One of Snort's real
strengths are the options available for output of alerts and other
detection information. While running
-f on the alert file in
/var/log/snort certainly lets you see that
alerts that Snort generates, using that information effectively
requires more horsepower. Many Snort administrators use third-party
applications to monitor and investigate the information generated by
Snort. To do this, Snort must output the data a particular format.
The output plug-ins perform this task. Note that using some of these
plug-ins require the administrator to take some steps at the time
that Snort is compiled. For example, to allow Snort to output to a
MySQL database, a MySQL client needs to be installed on the Snort
system and the
--with-mysql option must be
specified with the
../configure command. Some of
these options are only available on a particular platform. For
instance, only a Windows system can log directly to Microsoft SQL
Server with the mssql plug-in (Unix-based
systems must use ODBC with the odbc plug-in).
Multiple output plug-ins can be enabled, allowing a variety of tools to be employed by Snort administrators.
Unix-based systems use the syslog facility to aggregate messages generated by one or more systems into a single place. There are a number of different ways that the Snort-generated information can be presented to the syslog. You can specify the facility used by Snort and also the priority assigned to entries generated by ...