Generating Statistical Output from Snort Databases

Problem

You want to extract statistical information from the alerts Snort has logged to a database.

Solution

The most convenient way to obtain statistical information from Snort databases is to use ACID (the Analysis Console for Intrusion Databases). ACID produces statistics and charts broken down by time, sensor, signature, protocol, IP address, TCP/UDP port, and alert classification. It offers a searchable web GUI and reads alert data from the database rather than from Snort's alert files.

Discussion

ACID is a useful tool for viewing, analyzing, and graphing your Snort logs through a web page. It is a PHP-based analysis engine that searches and processes the alerts Snort has written to its database. Its features include a search engine, a packet viewer, alert management, and graph and statistics generation. The main page lists alerts by protocol and the percentage of alerts that are port scans (Figure 6-2). It also shows the total number of alerts, the number of unique alerts, and the number of distinct source IP addresses, destination IP addresses, source ports, and destination ports. Because the console exposes every alert in the database to anyone who can reach the page, restrict access to it (for example, with HTTP authentication over HTTPS, or by serving it only on a management network) and give it a database account with no more privileges than it needs.

Figure 6-2. ACID main page

From the main page you can choose from a variety of snapshot views, such as the most recent alerts by protocol, today's alerts, alerts in the past 24 or 72 hours, the latest source and destination ports, the most frequent source and destination ports, the most frequent alerts, and the most frequent addresses. Each snapshot can be filtered by parameters including protocol, IP address, and port. You can also produce bar, line, and pie graphs for various parameters and time periods (see Figure 6-3).

Figure 6-3. ACID graphing
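Every figure ACID shows on its main page and in its snapshots is an aggregate query over the tables Snort's database output plugin fills. The following script is an added example (it is not ACID's code and not part of the recipe): it rebuilds a subset of Snort's create_mysql schema (the signature, event, iphdr, tcphdr, and udphdr tables, with Snort 2.x column names) in an in-memory SQLite database, loads five constructed alerts against a fixed clock, and runs the queries behind ACID's main-page counters, its traffic-by-protocol breakdown, the "most frequent alerts" snapshot, and the "past 24/72 hours" windows. Treating an alert as a port scan when its signature name begins with spp_portscan is an assumption about how ACID classifies them; the sample alerts, signatures, and timestamps are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Fixed "now" so the time-window queries below are deterministic (constructed).
NOW = datetime(2005, 3, 1, 12, 0, 0)

# Subset of Snort's create_mysql schema; column names follow Snort 2.x.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_class_id INTEGER, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                     tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER,
                     udp_dport INTEGER, PRIMARY KEY (sid, cid));
"""
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}

# Constructed sample alerts: (cid, sig_id, hours_ago, ip_proto, src, dst, sport, dport)
SAMPLE_ALERTS = [
    (1, 1, 1, 6, "10.0.0.5", "192.168.1.10", 33000, 80),
    (2, 1, 2, 6, "10.0.0.5", "192.168.1.10", 33001, 80),
    (3, 2, 30, 1, "10.0.0.7", "192.168.1.10", None, None),   # ICMP, no ports
    (4, 3, 3, 6, "10.0.0.7", "192.168.1.20", 44000, 22),
    (5, 4, 10, 17, "10.0.0.9", "192.168.1.53", 5353, 53),
]
SAMPLE_SIGNATURES = [   # constructed: (sig_id, sig_name, sig_class_id, sig_priority)
    (1, "WEB-IIS cmd.exe access", 1, 1),
    (2, "ICMP PING NMAP", 2, 2),
    (3, "spp_portscan: PORTSCAN DETECTED", 2, 2),
    (4, "DNS named version attempt", 2, 2),
]

def ip_to_int(dotted):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def build_sample_db():
    """Create an in-memory Snort-style database holding the sample alerts (sensor id 1)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", SAMPLE_SIGNATURES)
    for cid, sig, hours_ago, proto, src, dst, sport, dport in SAMPLE_ALERTS:
        ts = (NOW - timedelta(hours=hours_ago)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, ?)",
                     (cid, ip_to_int(src), ip_to_int(dst), proto))
        if proto == 6:
            conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?)", (cid, sport, dport))
        elif proto == 17:
            conn.execute("INSERT INTO udphdr VALUES (1, ?, ?, ?)", (cid, sport, dport))
    return conn

def scalar(conn, sql, params=()):
    return conn.execute(sql, params).fetchone()[0]

def main_page_stats(conn):
    """The counters at the top of ACID's main page."""
    total = scalar(conn, "SELECT COUNT(*) FROM event")
    # Assumption: port-scan alerts are recognised by their spp_portscan signature name.
    scans = scalar(conn, """SELECT COUNT(*) FROM event e
                            JOIN signature s ON s.sig_id = e.signature
                            WHERE s.sig_name LIKE 'spp_portscan%'""")
    return {
        "total_alerts": total,
        "unique_alerts": scalar(conn, "SELECT COUNT(DISTINCT signature) FROM event"),
        "src_ips": scalar(conn, "SELECT COUNT(DISTINCT ip_src) FROM iphdr"),
        "dst_ips": scalar(conn, "SELECT COUNT(DISTINCT ip_dst) FROM iphdr"),
        "src_ports": {"TCP": scalar(conn, "SELECT COUNT(DISTINCT tcp_sport) FROM tcphdr"),
                      "UDP": scalar(conn, "SELECT COUNT(DISTINCT udp_sport) FROM udphdr")},
        "dst_ports": {"TCP": scalar(conn, "SELECT COUNT(DISTINCT tcp_dport) FROM tcphdr"),
                      "UDP": scalar(conn, "SELECT COUNT(DISTINCT udp_dport) FROM udphdr")},
        "portscan_pct": round(100.0 * scans / total, 1) if total else 0.0,
    }

def traffic_by_protocol(conn):
    """Alert count and percentage per IP protocol (the main-page protocol breakdown)."""
    total = scalar(conn, "SELECT COUNT(*) FROM iphdr")
    rows = conn.execute("SELECT ip_proto, COUNT(*) FROM iphdr GROUP BY ip_proto")
    return {PROTO_NAMES.get(p, str(p)): (n, round(100.0 * n / total, 1)) for p, n in rows}

def most_frequent_alerts(conn, limit=5):
    """'Most frequent alerts' snapshot: signature name with its hit count."""
    return conn.execute("""SELECT s.sig_name, COUNT(*) AS n FROM event e
                           JOIN signature s ON s.sig_id = e.signature
                           GROUP BY s.sig_name ORDER BY n DESC, s.sig_name
                           LIMIT ?""", (limit,)).fetchall()

def alerts_in_last_hours(conn, hours):
    """Time-window snapshot ('alerts in the past 24 or 72 hours')."""
    since = (NOW - timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M:%S")
    return scalar(conn, "SELECT COUNT(*) FROM event WHERE timestamp >= ?", (since,))

if __name__ == "__main__":
    db = build_sample_db()
    print(main_page_stats(db), traffic_by_protocol(db), most_frequent_alerts(db))
```

Source and destination ports are counted separately for TCP and UDP, as ACID displays them, because port 53/tcp and 53/udp are different services. Pointing the same queries at a real Snort MySQL or PostgreSQL database needs only a different connection object; the column names are Snort's own.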


See Also

http://acidlab.sourceforge.net/

Recipe 5.6, Performing Real Time Data Analysis
