Analyzing and Graphing Logs

Problem

You want to analyze attacks and produce graphs.

Solution

Use SnortALog to produce statistics and graphs of your Snort data.

The following command will generate a full set of reports in HTML format from your Snort alert logs (Figure 6-8):

[root@localhost snortalog_v2.2]# cat /var/log/snort/alert | ./snortalog.pl -r -i -h test.html -report

You can also use ACID to analyze and graph logs.

Figure 6-8. SnortALog main page


Discussion

SnortALog is a Perl script that summarizes logs and produces statistics and graphs in ASCII, PDF, or HTML format. SnortALog can analyze Snort's logs in all formats (Syslog, Fast, and Full alerts). It can also summarize Check Point FW-1 (NG and 4.1), Netfilter, and IPFilter logs. You can use either the command-line interface or the GUI to produce the specific reports you need. SnortALog produces various statistics and graphs, including distribution of events by hour and day; distribution of events by destination port, protocol, and type of log; popularity of a single source or destination host; events to and from a single host with the same method; events grouped by attack; and distribution of attack methods.
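The following Python script is an added example, not SnortALog's own code, of the kind of summarization the Discussion describes: it parses a few constructed alert lines in Snort's fast-alert format, tallies events by hour, destination port, protocol, signature and source host, and renders each distribution as an ASCII bar chart like SnortALog's ASCII mode. The sample alerts, the rule names and the addresses (RFC 5737 documentation ranges) are constructed for the example; the parser assumes IPv4 addresses and the fast format only.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format (not taken from the page).
# The last line is deliberately malformed to show that non-alert lines are skipped.
SAMPLE_ALERTS = """\
01/13-10:15:32.123456  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.10:44512 -> 198.51.100.5:80
01/13-10:17:05.000001  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.10:44520 -> 198.51.100.5:80
01/13-11:02:44.500000  [**] [1:1000002:1] LOCAL ssh scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:51000 -> 198.51.100.5:22
01/13-11:03:01.250000  [**] [1:1000003:1] LOCAL icmp sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.9
this line is not an alert and is skipped
"""

# One fast-format alert per line: timestamp, [gid:sid:rev], message, optional
# classification and priority, {PROTO}, then src[:port] -> dst[:port] (IPv4 only here).
FAST_ALERT_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):(?P<min>\d\d):(?P<sec>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+?)(?::(?P<dport>\d+))?$"
)


def parse_fast_alerts(text):
    """Return one dict per well-formed fast-format alert line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        match = FAST_ALERT_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def summarize(events):
    """Build the distributions SnortALog reports: by hour, destination port,
    protocol, signature (rule message) and source host."""
    return {
        "by_hour": Counter(e["hour"] for e in events),
        # ICMP events carry no port; group them under "-" rather than dropping them.
        "by_dport": Counter(e["dport"] or "-" for e in events),
        "by_proto": Counter(e["proto"] for e in events),
        "by_signature": Counter(e["msg"] for e in events),
        "by_src": Counter(e["src"] for e in events),
    }


def ascii_bar_chart(counter, width=30):
    """Render a Counter as lines of 'label count ####', scaled so the busiest
    bucket fills `width` characters; returns the lines rather than printing."""
    if not counter:
        return []
    top = max(counter.values())
    lines = []
    for key, n in counter.most_common():
        bar = "#" * max(1, round(n * width / top))
        lines.append(f"{key:<28} {n:>5} {bar}")
    return lines


if __name__ == "__main__":
    # Usage: python thisfile.py < /var/log/snort/alert (fast format); with no stdin
    # data it falls back to the constructed sample above.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALERTS
    report = summarize(parse_fast_alerts(data or SAMPLE_ALERTS))
    for title, counter in report.items():
        print(f"== {title} ==")
        print("\n".join(ascii_bar_chart(counter)))
        print()
```

Feed it the fast-format alert file on standard input to get the same distributions for real data; events that fail to parse are silently dropped, so a large gap between `wc -l` on the alert file and the event total is the first thing to check when the numbers look low.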

At the time of this writing, the latest version is 2.2.1. Make sure you install the necessary dependencies for the components of SnortALog that you want to use. Use the following commands to install SnortALog:

[root@localhost root]# tar zxvf snortalog_v2.2.1.tgz
[root@localhost root]# cd snortalog_v2.2
[root@localhost snortalog_v2.2]# perl -MCPAN -e 'install DB_File'

SnortALog has several prerequisites for its various functions. To generate charts and graphs, you must install the following:

[root@localhost root]# tar zxvf gd-2.0.11.tar.gz
[root@localhost root]# cd gd-2.0.11
[root@localhost gd-2.0.11]# ./configure
[root@localhost gd-2.0.11]# make
[root@localhost gd-2.0.11]# make install
[root@localhost root]# tar zxvf GD-1.19.tar.gz
[root@localhost root]# cd GD-1.19
[root@localhost GD-1.19]# perl Makefile.PL
[root@localhost GD-1.19]# make
[root@localhost GD-1.19]# make install
[root@localhost root]# tar zxvf GDTextUtil-0.85.tar.gz
[root@localhost root]# cd GDTextUtil-0.85
[root@localhost GDTextUtil-0.85]# perl Makefile.PL
[root@localhost GDTextUtil-0.85]# make
[root@localhost GDTextUtil-0.85]# make install
[root@localhost root]# tar zxvf GDGraph-1.39.tar.gz
[root@localhost root]# cd GDGraph-1.39
[root@localhost GDGraph-1.39]# perl Makefile.PL
[root@localhost GDGraph-1.39]# make
[root@localhost GDGraph-1.39]# make install

To generate PDF reports, you must install the following:

[root@localhost root]# tar zxvf htmldoc-1.8.23-source.tar.gz
[root@localhost root]# cd htmldoc-1.8.23
[root@localhost htmldoc-1.8.23]# ./configure
[root@localhost htmldoc-1.8.23]# make
[root@localhost htmldoc-1.8.23]# make install
[root@localhost root]# tar zxvf HTML-HTMLDoc-0.07.tar.gz
[root@localhost root]# cd HTML-HTMLDoc-0.07
[root@localhost HTML-HTMLDoc-0.07]# perl Makefile.PL
[root@localhost HTML-HTMLDoc-0.07]# make
[root@localhost HTML-HTMLDoc-0.07]# make install

Finally, to use the GUI frontend, you must install the Tk Perl module. If you are not going to use the GUI, chart, or PDF features, you must comment out the corresponding module loads in the snortalog.pl file so the script does not fail on the missing modules. Once you have SnortALog installed, you can view usage information by typing the following:

[root@localhost snortalog_v2.2]# ./snortalog.pl -help

ACID is a great tool to use for viewing, analyzing, and graphing your Snort logs via a web page. It is a PHP-based analysis engine that searches and processes your IDS database logs. Some of its features include a search engine, packet viewer, alert management, and graphing and statistics generation. ACID provides a lot of different analysis and statistics information. You can also produce graphs (bar, line, and pie) for various parameters and time periods.

See Also

http://jeremy.chartier.free.fr/snortalog/

Recipe 5.6

Recipe 6.2
