Problem
You want to view alert statistics quickly and efficiently.
Solution
Use Cerebus, a text-based alert browser and analyzer. Installing Cerebus is easy: just download the executable file and run it! No installation is necessary. At the time of this writing, the latest standalone version of Cerebus is 1.4. To execute Cerebus on Windows, just double-click the cerebus-win32-v1-4.exe file. This will open the GUI viewer. You may be asked for the location of the sid-msg.map file, which is located in the C:Snortetc directory by default. Once the GUI is open, you must choose FileOpen/Merge Alert Files to locate and open your unified output log. You will then be able to view, browse, sort, and manipulate alerts (Figure 6-6).
Figure 6-6. Cerebus for Windows
To install Cerebus on Unix, you will need to change permissions on the downloaded file to make it executable:
[root@localhost root]# chmod u+x cerebus-linux-v1.4
To run Cerebus on Unix, you must use the following command-line syntax to specify the location of the alert file and the sid-msg.map file:
[root@localhost root]# ./cerebus-linux-v1.4 /var/log/snort/snort.alert.1092356570 ./etc/sid-msg.map
You will then be able to view, browse, sort, and manipulate alerts in a Unix text window (Figure 6-7).
Figure 6-7. Cerebus for Unix
Discussion
Cerebus is a text-based alert file browser and data correlator for Snort alerts in the unified output format. It runs on Windows, Linux, and OpenBSD. Cerebus is a standalone program with an embedded database for loading multiple Snort alert files and making real-time queries. It also allows you to quickly remove unwanted alerts for easy browsing. It was developed to efficiently process large amounts of IDS data.
The latest version of Cerebus at the time of this writing is the Win32 V1.4L Beta, which is a bundled installer that includes Cerebus 1.4L, Snort Win32 CVS 1.9 beta, and WinPcap 3.0 beta. It works on Windows 2000 and XP. This creates the Cerebus executable and also installs Snort and Winpcap. It creates executables with the appropriate parameters to run Snort in sniffer mode or IDS mode.
See Also
http://dragos.com/cerebus/
Creating HTML Log Analysis Output |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index