Problem
You want to use Snortsnarf to analyze your Snort alert output.
Solution
Install Snortsnarf by using the following command:
[root@localhost root]# tar zxvf SnortSnarf-021111.1.tar.gz
Install the Time::ParseDate Perl module by downloading it and compiling it manually, or by using the following command:
[root@localhost root]# cd SnortSnarf-021111.1
[root@localhost SnortSnarf-021111.1]# perl -MCPAN -e 'install Time::ParseDate'
Next, make a directory in which to store the module and copy the files:
[root@localhost SnortSnarf-021111.1]# mkdir ./include/SnortSnarf/Time
[root@localhost SnortSnarf-021111.1]# cp /usr/lib/perl5/site_perl/5.8.0/Time/*.* ./include/SnortSnarf/Time
Next, you can run Snortsnarf to analyze your alerts file by using the following:
[root@localhost SnortSnarf-021111.1]# ./snortsnarf.pl /var/log/snort/alert
The output will be created in the snfout.alert directory in your current directory. Use a web browser to open the index.html file located within that directory (Figure 5-15). You may use the -d command-line option to specify an output directory, such as your /www directory.
Figure 5-15. Snortsnarf start page
You can also run Snortsnarf to analyze alerts in a MySQL Snort database by using the following:
[root@localhost SnortSnarf-021111.1]# ./snortsnarf.pl snort@localhost
The database input is specified in the form user:passwd@dbname@host:port. The @dbname parameter is optional and defaults to a database name of snort. The :port parameter is also optional and defaults to 3306. If you do not supply a password, you are prompted to enter it.
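The database input string above packs several fields into one argument, so it is easy to get wrong. The following shell function is an added example, not part of the recipe or of Snortsnarf itself: it splits a spec of the form user:passwd@dbname@host:port into its parts and applies the same defaults the recipe describes (dbname snort, port 3306), and it reports whether a password was embedded on the command line. It assumes the password itself contains no @ character, since the format gives no way to escape one.

```sh
# Parse a Snortsnarf database spec: user:passwd@dbname@host:port
# Defaults (per the recipe): dbname -> snort, port -> 3306.
# Prints one line: user=... dbname=... host=... port=... passwd_set=yes|no
# Assumption: the password does not contain '@'.
parse_dbspec() {
    spec="$1"
    hostport="${spec##*@}"      # text after the last '@' is host[:port]
    rest="${spec%@*}"           # everything before the last '@'
    case "$rest" in
        *@*) userpass="${rest%%@*}"; dbname="${rest#*@}" ;;
        *)   userpass="$rest";       dbname="snort" ;;
    esac
    case "$userpass" in
        *:*) user="${userpass%%:*}"; passwd_set="yes" ;;
        *)   user="$userpass";       passwd_set="no" ;;
    esac
    case "$hostport" in
        *:*) host="${hostport%%:*}"; port="${hostport#*:}" ;;
        *)   host="$hostport";       port="3306" ;;
    esac
    # passwd_set=yes means the password was given on the command line,
    # where it is visible in the process list and shell history; leaving
    # it out makes snortsnarf.pl prompt for it instead.
    printf '%s\n' "user=$user dbname=$dbname host=$host port=$port passwd_set=$passwd_set"
}

# Constructed sample specs: the recipe's minimal form and a fully qualified one.
parse_dbspec 'snort@localhost'
parse_dbspec 'snort:secret@snortdb@dbhost:3307'
```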
Discussion
Snortsnarf is a Perl script that takes one or more Snort input sources and converts the information into web pages. You can use the Snort alert files or a MySQL Snort database as input sources. The following command will show usage and help information:
[root@localhost root]# ./snortsnarf.pl -usage
To use Snortsnarf to read alerts from a MySQL database, you will need to download and compile the DBI and MySQL Perl modules:
[root@localhost SnortSnarf]# perl -MCPAN -e 'install DBI'
You must stop the MySQL database and restart it with the --skip-grant-tables option. This disables MySQL's privilege checks, so the module's automatic install script can log in as root without a password. Once the MySQL Perl module is installed, stop the server and restart it normally so that the grant tables are enforced again:
[root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql stop
[root@localhost SnortSnarf-021111.1]# /usr/local/mysql/bin/mysqld_safe --skip-grant-tables &
[root@localhost SnortSnarf-021111.1]# perl -MCPAN -e 'install Mysql'
[root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql stop
[root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql start
You can download the latest SnortDBInput module from http://www.bus.utexas.edu/services/cbacc/dbsupport/snortdbinput. Save the SnortDBInput-version.pm file to the directory /root/SnortSnarf-021111.1/include/SnortSnarf. Next, use the following commands to replace the old SnortDBInput module:
[root@localhost SnortSnarf]# rm SnortDBInput.pm
rm: remove regular file `SnortDBInput.pm'? y
[root@localhost SnortSnarf]# mv SnortDBInput-0.3.pm SnortDBInput.pm
See Also
http://www.bus.utexas.edu/services/cbacc/dbsupport/snortdbinput
http://www.snort.org/dl/contrib/data_analysis/snortsnarf/