Problem
You want to get statistical information from your Snort logs.
Solution
Use snort_stat to generate statistical data from the Snort logfile. Download the snort_stat.pl file and change its permissions to make it executable:
[root@localhost root]# chmod o+x ./snort_stat.pl
Next, run snort_stat with the following command:
[root@localhost root]# cat /var/log/snort/alert | ./snort_stat.pl
In the previous command, the snort_stat output is displayed on the screen. Use the following command to dump the output into a text file:
[root@localhost root]# cat /var/log/snort/alert | ./snort_stat.pl >stats.out
You can also use the -h command-line option to output the snort_stat data into HTML format (Figure 6-1):
[root@localhost root]# cat /var/log/snort/alert | ./snort_stat.pl -h >stats.html
Figure 6-1. Snort_stat HTML output
Snortsnarf and SnortALog are two other easy-to-use programs that produce statistical output.
Discussion
Snort_stat is an easy-to-use Perl script that generates statistical data from the Snort logfile. The following excerpt from the code shows the command-line that uses the cat command to pipe your log to the Perl script:
# USAGE: cat | snort_stat.pl -r -f -h -t n # # or put it in the root's crontab file: #59 10 * * * root cat /var/log/authlog | /etc/snort_stat.pl | sendmail root
Note that you can also create a cron job to run snort_stat on a regular basis and have it create a text file, send a mail message, or update a web page. The following command shows an example of the snort_stat text output:
[root@localhost root]# more stats.out Subject: snort daily report The log begins from: 07 04 14:40:31 The log ends at: 07 04 14:46:02 Total events: 8 Signatures recorded: 1 Source IP recorded: 1 Destination IP recorded: 2 The number of attacks from same host to same destination using same method = = = = = = = = = = = = = = = = = = = = = = = = # of attacks from to method = = = = = = = = = = = = = = = = = = = = = = = = 6 192.168.206.129 192.168.100.5 ICMP PING NMAP 2 192.168.206.129 192.168.100.70 ICMP PING NMAP Percentage and number of attacks from a host to a destination = = = = = = = = = = = = = = = = = = = = = = = = # of % attacks from to = = = = = = = = = = = = = = = = = = = = = = = = 75.00 6 192.168.206.129 192.168.100.5 25.00 2 192.168.206.129 192.168.100.70 Percentage and number of attacks from one host to any with same method = = = = = = = = = = = = = = = = = = = = = = = = # of % attacks from method = = = = = = = = = = = = = = = = = = = = = = = = 100.00 8 192.168.206.129 ICMP PING NMAP Percentage and number of attacks to one certain host = = = = = = = = = = = = = = = = = = = = = = = = # of % attacks to method = = = = = = = = = = = = = = = = = = = = = = = = 75.00 6 192.168.100.5 ICMP PING NMAP 25.00 2 192.168.100.70 ICMP PING NMAP The distribution of attack methods = = = = = = = = = = = = = = = = = = = = = = = = # of % attacks method = = = = = = = = = = = = = = = = = = = = = = = = 100.00 8 ICMP PING NMAP 6 192.168.206.129 -> 192.168.100.5 2 192.168.206.129 -> 192.168.100.70
Notice that the output provides statistics on the percentages of attacks by source, destination, and attack method.
Two other great programs that produce statistical output are Snortsnarf and SnortALog.
Snortsnarf is a Perl script that takes one or more Snort log input sources and presents statistical information via web pages. You can use the Snort alert files or a MySQL Snort database as input sources. Snortsnarf will list alerts by priority and provide the signature, number of sources, and number of destinations for each signature. Another page ranks the top 20 source IP addresses, the number of total alerts it generated, the number of signatures triggered, and the target destination addresses. Snortsnarf also ranks the top 20 destination IP addresses.
SnortALog is a Perl script that summarizes logs and produces statistics and graphs in either ASCII, PDF, or HTML format. SnortALog can analyze Snort's logs in all formats (Syslog, Fast, and Full alerts). It can also summarize Check Point FW-1 (NG and 4.1), Netfilter, and IPFilter logs. You can use either the command-line interface or the GUI to produce the specific reports you need. SnortALog produces various statistics and graphs, including distribution of events by hour and day; distribution of events by destination port, protocol, and type of log; popularity of a single source or destination host; events to and from a single host with the same method; events grouped by attack; distribution of attack methods; and more. Learn more about SnortALog in Recipe 6.7 (6.7).
See Also
http://www.snort.org/dl/contrib/data_analysis/
Cron manpage
Recipe 5.4
Recipe 5.5
Recipe 6.7
Generating Statistical Output from Snort Databases |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index