Installing and Configuring Snortsnarf

Problem

You want to use Snortsnarf to analyze your Snort alert output.

Solution

Install Snortsnarf by using the following command:

[root@localhost root]# tar zxvf SnortSnarf-021111.1.tar.gz

Install the Time::ParseDate Perl module by downloading it and compiling it manually, or by using the following command:

[root@localhost root]# cd SnortSnarf-021111.1 [root@localhost SnortSnarf-021111.1]# perl -MCPAN -e 'install Time::ParseDate'

Next, make a directory in which to store the module and copy the files:

[root@localhost SnortSnarf-021111.1]# mkdir ./include/SnortSnarf/Time [root@localhost SnortSnarf-021111.1]# cp /usr/lib/perl5/site_perl/ 5.8.0/Time/*.* ./include/SnortSnarf/Time

Next, you can run Snortsnarf to analyze your alerts file by using the following:

[root@localhost SnortSnarf-021111.1]# ./snortsnarf.pl /var/log/snort /alert

The output will be created in the snfout.alert directory in your current directory. Use a web browser to open the index.html file located within that directory (Figure 5-15). You may use the -d command-line option to specify an output directory, such as your /www directory.

Figure 5-15. Snortsnarf start page

You can also run Snortsnarf to analyze alerts in a MySQL Snort database by using the following:

[root@localhost SnortSnarf-021111.1]# ./snortsnarf.pl snort@localhost

The database input is specified in the form user:passwd@dbname@host:port. The @dbname parameter is optional and defaults to a database name of snort. The :port parameter is also optional and defaults to 3306. If you do not supply a password, you are prompted to enter it.

Discussion

Snortsnarf is a Perl script that takes one or more Snort input sources and converts the information into web pages. You can use the Snort alert files or a MySQL Snort database as input sources. The following command will show usage and help information:

[root@localhost root]# ./snortsnarf.pl -usage

To use Snortsnarf to read alerts from a MySQL database, you will need to download and compile the DBI and MySQL Perl modules:

[root@localhost SnortSnarf]# perl -MCPAN -e 'install DBI'

You must stop the MySQL database and restart it without grant tables. This starts the database so that the automatic script can log in as root without a password. Once you have completed the install for the MySQL Perl module, you must stop and restart the MySQL database.

[root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql stop [root@localhost SnortSnarf-021111.1]# /usr/local/mysql/bin/mysqld_safe --skip-grant-tables & [root@localhost SnortSnarf-021111.1]# perl -MCPAN -e 'install Mysql' [root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql stop [root@localhost SnortSnarf-021111.1]# /etc/init.d/mysql start

You can download the latest SnortDBInput module from http://www.bus.utexas.edu/services/cbacc/dbsupport/snortdbinput. Save the SnortDBInput-version.pm file to the directory /root/SnortSnarf-021111.1/include/SnortSnarf. Next, use the following commands to replace the old SnortDBInput module:

[root@localhost SnortSnarf]# rm SnortDBInput.pm rm: remove regular file `SnortDBInput.pm'? y [root@localhost SnortSnarf]# mv SnortDBInput-0.3.pm SnortDBInput.pm

See Also

http://www.bus.utexas.edu/services/cbacc/dbsupport/snortdbinput

http://www.snort.org/dl/contrib/data_analysis/snortsnarf/