Problem
You want to get Snort output stats via a web page.
Solution
Four great programs that produce statistical output in HTML format are Snortsnarf, ACID, SnortALog, and snort_stat. You can use one or all of them to produce alert, log, statistics, and graphing data automatically via a web page.
Discussion
Snortsnarf is a Perl script that takes one or more Snort input sources and converts the information into web pages. You can use the Snort alert files or a MySQL Snort database as input sources. Snortsnarf will list alerts by priority and provide the signature, number of sources, and number of destinations for each signature. Another page ranks the top 20 source IP addresses, the number of total alerts it generated, the number of signatures triggered, and the target destination addresses. So, for example, you may see that a certain IP address generated 100 alerts, triggered 2 signatures, and targeted 50 destination IP addresses. This may indicate some sort of scan attempt. Snortsnarf also ranks the top 20 destination IP addresses. This page contains the same type of information, such as total number of alerts and the number of signatures triggered. This page can give you valuable information to aid in identifying your top target systems. Creating a Snortsnarf cron job entry is an easy way to have Snortsnarf execute on a regular basis and have the browser refresh automatically. This way, you could have the browser open in your network operations center and be quickly alerted to new events.
ACID is a great tool to use for viewing, analyzing, and graphing your Snort logs via a web page. It is a PHP-based analysis engine that searches and processes your IDS database logs. Some of its features include a search engine, packet viewer, alert management, and graphing and statistics generation. ACID provides a lot of different analysis and statistics information. The main page lists traffic by protocol with percentages for each. It also lists the percentage of traffic composed of port scans. The main page also lists the total number of alerts, total number of unique alerts, number of source IP addresses, number of destination IP addresses, number of source ports, and number of destination ports. From the main page, you can choose from a variety of snapshot details to look at, such as most recent alerts by protocol, today's alerts, alerts in the past 24 or 72 hours, latest source and destination ports, most frequent source and destination ports, most frequent alerts, and most frequent addresses. Each snapshot can be filtered by various parameters, including protocol, IP address, and port. You can also produce graphs (bar, line, and pie) for various parameters and time periods.
SnortALog is a Perl script that summarizes logs and produces statistics and graphs in either ASCII, PDF, or HTML format. SnortALog can analyze Snort's logs in all formats (Syslog, Fast, and Full alerts). It can also summarize Check Point FW-1 (NG and 4.1), Netfilter, and IPFilter logs. You can use either the command-line interface or the GUI to produce the specific reports you need. SnortALog produces various statistics and graphs, including distribution of events by hour and day; distribution of events by destination port, protocols, and type of log; popularity of a single source or destination host; events to and from a single host with the same method; events grouped by attack; and distribution of attack methods. Learn more about SnortALog in Analyzing and Graphing Logs.
Snort_stat is an easy-to-use Perl script that generates statistical data from the Snort logfile. Snort_stat can display output to the screen, create an ASCII text file, or output the data in HTML format. It includes general totals and statistics, such as number of attacks from the same host to the same destination using the same method, percentage and number of attacks from a host to a destination, percentage and number of attacks from one host to any with the same method, percentage and number of attacks to one certain host, and distribution of attack methods.
See Also
Recipe 5.4
Recipe 5.6
Recipe 5.5
Recipe 6.7
Recipe 6.1
Recipe 6.2
Tools for Testing Signatures |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index