Chapter 3. The snort patch

This patch is needed to activate an output plugin which enables snort to write all alert information and the suspicious network packet to a unix datagram socket. To apply the patch you only need to change to the snort source directory and use the command:

snort-2.x.x$ patch -p1 < /path/to/FLoP-1.6.0/patches/snort-2.x.x_patch

After running configure and make, the snort program understands a new option in the snort.conf file:

output alert_unixsock_db: /tmp/snort[, all|log|alert]

The parameter of this output plugin describes where the unix domain socket should be found. Since we use unix domain sockets of type datagram it is not required that this socket exists. If there is no such socket, snort will simply write a warning message and continue to work. If the socket gets created later, snort will use it. So snort is never blocked by this output plugin (unless the reading process explicitly blocks).

Since snort-2.1.3 it is also possible to write the log packets to the socket instead, or both (all). If all is given, a packet that appears in both output chains is written to the socket only once.

Note: FLoP does not distinguish between log and alert. Therefore both kinds are meant whenever an alert is mentioned in this document!

Furthermore the option -Y is added to snort to avoid writing any alerts to the file system. (Before snort-2.3 this option was -Q, but now -Q is used for the snort-inline part.)

Note: If you use the option all this is not necessary. If an output plugin is activated, the normal output plugin is disabled. So if all is used, no alert or log data are written to the file system.

If you use alert, you can disable writing of log information with the snort option -N or the equivalent -K none. If you only use log, you can disable the alerts with the snort option -A none.

So this additional option -Y is no longer necessary, but it is still part of the snort patch.

The log facility is necessary if you want to store tagged packets or packets of a dynamic rule in the database. Take also a look at the program getpacket.

3.1. Statistics with snort

The patch additionally extends snort by a -x option (before snort-2.4 this option is -Z). This enables snort to write statistical information about its current status to the unix domain socket /tmp/stats. This information includes the number of received and dropped packets, how many alerts were generated and which protocols were involved since the last time. The time interval is the parameter after this option.

With the command

snort -x 30

the statistics are written every 30 seconds to the special unix datagram socket. Again, if this socket is not available, nothing will be written, but snort will still work.
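To make the two properties just described concrete (a datagram socket needs no connected reader, and an absent reader only costs the sender a warning), here is an added Python model of both sides of the exchange; it is not part of FLoP or the snort patch. It assumes the record layout the perl example below decodes (eleven native-order unsigned 32-bit values, 44 bytes), uses a temporary path instead of /tmp/stats, and the sample counters are constructed.

```python
import os
import socket
import struct
import tempfile

# One statistics datagram: eleven native-order unsigned 32-bit values (44 bytes).
# Assumed layout, taken from the unpack(" L L L ...") call in Example 3-1.
STATS_FMT = "=11I"
STATS_LEN = struct.calcsize(STATS_FMT)  # 44

def parse_stats(datagram):
    """Decode one record. Field 0 is the timestamp and field 1 the received-packet
    count (the two fields fed to RRDtool below). A datagram of the wrong size is
    rejected instead of being silently misparsed."""
    if len(datagram) != STATS_LEN:
        raise ValueError("expected %d bytes, got %d" % (STATS_LEN, len(datagram)))
    return struct.unpack(STATS_FMT, datagram)

def send_stats(path, fields):
    """Stand-in for snort -x: write one record to the datagram socket at `path`.
    If no reader has created the socket yet, report it and carry on, so the
    sender is never blocked or aborted by a missing consumer."""
    data = struct.pack(STATS_FMT, *fields)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        try:
            s.sendto(data, path)
            return True
        except OSError as e:  # ENOENT / ECONNREFUSED: nobody is listening
            print("stats socket %s unavailable: %s" % (path, e))
            return False

def receive_one(path, fields):
    """Bind a reader on `path` (as the perl script does), let the sender deliver
    one record and return the decoded fields."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as r:
        r.bind(path)
        r.settimeout(2)
        if not send_stats(path, fields):
            raise RuntimeError("send failed although a reader is bound")
        data, _ = r.recvfrom(65440)
        return parse_stats(data)

def demo():
    # Constructed sample: timestamp, received packets, nine further counters.
    sample = (1700000000, 12345, 7, 3, 0, 0, 0, 0, 0, 0, 0)
    d = tempfile.mkdtemp()
    path = os.path.join(d, "stats")      # stands in for /tmp/stats
    missing = send_stats(path, sample)   # no reader yet: warns, returns False
    got = receive_one(path, sample)      # reader present: record delivered
    os.unlink(path)
    os.rmdir(d)
    return missing, got
```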

This information can be used in conjunction with the RRDTool to create some nice pictures like:

[Figure: Statistics picture from snort generated with RRDTool]

Example 3-1. A simple perl script to feed an RRDtool database with a time step of 30 seconds. Here we only account for the rate of received packets but it is easily extended to use the other data.

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
use IO::Handle;
use Socket;
use RRDs;

my $UXSOCKADDR = "/tmp/stats";

# Remove a stale socket file so that the bind below succeeds.
unlink($UXSOCKADDR);
# (1) Open a unix domain socket of type datagram to receive the records snort -x writes.
my $sock = IO::Socket::UNIX->new(Local => $UXSOCKADDR, Type => SOCK_DGRAM)
  or die "Can't bind to Unix Socket: $!\n";
# (2) Increase the receive buffer of the socket.
$sock->setsockopt(SOL_SOCKET, SO_RCVBUF, 65440)
  or die "Can't set receive buffer: $!\n";
print "Ready to accept connections!\n";

my $RRDrecv = "recv.RRD";

# (3) Test whether the RRD database exists; if not, create it with the first record.
my $CreateRRD = (-e $RRDrecv) ? 0 : 1;

my $TotalEvents = 0;
my $input;
while (1) {
  # One statistics record is 11 unsigned 32-bit values, i.e. 44 bytes.
  my $len = 44;
  defined($sock->recv($input, $len)) or die "recv failed: $!\n";
  $TotalEvents++;

  # Field 0 is the timestamp, field 1 the number of received packets.
  my @fields = unpack("L L L L L L L L L L L", $input);
  print "\n";

  if ($CreateRRD) {
    # (4) There is no RRD database, so create one here. The start time is one
    # second before the first sample, since rrdtool rejects updates at or
    # before the start time.
    RRDs::create($RRDrecv, "--start", $fields[0] - 1, "--step", "30",
                 "DS:Statistics:GAUGE:61:0:U", "RRA:AVERAGE:0.5:1:100",
                 "RRA:AVERAGE:0.5:10:24", "RRA:AVERAGE:0.5:20:144");
    my $err = RRDs::error;
    die "RRD create failed: $err\n" if $err;
    $CreateRRD = 0;
  }

  # (5) Update the RRD database with the timestamp and the received-packet count.
  RRDs::update($RRDrecv, "$fields[0]:$fields[1]");
  my $err = RRDs::error;
  warn "RRD update failed: $err\n" if $err;
}
(1)
Open a unix domain socket of type datagram to be able to receive data from snort.
(2)
Increase the receive buffer of the socket.
(3)
Test whether an RRD database exists; if not, we have to create one.
(4)
There is no RRD database, so we create one here.
(5)
Update the RRD database.

Note: This information, and perhaps more, could also be obtained via the snort preprocessor perfmonitor. But this option is older than the preprocessor and therefore it is still part of the snort patch. Maybe this option should be removed in favour of perfmonitor.