Latest version: 2.4.3

SnortALog: IDS/IPS and Firewall Log Analyser
 

Expected SNORT logs
 
SNORT syslog alert
Log 1: Jan 19 16:18:40 HOST_SNORT snort: [116:55:1] (snort_decoder): Truncated Tcp Options {TCP} AAA.BBB.CCC.DDD:80 -> AAA.BBB.CCC.DDD:1589
Log 2: Jan 19 16:18:40 HOST_SNORT snort: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING {TCP} AAA.BBB.CCC.DDD:23564 -> AAA.BBB.CCC.DDD:80
Log 3: Jan 19 16:18:40 HOST_SNORT snort: [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority:1]: {TCP} AAA.BBB.CCC.DDD:55023 -> AAA.BBB.CCC.DDD:80
Log 4: Jan 19 16:18:40 HOST_SNORT snort: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING {TCP} AAA.BBB.CCC.DDD:55053 -> AAA.BBB.CCC.DDD:80
Log 5: Jan 19 16:18:40 HOST_SNORT snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} AAA.BBB.CCC.DDD:49065 -> AAA.BBB.CCC.DDD:80
Log 6: Jan 19 16:18:40 HOST_SNORT snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} AAA.BBB.CCC.DDD:57696 -> AAA.BBB.CCC.DDD:80
Log 7: Jan 19 16:18:41 HOST_SNORT snort: [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority:1]: {TCP} AAA.BBB.CCC.DDD:55083 -> AAA.BBB.CCC.DDD:80
Log 8: Jan 19 16:18:41 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD:49082 -> AAA.BBB.CCC.DDD:80
Log 9: Jan 19 16:18:41 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD:4861 -> AAA.BBB.CCC.DDD:80
Log 10: Jan 19 16:18:41 HOST_SNORT snort: [1:2003:2] MS-SQL Worm propagation attempt[Classification: Misc Attack] [Priority: 2]: {UDP} AAA.BBB.CCC.DDD:10000 -> AAA.BBB.CCC.DDD:1434
Log 11: Jan 19 16:18:42 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD:33596 -> AAA.BBB.CCC.DDD:80
Log 12: Jan 19 16:18:42 HOST_SNORT snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {TCP} AAA.BBB.CCC.DDD:2188 -> AAA.BBB.CCC.DDD:1080
Log 13: Jan 19 16:18:42 HOST_SNORT snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} AAA.BBB.CCC.DDD:1594 -> AAA.BBB.CCC.DDD:1434
Log 14: Jan 19 16:18:42 HOST_SNORT snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} AAA.BBB.CCC.DDD:57711 -> AAA.BBB.CCC.DDD:80
Log 15: Jan 19 16:18:42 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD:80
Log 16: Jan 19 16:18:43 HOST_SNORT snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
Log 17: Jan 19 16:18:43 HOST_SNORT snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
Log 18: Jan 19 16:18:43 HOST_SNORT snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
 
SNORT syslog alert with interface
Log 1: Jan 19 16:22:08 HOST_SNORT snort: [1:615:4] SCAN SOCKS Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} AAA.BBB.CCC.DDD:4967 -> AAA.BBB.CCC.DDD:1080
Log 2: Jan 19 16:22:09 HOST_SNORT snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} AAA.BBB.CCC.DDD:1055 -> AAA.BBB.CCC.DDD:1434
Log 3: Jan 19 16:22:09 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD:60126 -> AAA.BBB.CCC.DDD:80
Log 4: Jan 19 16:22:09 HOST_SNORT snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} AAA.BBB.CCC.DDD:32233 -> AAA.BBB.CCC.DDD:80
Log 5: Jan 19 16:22:09 HOST_SNORT snort: [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority:1]: {TCP} AAA.BBB.CCC.DDD:43947 -> AAA.BBB.CCC.DDD:80
Log 6: Jan 19 16:22:10 HOST_SNORT snort: [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority:1]: {TCP} AAA.BBB.CCC.DDD:60145 -> AAA.BBB.CCC.DDD:80
Log 7: Jan 19 16:22:10 HOST_SNORT snort: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING {TCP} AAA.BBB.CCC.DDD:56917 -> AAA.BBB.CCC.DDD:80
Log 8: Jan 19 16:22:11 HOST_SNORT snort: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER {TCP} AAA.BBB.CCC.DDD:51620 -> AAA.BBB.CCC.DDD:80
Log 9: Jan 19 16:22:11 HOST_SNORT snort: [1:615:4] SCAN SOCKS Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} AAA.BBB.CCC.DDD:4967 -> AAA.BBB.CCC.DDD:1080
Log 10: Jan 19 16:22:11 HOST_SNORT snort: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING {TCP} AAA.BBB.CCC.DDD:57155 -> AAA.BBB.CCC.DDD:80
Log 11: Jan 19 16:22:12 HOST_SNORT snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} AAA.BBB.CCC.DDD:10310 -> AAA.BBB.CCC.DDD:80
Log 12: Jan 19 16:22:12 HOST_SNORT snort: [1:615:4] SCAN SOCKS Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} AAA.BBB.CCC.DDD:4899 -> AAA.BBB.CCC.DDD:1080
Log 13: Jan 19 16:22:12 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD:34169 -> AAA.BBB.CCC.DDD:80
Log 14: Jan 19 16:22:13 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD:2498 -> AAA.BBB.CCC.DDD:80
Log 15: Jan 19 16:22:13 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD:34305 -> AAA.BBB.CCC.DDD:80
Log 16: Jan 19 16:22:14 HOST_SNORT snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
 
SNORT fast alert
Log 1: 01/07-14:43:52.587754 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] {TCP} AAA.BBB.CCC.DDD:5927 -> AAA.BBB.CCC.DDD:80
Log 2: 01/07-14:43:52.694357 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} AAA.BBB.CCC.DDD:33948 -> AAA.BBB.CCC.DDD:80
Log 3: 01/07-14:43:53.767513 [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
Log 4: 01/07-14:43:53.908532 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} AAA.BBB.CCC.DDD:56012 -> AAA.BBB.CCC.DDD:80
Log 5: 01/07-14:43:54.060109 [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
Log 6: 01/07-14:43:54.160016 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} AAA.BBB.CCC.DDD:4294 -> AAA.BBB.CCC.DDD:80
Log 7: 01/07-14:43:54.395210 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} AAA.BBB.CCC.DDD:59877 -> AAA.BBB.CCC.DDD:80
Log 8: 01/07-14:43:54.968621 [**] [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [**] [Classification: Web Application Attack][Priority: 1] {TCP} AAA.BBB.CCC.DDD:45657 -> AAA.BBB.CCC.DDD:80
Log 9: 01/07-14:43:55.098308 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
Log 10: 01/07-14:43:55.213158 [**] [1:1417:2] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} AAA.BBB.CCC.DDD:52343 -> AAA.BBB.CCC.DDD:161
Log 11: 01/07-14:43:55.468081 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} AAA.BBB.CCC.DDD:38043 -> AAA.BBB.CCC.DDD:80
Log 12: 01/07-14:43:57.194970 [**] [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} AAA.BBB.CCC.DDD:1669 -> AAA.BBB.CCC.DDD:80
Log 13: 01/07-14:43:57.256372 [**] [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} AAA.BBB.CCC.DDD:1670 -> AAA.BBB.CCC.DDD:80
Log 14: 01/07-14:43:57.679360 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} AAA.BBB.CCC.DDD:4339 -> AAA.BBB.CCC.DDD:80
Log 15: 01/07-14:43:57.716392 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
Log 16: 01/07-14:43:57.769957 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} AAA.BBB.CCC.DDD:4340 -> AAA.BBB.CCC.DDD:80
Log 17: 01/07-14:43:58.722508 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] {TCP} AAA.BBB.CCC.DDD:59898 -> AAA.BBB.CCC.DDD:80
Log 18: 01/07-14:43:58.799836 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} AAA.BBB.CCC.DDD:45823 -> AAA.BBB.CCC.DDD:80
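An added example, not part of the SnortALog site or its Perl code, showing how the three single-line layouts above (syslog alert, syslog alert with interface, fast alert) can be read with one pattern: the [gid:sid:rev] tuple, the message, an optional Classification/Priority pair, the protocol and the two endpoints, where a port may be absent (ICMP alerts, and the syslog "Log 15" case). The sample lines are constructed from the page's placeholder addresses; parse_alert and summarize are names chosen here.

```python
import re
from collections import Counter

# Constructed sample mixing the syslog and fast-alert layouts shown above;
# addresses are the page's placeholders, and two lines deliberately carry
# no port (the ICMP alert and the syslog "Log 15" case).
SAMPLE = """\
Jan 19 16:18:40 HOST_SNORT snort: [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority:1]: {TCP} AAA.BBB.CCC.DDD:55023 -> AAA.BBB.CCC.DDD:80
Jan 19 16:18:40 HOST_SNORT snort: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING {TCP} AAA.BBB.CCC.DDD:23564 -> AAA.BBB.CCC.DDD:80
Jan 19 16:18:42 HOST_SNORT snort: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR {TCP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD:80
Jan 19 16:18:43 HOST_SNORT snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
01/07-14:43:55.213158 [**] [1:1417:2] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} AAA.BBB.CCC.DDD:52343 -> AAA.BBB.CCC.DDD:161
01/07-14:43:52.587754 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] {TCP} AAA.BBB.CCC.DDD:5927 -> AAA.BBB.CCC.DDD:80
"""
# One pattern for both layouts: a syslog prefix "<ts> <host> snort:" or a
# fast prefix "<ts> [**]", then [gid:sid:rev] and the message. Classification
# and Priority are optional (preprocessor alerts omit them), the space before
# them may be missing (syslog Log 10), and the trailing ':' is syslog-only.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d|\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
    r"(?: (?P<host>\S+) snort:| \[\*\*\])"
    r" \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)(?: \[\*\*\])?"
    r"(?: ?\[Classification: (?P<class>[^\]]*)\])?"
    r"(?: ?\[Priority: ?(?P<prio>\d+)\])?:?"
    r" \{(?P<proto>\w+)\} (?P<src>[^ :]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[^ :]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d

def summarize(text):
    """Tally alerts per signature and per (proto, dport); unparsed lines are counted, not dropped."""
    by_sig, by_dport, unparsed = Counter(), Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        by_sig[(a["gid"], a["sid"], a["msg"])] += 1
        by_dport[(a["proto"], a["dport"])] += 1
    return by_sig, by_dport, unparsed
```

Counting unparsed lines separately matters in practice: a Snort upgrade that changes the layout then shows up as a rising unparsed count instead of silently empty reports.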
 
SNORT full alert
Log 1:
[**] [1:1417:2] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/06-13:58:51.325191 AAA.BBB.CCC.DDD:34738 -> AAA.BBB.CCC.DDD:161
UDP TTL:253 TOS:0x0 ID:13274 IpLen:20 DgmLen:157 DF
Len: 129
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
Log 2:
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/06-13:53:02.671446 AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
ICMP TTL:90 TOS:0x0 ID:2670 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:59153 ECHO
[Xref => http://www.whitehats.com/info/IDS154]
Log 3:
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
01/06-13:54:05.199691 AAA.BBB.CCC.DDD:62156 -> AAA.BBB.CCC.DDD:80
TCP TTL:62 TOS:0x0 ID:52020 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x8C09D264 Ack: 0x527BB95E Win: 0x2238 TcpLen: 32
TCP Options (3) => NOP NOP TS: 12770095 58507
Log 4:
[**] [1:2307:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [**]
[Classification: Web Application Attack] [Priority: 1]
01/06-13:54:04.401463 AAA.BBB.CCC.DDD:22023 -> AAA.BBB.CCC.DDD:80
TCP TTL:61 TOS:0x0 ID:39349 IpLen:20 DgmLen:355
***AP*** Seq: 0xAE1AF5FA Ack: 0x7ED810E7 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 9362333 274702311
[Xref => http://www.securityfocus.com/bid/8791][Xref => http://cgi.nessus.org/plugins/dump.php3?id=11873]
 
SNORT full alert with interface
Log 1:
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
01/16-14:40:35.353241 AAA.BBB.CCC.DDD:33478 -> AAA.BBB.CCC.DDD:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:106
***AP*** Seq: 0x804AF2DF Ack: 0x3061FFC7 Win: 0x16D0 TcpLen: 20
Log 2:
[**] [1:2274:1] POP3 login brute force attempt [**]
[Classification: An attempted login using a suspicious username was detected] [Priority: 2]
01/16-14:48:16.763825 AAA.BBB.CCC.DDD:33663 -> AAA.BBB.CCC.DDD:110
TCP TTL:64 TOS:0x0 ID:46834 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0xA10E020F Ack: 0xED46058A Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1291491 925414768
Log 3:
[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/16-15:38:17.652364 AAA.BBB.CCC.DDD:80 -> AAA.BBB.CCC.DDD:33796
TCP TTL:114 TOS:0x0 ID:11570 IpLen:20 DgmLen:398 DF
***AP*** Seq: 0x3146A645 Ack: 0x5D1A0CEB Win: 0xFAF0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 15728304 1591586
Log 4:
[**] [1:1560:4] WEB-MISC /doc/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
01/16-16:27:27.831581 AAA.BBB.CCC.DDD:33932 -> AAA.BBB.CCC.DDD:80
TCP TTL:64 TOS:0x0 ID:57581 IpLen:20 DgmLen:560 DF
***AP*** Seq: 0x16202966 Ack: 0xB4CE8C70 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1886611 369328338
[Xref => http://www.securityfocus.com/bid/318][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678]
 
SNORT full alert with MAC Address
Log 1:
[**] [1:620:2] SCAN Proxy (8080) attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/25-11:32:05.147064 8:0:3E:0:1:AF -> 1:0:5E:12:80:8 type:0x800 len:0x3E
AAA.BBB.CCC.DDD:1070 -> AAA.BBB.CCC.DDD:8080 TCP TTL:63 TOS:0x0 ID:771 IpLen:20 DgmLen:48
******S* Seq: 0x462CD96B Ack: 0x0 Win: 0xAE4C TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
Log 2:
[**] [1:1415:2] SNMP Broadcast request [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/25-11:32:43.332905 0:50:4:EC:12:1A -> FF:FF:FF:FF:FF:FF type:0x800 len:0x62
AAA.BBB.CCC.DDD:1029 -> AAA.BBB.CCC.DDD:161 UDP TTL:128 TOS:0x0 ID:7680 IpLen:20 DgmLen:84
Len: 56
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
Log 3:
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from AAA.BBB.CCC.DDD (THRESHOLD 4 connections exceeded in 0 seconds) [**]
02/25-11:48:50.296493
Log 4:
[**] [100:2:1] spp_portscan: portscan status from AAA.BBB.CCC.DDD: 791 connections across 1 hosts: TCP(791), UDP(0) [**]
02/25-11:48:54.642665
Log 5:
[**] [100:3:1] spp_portscan: End of portscan from AAA.BBB.CCC.DDD: TOTAL time(2s) hosts(1) TCP(791) UDP(0) [**]
02/25-11:49:02.803625
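An added example (not the project's own code) for the multi-line full-alert records above: a record starts at its "[**] [gid:sid:rev] ... [**]" header, the IP flow is read either from the timestamp line (plain layout) or from the line after the MAC-address line (MAC layout), the protocol comes from whichever line carries "TTL:", and spp_portscan records carry only a timestamp. The sample is constructed from the page's records with placeholder addresses; parse_full_alerts is a name chosen here.

```python
import re
# Constructed sample of three full-alert records in the layouts shown above: a plain
# record with Xrefs, a record with the MAC-address line, and a spp_portscan record.
SAMPLE = """\
[**] [1:1417:2] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/06-13:58:51.325191 AAA.BBB.CCC.DDD:34738 -> AAA.BBB.CCC.DDD:161
UDP TTL:253 TOS:0x0 ID:13274 IpLen:20 DgmLen:157 DF
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
[**] [1:620:2] SCAN Proxy (8080) attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/25-11:32:05.147064 8:0:3E:0:1:AF -> 1:0:5E:12:80:8 type:0x800 len:0x3E
AAA.BBB.CCC.DDD:1070 -> AAA.BBB.CCC.DDD:8080 TCP TTL:63 TOS:0x0 ID:771 IpLen:20 DgmLen:48
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from AAA.BBB.CCC.DDD (THRESHOLD 4 connections exceeded in 0 seconds) [**]
02/25-11:48:50.296493
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: ([^\]]*)\] \[Priority: (\d+)\]")
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
# IP flow "src[:port] -> dst[:port]"; the MAC line cannot match because a MAC has more than one ':'.
FLOW_RE = re.compile(r"(?:^| )([^ :]+)(?::(\d+))? -> ([^ :]+)(?::(\d+))?(?: |$)")
# Protocol sits on its own line (plain layout) or after the flow (MAC layout).
PROTO_RE = re.compile(r"^(?:\S+ -> \S+ )?(\w+) TTL:")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")

def parse_full_alerts(text):
    """Return one dict per record; a record starts at a '[**] [gid:sid:rev]' line."""
    records, cur = [], None
    for line in text.splitlines():
        if h := HEADER_RE.match(line):
            cur = dict(gid=int(h[1]), sid=int(h[2]), msg=h[4], cls=None, prio=None, ts=None,
                       proto=None, src=None, sport=None, dst=None, dport=None, xrefs=[])
            records.append(cur)
            continue
        if cur is None:
            continue
        if c := CLASS_RE.search(line):
            cur["cls"], cur["prio"] = c[1], int(c[2])
        if t := TS_RE.match(line):
            cur["ts"] = t[1]
        if f := FLOW_RE.search(line):
            cur["src"], cur["dst"] = f[1], f[3]
            cur["sport"] = int(f[2]) if f[2] else None
            cur["dport"] = int(f[4]) if f[4] else None
        if p := PROTO_RE.match(line):
            cur["proto"] = p[1]
        cur["xrefs"] += XREF_RE.findall(line)
    return records
```

The Xref URLs collected per record are what an analyser can use to enrich a report with the referenced CVE or BID entries.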

powered by Jérémy Chartier
© SnortALog 2000-2011