6b04\u4f4d\u70batimestamp, signature, source ip, destination ip, source port, destination port, tcp flags,protocol
\u3000\u3000\u3000full\u8a18\u9304\u6b04\u4f4d\u9664\u4e86\u6709fast\u7684\u5916\u9084\u6703\u5305\u542bip\/tcp option\u548cpayload
ex:
output database: log, mysql, dbname=snort user=snort host=localhost password=xyz
output database: log, mysql, user=snortuser password=snortpass dbname=snortdb host=localhost<\/p>\n\n\n\n

XML<\/strong>
\u8a72module\u53ef\u628alog\u6216alert\u4ee5XML\u683c\u5f0f\uff0c\u5b58\u653e\u5728\u672c\u5730\u6587\u4ef6\u3001\u8f38\u51fa\u5230\u4e00\u500bdatabase\u3001\u6216\u8005\u9001\u5230CERT\u9032\u884c\u8655\u7406\u3002
\u8cc7\u6599\u6703\u7528SNML(Simple Network Markup Language,\u7c21\u55ae\u7db2\u8def\u6a19\u8a18\u8a9e\u8a00\/SNort Markup Language,snort\u6a19\u8a18\u8a9e\u8a00)\u683c\u5f0f
\u652f\u63f4\u5354\u5b9a\u5305\u62ecHTTP\u3001HTTPS\u3001IAP(Intrusion Alert Protocol,\u5165\u4fb5\u5831\u8b66\u5354\u5b9a)
\u8cc7\u6599\u53ef\u7528HEX\u3001BASE64\u3001ASCII
ps:
snort\u7684XML output module\u70baAIRCERT(Automated Incident-Reporting)\u5de5\u7a0b\u7684\u4e00\u90e8\u4efd
\u4f5c\u8005\u70baJed Pickel\u548cRoman Danyliw
\u53c3\u8003\u8cc7\u6599:http:\/\/www.cert.org\/kb\/snortxml<\/p>\n\n\n\n
\u683c\u5f0f\u5982\u4e0b
output xml: log, file=\/var\/log\/snort\/snortxml-MMDD@HHMM
#\u628alog\u8f38\u51fa\u5230\/var\/log\/snort\/snortxml-MMDD@HHMM\uff0c\u5176\u4e2dMMDD@HHMM\u5206\u5225\u662f\u6708\u65e5\u6642\u5206
output xml: alert,protocol=https host=your.server.org file=yourfile cert=mycert.crt key=mykey.pem ca=ca.crt server=srv_list.lst
#\u4f7f\u7528HTTPS\u8f38\u51fa\u9001\u5230\u9060\u7aef\u4f3a\u670d\u5668your.server.org\u7684\u6587\u4ef6yourfile\u3000 
#cert\u3001key\u3001ca\u8207SSL\u6709\u95dc
#server\u53c3\u6578\u53ef\u4ee5\u8a2d\u5b9a\u9023\u63a5\u7684\u4f3a\u670d\u5668\u5217\u8868\u3000<\/p>\n\n\n\n
…………………………………………………………………………………………………..<\/p>\n\n\n\n
threshold.conf<\/strong>
\u53ef\u6d88\u9664\u8aa4\u5831\u6216\u7121\u7528\u7684\u5927\u91cf\u8b66\u544a\u8a0a\u606f
\u9700\u5728snort.conf\u4e2d\u5c07include threshold.conf\u8a3b\u89e3\u53d6\u6d88\u624d\u6703\u8b80\u53d6\u9032\u4f86<\/p>\n\n\n\n

event filter<\/strong>
\u53ef\u6e1b\u5c11noise alert\u53cafalse alarm
\u683c\u5f0f\u70ba<\/strong>event_filter gen_id < id>, sig_id < id> , type < event filter type> , track < by_src|by_dst> , count < value> , seconds < value><\/strong>
ps:
gen_id\u76f8\u95dc\u8a18\u9304\u53ef\u53c3\u8003\u6a94\u6848$snort_home\/etc\/generators
sig_id\u76f8\u95dc\u8a18\u9304\u53ef\u53c3\u8003\u5404rule\u6a94,preprocessor\u7684sid\u53ef\u53c3\u8003$snort_home\/etc\/gen-msg.map<\/p>\n\n\n\n
event filter type<\/strong>
limit \u5728\u6307\u5b9a\u7684time interval\u4e2d\u53ea\u8a18\u9304\u524dn\u7b46event
threshold \u5728\u6307\u5b9a\u7684time interval\u4e2d,\u8a18\u9304\u6bcf\u6b21n\u7b46event 
both \u5728\u6307\u5b9a\u7684time interval\u4e2d,\u53ea\u8a18\u9304\u7b2cn\u7b46event\u5f8c\u7684\u7b2c\u4e00\u7b46event
ps:
\u82e5gen_id=0,sig_id=0 \u8868\u793a\u5168\u90e8\u4e8b\u4ef6
\u82e5\u50c5sig_id=0 \u8868\u793agen_id\u4e0b\u7684\u5168\u90e8\u4e8b\u4ef6
ps:gen_id\u53ef\u4ee5\u53c3\u8003gen-msg.map
ex:
\u5728\u6bcf\u500b60\u79d2\u5167\u50c5\u8a18\u93041\u7b46\u4e8b\u4ef6
event_filter gen_id 1 , sig_id 1853,type limit,track by_src,count 1,seconds 60
\u5728\u6bcf\u500b60\u79d2\u5167\u50c5\u8a18\u9304\u7b2c3\u7b46\u4e8b\u4ef6 \/ \u5728\u6bcf\u500b60\u79d2\u5167\u50c5\u5728\u7b2c3\u7b46\u4e8b\u4ef6\u5f8c\u624d\u958b\u59cb\u8a18\u9304
event_filter gen_id 1 , sig_id 1853,type threshold,track by_src,count 3,seconds 60
\u572860\u79d2\u5167\u8d85\u904e30\u7b46\u4e8b\u4ef6\u6642,\u5c07\u8a18\u9304\u7b2c31\u7b46\u4e8b\u4ef6
event_filter gen_id 1 , sig_id 1853,type both,track by_src,count 30,seconds 60<\/p>\n\n\n\n

event suppress<\/strong>
\u4f9d\u7167ip\u53ca\u4f86\u6e90\u505c\u6b62\u8a18\u9304\u6307\u5b9a\u7684event
\u683c\u5f0f\u70ba
suppress gen_id < id >, sid_id < id > [, track < by_src|by_dst >, ip < IP\/MASK-BITS > ]
ex:
\u7565\u904ehttp_inspect: BARE BYTE UNICODE ENCODING\u8a0a\u606f
suppress gen_id 119, sig_id 4 # http_inspect: BARE BYTE UNICODE ENCODING
\u7565\u904esnort_decoder: Tcp Options found with bad lengths
suppress gen_id 116 , sig_id 54
\u7565\u904eWEB-ATTACKS rm command attempt\u4e2d\u76ee\u7684ip\u5730\u5740\u662f222.222.111.111\u7684alert
suppress gen_id 1, sig_id 1365, track by_dst,ip 222.222.111.111<\/p>\n\n\n\n
ps:
\u95dc\u9589\u4ee5\u4e0b\u8a0a\u606f
(http_inspect) BARE BYTE UNICODE ENCODING
That’s not triggered by a rule – it’s from the Snort http_inspect preprocessor. The message means that a web client uses a non-standard encoding for UTF-8 values
\u5728snort.conf\u4e2d\u8a3b\u89e3\u6389
preprocessor http_inspect::global
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default
profile apache ports {80} oversize_dir_length 500<\/p>\n","protected":false},"excerpt":{"rendered":"
snort\u7684output module\u555f\u52d5snort\u6642,sn …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[370],"tags":[],"class_list":["post-382","post","type-post","status-publish","format-standard","hentry","category-blue-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=382"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/382\/revisions"}],"predecessor-version":[{"id":2424,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/382\/revisions\/2424"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}