Installing and Configuring Snortsnarf

Problem

You want to use Snortsnarf to analyze your Snort alert output.

Solution

Install Snortsnarf by using the following command:

[root@localhost root]# tar zxvf SnortSnarf-021111.1.tar.gz

Install the Time::ParseDate Perl module by downloading it and compiling it manually, or by using the following command:

[root@localhost root]# cd SnortSnarf-021111.1

[root@localhost SnortSnarf-021111.1]# perl -MCPAN -e 'install Time::ParseDate'

Next, make a directory in which to store the module and copy the files:

[root@localhost SnortSnarf-021111.1]# mkdir ./include/SnortSnarf/Time

[root@localhost SnortSnarf-021111.1]# cp /usr/lib/perl5/site_perl/5.8.0/Time/*.* ./include/SnortSnarf/Time

Next, you can run Snortsnarf to analyze your alerts file by using the following:

[root@localhost SnortSnarf-021111.1]# ./snortsnarf.pl /var/log/snort/alert

The output will be created in the snfout.alert directory in your current directory. Use a web browser to open the index.html file located within that directory (Figure 5-15). You may use the -d command-line option to specify an output directory, such as your /www directory.

Figure 5-15. Snortsnarf start page
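The unpack, Time::ParseDate and first-run steps above, collected into one script. This is an added example, not code from the Snort Cookbook or from the Snortsnarf project; instead of hard-coding the /usr/lib/perl5/site_perl/5.8.0 path it asks perl where Time::ParseDate was installed, so it works with whichever perl the sensor has. The tarball name and alert path are the ones used in the recipe; the /www/snortsnarf output directory is an assumption.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook or the Snortsnarf project:
# unpack Snortsnarf, stage Time::ParseDate under include/SnortSnarf/Time,
# and run the first report. Asks perl for the module's location instead of
# assuming the site_perl/5.8.0 path shown in the recipe.
set -e

TARBALL=${TARBALL:-SnortSnarf-021111.1.tar.gz}   # file name used in the recipe
SRCDIR=${TARBALL%.tar.gz}                         # SnortSnarf-021111.1
ALERT_FILE=${ALERT_FILE:-/var/log/snort/alert}    # path used in the recipe
OUTDIR=${OUTDIR:-/www/snortsnarf}                 # assumed output directory

# Given the path of Time/ParseDate.pm as reported by perl, return the Time/
# directory whose .pm files have to be copied into include/SnortSnarf/.
# Fails if the path does not look like a Time::* module file.
time_dir_from_pm_path() {
  case $1 in
    */Time/*.pm) printf '%s\n' "${1%/Time/*}/Time" ;;
    *) echo "not a Time::* module path: $1" >&2; return 1 ;;
  esac
}

install_snortsnarf() {
  [ -f "$TARBALL" ] || { echo "missing $TARBALL" >&2; return 1; }
  tar zxf "$TARBALL"
  cd "$SRCDIR"
  # Install Time::ParseDate from CPAN only if perl cannot already load it.
  perl -MTime::ParseDate -e 1 2>/dev/null || perl -MCPAN -e 'install Time::ParseDate'
  pm=$(perl -MTime::ParseDate -e 'print $INC{"Time/ParseDate.pm"}')
  src=$(time_dir_from_pm_path "$pm")
  mkdir -p include/SnortSnarf/Time
  cp "$src"/*.pm include/SnortSnarf/Time/
  # First run; -d puts the HTML tree under $OUTDIR instead of ./snfout.alert.
  ./snortsnarf.pl -d "$OUTDIR" "$ALERT_FILE"
}

# Run the whole procedure only when invoked as:  sh install-snortsnarf.sh run
if [ "${1:-}" = run ]; then
  install_snortsnarf
fi
```

Copying only the .pm files (rather than the recipe's `*.*`) is deliberate: those are the files Snortsnarf's bundled include tree needs, and it avoids dragging along stray build artifacts from site_perl.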

You can also run Snortsnarf to analyze alerts in a MySQL Snort database by using the following:

[root@localhost SnortSnarf-021111.1]# ./snortsnarf.pl snort@localhost

The database input is specified in the form user:passwd@dbname@host:port. The @dbname parameter is optional and defaults to a database name of snort. The :port parameter is also optional and defaults to 3306. If you do not supply a password, you are prompted to enter it.

Discussion

Snortsnarf is a Perl script that takes one or more Snort input sources and converts the information into web pages. You can use the Snort alert files or a MySQL Snort database as input sources. The following command will show usage and help information:

[root@localhost root]# ./snortsnarf.pl -usage

To use Snortsnarf to read alerts from a MySQL database, you will need to download and compile the DBI and MySQL Perl modules:

[root@localhost SnortSnarf]# perl -MCPAN -e 'install DBI'

You must stop the MySQL database and restart it without grant tables. Running without grant tables lets the module's automated install script log in as root without a password. Once the install of the MySQL Perl module has completed, stop the MySQL database and restart it normally.

[root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql stop

[root@localhost SnortSnarf-021111.1]# /usr/local/mysql/bin/mysqld_safe --skip-grant-tables &

[root@localhost SnortSnarf-021111.1]# perl -MCPAN -e 'install Mysql'

[root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql stop

[root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql start
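While --skip-grant-tables is in effect, anyone who can reach the server has full privileges, so the step that matters most in the sequence above is the final stop/start, and it is the one that gets skipped when the CPAN install fails half way or the session is killed. The script below wraps the recipe's own commands so that the restart with authentication enforced happens no matter how the install ends. It is an added example, not code from the Snort Cookbook or the Snortsnarf project; the init script and mysqld_safe paths are the ones used in the recipe, the state file path is an assumption, and --skip-networking (a real mysqld option that disables the TCP listener) is an addition that keeps the unauthenticated server reachable only through the local socket for the few minutes the module builds.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook: run the Mysql module install
# with grant tables disabled, and guarantee that MySQL comes back with
# authentication enforced even if the install fails or the shell is killed.
MYSQL_INIT=${MYSQL_INIT:-/etc/init.d/mysql}                    # from the recipe
MYSQLD_SAFE=${MYSQLD_SAFE:-/usr/local/mysql/bin/mysqld_safe}   # from the recipe
STATE_FILE=${STATE_FILE:-/var/run/snortsnarf-mysql-auth}       # assumed path

# Does a process listing (output of `ps -eo args`) show a mysqld running
# without grant tables? Used to confirm the restore step really took effect.
auth_disabled_in() {
  printf '%s\n' "$1" | grep -q -- 'mysqld.*--skip-grant-tables'
}

restore_auth() {
  "$MYSQL_INIT" stop
  "$MYSQL_INIT" start
  echo enforced > "$STATE_FILE"
}

# Run the given command while grant tables are disabled, then restore.
# The EXIT/INT/TERM trap covers Ctrl-C and a failing install alike.
with_grant_tables_skipped() {
  "$MYSQL_INIT" stop
  # --skip-networking is an addition to the recipe: no TCP listener while
  # the server accepts any login, only the local socket the CPAN tests use.
  "$MYSQLD_SAFE" --skip-grant-tables --skip-networking &
  echo disabled > "$STATE_FILE"
  trap restore_auth EXIT INT TERM
  rc=0
  "$@" || rc=$?
  restore_auth
  trap - EXIT INT TERM
  if auth_disabled_in "$(ps -eo args 2>/dev/null)"; then
    echo "warning: a mysqld is still running with --skip-grant-tables" >&2
  fi
  return $rc
}

# Usage:  sh mysql-module-install.sh run
if [ "${1:-}" = run ]; then
  with_grant_tables_skipped perl -MCPAN -e 'install Mysql'
fi
```

The state file is only a breadcrumb: if a host ever shows "disabled" there after the script has exited, something interrupted the restore and the process listing check should be run by hand.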

You can download the latest SnortDBInput module from http://www.bus.utexas.edu/services/cbacc/dbsupport/snortdbinput. Save the SnortDBInput-version.pm file to the directory /root/SnortSnarf-021111.1/include/SnortSnarf. Next, use the following commands to replace the old SnortDBInput module:

[root@localhost SnortSnarf]# rm SnortDBInput.pm

rm: remove regular file `SnortDBInput.pm'? y

[root@localhost SnortSnarf]# mv SnortDBInput-0.3.pm SnortDBInput.pm

 

See Also

http://www.bus.utexas.edu/services/cbacc/dbsupport/snortdbinput

http://www.snort.org/dl/contrib/data_analysis/snortsnarf/

Snort Cookbook
ISBN: 0596007914
Year: 2006