Generating Statistical Output from Snort Logs

Problem

You want to get statistical information from your Snort logs.

Solution

Use snort_stat to generate statistical data from the Snort logfile. Download the snort_stat.pl file and change its permissions to make it executable:

[root@localhost root]# chmod o+x ./snort_stat.pl

Next, run snort_stat with the following command:

[root@localhost root]# cat /var/log/snort/alert | ./snort_stat.pl

In the previous command, the snort_stat output is displayed on the screen. Use the following command to dump the output into a text file:

[root@localhost root]# cat /var/log/snort/alert | ./snort_stat.pl 

>stats.out

You can also use the -h command-line option to output the snort_stat data into HTML format (Figure 6-1):

[root@localhost root]# cat /var/log/snort/alert | ./snort_stat.pl -h 

>stats.html

Figure 6-1. Snort_stat HTML output

Snortsnarf and SnortALog are two other easy-to-use programs that produce statistical output.

Discussion

Snort_stat is an easy-to-use Perl script that generates statistical data from the Snort logfile. The following excerpt from the code shows the command-line that uses the cat command to pipe your log to the Perl script:


# USAGE: cat  | snort_stat.pl -r -f -h -t n

#

# or put it in the root's crontab file:

#59 10 * * * root cat /var/log/authlog |

 /etc/snort_stat.pl | sendmail root

Note that you can also create a cron job to run snort_stat on a regular basis and have it create a text file, send a mail message, or update a web page. The following command shows an example of the snort_stat text output:

[root@localhost root]# more stats.out

Subject: snort daily report

 

The log begins from: 07 04 14:40:31

The log ends at: 07 04 14:46:02

Total events: 8

Signatures recorded: 1

Source IP recorded: 1

Destination IP recorded: 2

 

The number of attacks from same host to same

destination using same method

= = = = = = = = = = = = = = = = = = = = = = = =

 # of

 attacks from to method

= = = = = = = = = = = = = = = = = = = = = = = =

 6 192.168.206.129 192.168.100.5 ICMP PING NMAP

 2 192.168.206.129 192.168.100.70 ICMP PING NMAP

 

 

Percentage and number of attacks from a host to a

destination

= = = = = = = = = = = = = = = = = = = = = = = =

 # of

 % attacks from to

= = = = = = = = = = = = = = = = = = = = = = = =

75.00 6 192.168.206.129 192.168.100.5

25.00 2 192.168.206.129 192.168.100.70

 

 

Percentage and number of attacks from one host to any

with same method

= = = = = = = = = = = = = = = = = = = = = = = =

 # of

 % attacks from method

= = = = = = = = = = = = = = = = = = = = = = = =

100.00 8 192.168.206.129 ICMP PING NMAP

 

 

Percentage and number of attacks to one certain host

= = = = = = = = = = = = = = = = = = = = = = = =

 # of

 % attacks to method

= = = = = = = = = = = = = = = = = = = = = = = =

75.00 6 192.168.100.5 ICMP PING NMAP

25.00 2 192.168.100.70 ICMP PING NMAP

 

 

The distribution of attack methods

= = = = = = = = = = = = = = = = = = = = = = = =

 # of

 % attacks method

= = = = = = = = = = = = = = = = = = = = = = = = 

100.00 8 ICMP PING NMAP

 6 192.168.206.129 -> 192.168.100.5

 2 192.168.206.129 -> 192.168.100.70

Notice that the output provides statistics on the percentages of attacks by source, destination, and attack method.

Two other great programs that produce statistical output are Snortsnarf and SnortALog.

Snortsnarf is a Perl script that takes one or more Snort log input sources and presents statistical information via web pages. You can use the Snort alert files or a MySQL Snort database as input sources. Snortsnarf will list alerts by priority and provide the signature, number of sources, and number of destinations for each signature. Another page ranks the top 20 source IP addresses, the number of total alerts it generated, the number of signatures triggered, and the target destination addresses. Snortsnarf also ranks the top 20 destination IP addresses.

SnortALog is a Perl script that summarizes logs and produces statistics and graphs in either ASCII, PDF, or HTML format. SnortALog can analyze Snort's logs in all formats (Syslog, Fast, and Full alerts). It can also summarize Check Point FW-1 (NG and 4.1), Netfilter, and IPFilter logs. You can use either the command-line interface or the GUI to produce the specific reports you need. SnortALog produces various statistics and graphs, including distribution of events by hour and day; distribution of events by destination port, protocol, and type of log; popularity of a single source or destination host; events to and from a single host with the same method; events grouped by attack; distribution of attack methods; and more. Learn more about SnortALog in Recipe 6.7 (6.7).

See Also

http://www.snort.org/dl/contrib/data_analysis/

Cron manpage

Recipe 5.4

Recipe 5.5

Recipe 6.7

Generating Statistical Output from Snort Databases

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net