Generating Text-Based Log Analysis


You want to view alert statistics quickly and efficiently.


Use Cerebus, a text-based alert browser and analyzer. Installing Cerebus is easy: just download the executable file and run it! No installation is necessary. At the time of this writing, the latest standalone version of Cerebus is 1.4. To execute Cerebus on Windows, just double-click the cerebus-win32-v1-4.exe file. This will open the GUI viewer. You may be asked for the location of the file, which is located in the C:Snortetc directory by default. Once the GUI is open, you must choose FileOpen/Merge Alert Files to locate and open your unified output log. You will then be able to view, browse, sort, and manipulate alerts (Figure 6-6).

Figure 6-6. Cerebus for Windows

To install Cerebus on Unix, you will need to change permissions on the downloaded file to make it executable:

[root@localhost root]# chmod u+x cerebus-linux-v1.4

To run Cerebus on Unix, you must use the following command-line syntax to specify the location of the alert file and the file:

[root@localhost root]# ./cerebus-linux-v1.4 

/var/log/snort/snort.alert.1092356570 ./etc/

You will then be able to view, browse, sort, and manipulate alerts in a Unix text window (Figure 6-7).

Figure 6-7. Cerebus for Unix



Cerebus is a text-based alert file browser and data correlator for Snort alerts in the unified output format. It runs on Windows, Linux, and OpenBSD. Cerebus is a standalone program with an embedded database for loading multiple Snort alert files and making real-time queries. It also allows you to quickly remove unwanted alerts for easy browsing. It was developed to efficiently process large amounts of IDS data.

The latest version of Cerebus at the time of this writing is the Win32 V1.4L Beta, which is a bundled installer that includes Cerebus 1.4L, Snort Win32 CVS 1.9 beta, and WinPcap 3.0 beta. It works on Windows 2000 and XP. This creates the Cerebus executable and also installs Snort and Winpcap. It creates executables with the appropriate parameters to run Snort in sniffer mode or IDS mode.

See Also

Creating HTML Log Analysis Output

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167 © 2008-2020.
If you may any questions please contact us: