Output Modules

Output modules are new as of version 1.6. They allow Snort to be much more flexible in the formatting and presentation of output to its users. The output modules are run when the alert or logging subsystems of Snort are called, after the preprocessors and detection engine. The format of the directives in the rules file is very similar to that of the preprocessors.

Multiple output plugins may be specified in the Snort configuration file. When multiple plugins of the same type (log, alert) are specified, they are stacked and called in sequence when an event occurs. As with the standard logging and alerting systems, output plugins send their data to /var/log/snort by default or to a user directed directory (using the -l command line switch).

Output modules are loaded at runtime by specifying the output keyword in the rules file:

output <name>: <options>

**Figure:** Output Module Configuration Example
$\begin{figure}\begin{verbatim}output alert_syslog: log_auth log_alert\end{verbatim} \par\end{figure}$

Subsections

alert_syslog
- Available Keywords
- Format
alert_fast
- Format
alert_full
- Format
alert_unixsock
- Format
log_tcpdump
- Format
database
- Format
csv
- Format
unified
- Format
unified 2
- Format
alert_prelude
- Format
log null
- Format
alert_aruba_action
- Format

Steven Sturges 2007-10-04