Generating Text-Based Log Analysis
Problem
You want to view alert statistics quickly and efficiently.
Solution
Use Cerebus, a text-based alert browser and analyzer. Installing Cerebus is easy: download the executable file and run it; no installation is necessary. At the time of this writing, the latest standalone version of Cerebus is 1.4. To run Cerebus on Windows, double-click the cerebus-win32-v1-4.exe file. This opens the GUI viewer. You may be asked for the location of the sid-msg.map file, which is in the C:\Snort\etc directory by default (Cerebus needs it to translate the numeric signature IDs in unified records into rule messages). Once the GUI is open, choose File → Open/Merge Alert Files to locate and open your unified output log. You will then be able to view, browse, sort, and manipulate alerts (Figure 6-6).
Figure 6-6. Cerebus for Windows
To install Cerebus on Unix, you will need to change permissions on the downloaded file to make it executable:
[root@localhost root]# chmod u+x cerebus-linux-v1.4
To run Cerebus on Unix, use the following command-line syntax, giving the location of the unified alert file first and the sid-msg.map file second (the map is required because unified records carry only generator and signature IDs, not message text):
[root@localhost root]# ./cerebus-linux-v1.4 /var/log/snort/snort.alert.1092356570 ./etc/sid-msg.map
You will then be able to view, browse, sort, and manipulate alerts in a Unix text window (Figure 6-7).
Figure 6-7. Cerebus for Unix
Discussion
Cerebus is a text-based alert file browser and data correlator for Snort alerts in the unified output format. It runs on Windows, Linux, and OpenBSD. Cerebus is a standalone program with an embedded database for loading multiple Snort alert files and making real-time queries. It also allows you to quickly remove unwanted alerts for easy browsing. It was developed to efficiently process large amounts of IDS data.
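Cerebus reads Snort's binary unified output, which is why it asks for sid-msg.map: the unified records identify a rule only by its numeric IDs, and the map supplies the message text. The script below is an added example, not Cerebus and not Snort's own code, that performs the same basic job (load alerts, drop unwanted signatures, count by signature, host and priority) on Snort's line-oriented alert_fast output together with a sid-msg.map. The alert lines and the map excerpt are constructed sample data; the parser assumes IPv4 addresses and the alert_fast layout with optional Classification and Priority fields, and it counts any line it cannot parse instead of silently skipping it.

```python
"""Quick alert statistics from Snort alert_fast output plus sid-msg.map."""
import re
from collections import Counter

# Constructed excerpt in the "sid || msg || reference || ..." layout of
# Snort's etc/sid-msg.map (not the real file).
SID_MSG_MAP = """\
# sid || msg || references   (constructed excerpt)
1201 || ATTACK-RESPONSES 403 Forbidden
1917 || SCAN UPnP service discover attempt
2003 || MS-SQL Worm propagation attempt || cve,2002-0649
"""

# Constructed alert_fast lines (not a real capture). One is deliberately
# corrupt to show that unparseable input is counted rather than ignored.
ALERT_LOG = """\
08/12-15:42:50.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.5:1434 -> 10.0.0.1:1434
08/12-15:42:51.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.5:1434 -> 10.0.0.2:1434
08/12-15:43:02.500000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.9:1900 -> 239.255.255.250:1900
08/12-15:43:10.000000  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:80 -> 192.168.1.5:3344
08/12-15:43:11.000000  [**] [1:9999999:1] local rule without map entry [**] {ICMP} 192.168.1.5 -> 10.0.0.1
this line is corrupt and must be counted as unparsed
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
# Classification and Priority are optional; ICMP lines carry no ports. IPv4 only.
ALERT_FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def load_sid_msg_map(text):
    """Return {sid: msg}. Comment lines, blank lines and malformed entries are skipped."""
    sid_to_msg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        sid_to_msg[int(fields[0])] = fields[1]
    return sid_to_msg


def parse_alert_fast(text):
    """Return (alerts, unparsed_count); a malformed line is counted, never silently dropped."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_FAST_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev"):
            a[key] = int(a[key])
        a["prio"] = int(a["prio"]) if a["prio"] else None
        # strip the port if present ("1.2.3.4:80" -> "1.2.3.4"; ICMP has none)
        a["src_ip"] = a["src"].rsplit(":", 1)[0]
        a["dst_ip"] = a["dst"].rsplit(":", 1)[0]
        alerts.append(a)
    return alerts, unparsed


def summarize(alerts, sid_to_msg, drop_sids=frozenset()):
    """Count kept alerts by signature, source, destination and priority.

    drop_sids plays the role of Cerebus's "remove unwanted alerts": noisy SIDs
    are excluded before counting. sid-msg.map is consulted first because unified
    output carries only numeric IDs; the message in the line is the fallback
    for local rules that are missing from the map.
    """
    kept = [a for a in alerts if a["sid"] not in drop_sids]
    by_sig = Counter()
    for a in kept:
        by_sig[(a["sid"], sid_to_msg.get(a["sid"], a["msg"]))] += 1
    return {
        "total": len(kept),
        "by_sig": by_sig,
        "by_src": Counter(a["src_ip"] for a in kept),
        "by_dst": Counter(a["dst_ip"] for a in kept),
        "by_prio": Counter(a["prio"] for a in kept),
    }


def report(summary, unparsed, top=5):
    """Render the summary as plain text, one section per counter."""
    lines = [f"alerts counted: {summary['total']}   unparsed lines: {unparsed}"]
    for title, counter in (("by signature", summary["by_sig"]),
                           ("top sources", summary["by_src"]),
                           ("top destinations", summary["by_dst"]),
                           ("by priority", summary["by_prio"])):
        lines.append(f"-- {title}")
        for key, n in counter.most_common(top):
            lines.append(f"{n:6d}  {key}")
    return "\n".join(lines)


if __name__ == "__main__":
    sidmap = load_sid_msg_map(SID_MSG_MAP)
    alerts, unparsed = parse_alert_fast(ALERT_LOG)
    print(report(summarize(alerts, sidmap, drop_sids={1917}), unparsed))
```

Point ALERT_LOG at a real alert file (open(...).read()) and SID_MSG_MAP at /etc/snort/sid-msg.map or C:\Snort\etc\sid-msg.map to use it on live data; the non-zero unparsed count is the check that tells you a sensor has switched output format or a log has been truncated mid-line, which a silent parser would hide.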
The latest version of Cerebus at the time of this writing is the Win32 V1.4L Beta, a bundled installer that includes Cerebus 1.4L, Snort Win32 CVS 1.9 beta, and WinPcap 3.0 beta. It works on Windows 2000 and XP. The installer creates the Cerebus executable and also installs Snort and WinPcap, and it creates executables with the appropriate parameters to run Snort in sniffer mode or IDS mode.
See Also
http://dragos.com/cerebus/