You want to view alerts and data analysis in real time.
Use the Snort Alert Monitor (SAM) to view alerts and data analysis in real time. At the time of this writing, the latest version is sam_20040323_bin.zip. Use the following steps to install SAM on Windows:
C:SAM>java -jar sam.jar
Figure 6-4. SAM authentication
Figure 6-5. SAM main window
Use the following steps to install SAM on Linux:
[root@localhost root]# chmod a+x j2re-1_4_2_05-linux-i586-rpm.bin [root@localhost root]# ./j2re-1_4_2_05-linux-i586-rpm.bin [root@localhost root]# rpm -Uvh j2re-1_4_2_05-linux-i586.rpm
[root@localhost root]# mkdir SAM [root@localhost root]# cd SAM [root@localhost SAM]# unzip ../sam_20040323_bin.zip [root@localhost SAM]# /usr/java/j2re1.4.2_05/bin/java -jar sam.jar
SAM is a real-time monitor for Snort alerts. It runs on Windows, Unix, and Mac OS. SAM provides a high-level overview of the status of your environment. For example, if you are attacked 150 times in a five minute period, you might choose to receive an alert either on screen with a large stoplight graphic, through an alert sound, or via email. SAM is a nice addition to your Snort/ACID environment. To troubleshoot SAM, click on the SAM log tab for status and information.
There are a few prerequisites to running SAM:
You may want to edit the settings in the /conf/sam.properties file, particularly the email settings. Email is disabled by default. If you want to have this feature, you must enable it by setting the email.active variable to true and configuring the email server, sender, and receiver. The email.to variable can contain multiple, comma-separated email addresses. Emails are set only when the alertlevel.high variable is triggered. This parameter classifies the number of alerts that are received during a five minute period. You will also want to change the DatabaseUID variable to something more relevant to your environment than the default Mike's House. The mainpanel.refresh variable determines the number of minutes between refreshing the main display and graphs.
#Tue Mar 23 14:45:59 CST 2004 firstname.lastname@example.org LogFileLogger.LogFile=log/sam.log email.host=your.smtp.server.com email@example.com AttackColumns=9,3,0,10,8,2 alertlevel.medium=100 DatabaseUID=Mike's House Lookup-Threshhold=0.25 DisableLookup=false alertlevel.high=150 mainpanel.refresh=5 DatabaseType=MySQL DataSource=Local-Host email.active=false
To log in, you must have the following information:
The database ID that is configured in the sam.properties file.
The type of database to which you are connecting. MySQL and PostgreSQL are currently supported.
The hostname of the system with the Snort database and the port on which the database is listening.
The name of the Snort database.
The username to access the Snort database.
The password for the username.
Generating Text Based Log Analysis
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance