Snortsnarf, Snort log file analysis
Results 1 to 5 of 5

Thread: Snortsnarf, Snort log file analysis

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    148

    Snortsnarf, Snort log file analysis

    I have sucessfully installed and configured snortsnarf. This is suposed to produce HTML output from my log files in a more understandable format. I fed it a long file from

    ..\logs\127.0.0.1\TCP_3127-80.ids

    As it did its thing, it complained about unrecognized formats. Thus I am led to understand that the file I gave it for input is not a valid snort log file format, thus it does not know how to parse it.

    My Alert.ids is empty, though snort definately works. Snort starts with my computer with a program called IDS center. It issues all the DOS commands to get snort up and running without me haveing to. And I can start and stop snort with the click of a button. Snort runs with no errors, which I would asume means everything is ok.

    I think alert.ids is empty because non of the rules matched to flag a breakin yet. I tryed to use snot to generate excessive snort alerts, but failed, and I later discoverd that was because the new version of Snort has a fix for the snot atack.

    What are these TCP_xxxx-80.ids files, and what do they mean. And is there any way I can generate some alerts?

    I even tryed feeding Snot a ICMP rule file and it could not generate any alerts.
    In snatches, they learn something of the wisdom
    which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~

  2. #2
    Junior Member
    Join Date
    Sep 2001
    Posts
    8
    The TCP_xxxx-80.ids files should be the indivual alerts themselves. The TCP is the protocol that was used. You might see UDP as well. The xxxx portion is the alert number from the particular IDS. In this case it is the 3,127th alert that your IDS has created. The 80 indicates the port that the attempt was made to. That is all I can pretty much tell you since I use ACID for my snort logs.

  3. #3
    Senior Member
    Join Date
    Jun 2002
    Posts
    148
    Thank you, it makes more sence now as to what those files are. I stoped useing snortsnarf and am now useing WinSnort2HTML for analizeing my logs, I looked into ACID but I dont have any database for it.

    I have determines why alert.ids was empty. After a few months of thinking snort was working, and haveing a empty alert.ids got me thinking. But since I used IDScenter and there were no errors in the overview section of IDScenter, I was led to believe snort was running quietly in the background. I noticed a button for test configuration, so I stoped snort, and tested my configuration, which then informed me there was a fata error, I had an invalid argument to one of the preprocessors, which I then dicovered was I had typed the argument list in the wrong format. I fix this and saved the configuraton. And now snort is loging to alert.ids
    In snatches, they learn something of the wisdom
    which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    I would really consider looking into using ACID or Demarc. You will really appreciate taking the time to do it as it will give you much better log analysis, and will do it in real-time since it reads directly from a database. I would not worry about having a seperate database server or anything like that. Just use MySQL, it is easy and best of all, free.

    I don't know if this has been mentioned before here and it is slightly off topic, but for all windows geeks who would like to manage Snort policies via a nice GUI, check out the product at http://www.activeworx.com. I have had tons of people tell me they really like it. I tried it myself and have to admit, it is pretty good.

  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    148
    I have installed My SQL once, but my system has only 32MB of RAM, and running at 133MHz. I may try it again but the last time I tryed it slowed my computer to a point where every time it booted, it would crash.

    I cant seem to find anything to analize my logs that dont require any sort of database. I have PHP, but no database for it
    In snatches, they learn something of the wisdom
    which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •