SnortAlog : TippingPoint log Analyzer

Number of visitors:

Latest version: 2.4.3

SnortALog: IDS/IPS and Firewall Log Analyser

Information
What is SnortALog
Features
Log Compatibility
Changelog
Screen Shots
Reports
Requirements

Downloads
Download Section
Additional Files

Development
SnortALog Code

Support
Usage
Examples
Documentation

Logs
Snort
CheckPoint
Pix
NetScreen
Brick
NetFilter
IPFilter
PacketFilter
TippingPoint

Donate
Support SnortALog
My CV

TIPPINGPOINT Syslog Events Record Format

Column	Definition	Description
1	Defined Syslog facility, and Action Type : 7 is Permit 8 is Block 9 is P2P	[YEAR]-[MONTH]-[DAY] [HOUR]:[MIN]:[SES] [TP or SMS Device IP] [ACTION]
2	Severity : 0 is Normal 1 is Low 2 is Minor 4 is Critical	[SEVERITY]
3	Policy UUID	===
4	Signature UUID	===
5	Signature Friendly Name	[SIG]
6	Signature Number
7	Signature Protocol, IP, UDP, TCP, HTTP, and so on	[PROTO]
8	Source Address	[SADDR]
9	Source Port	[SPORT]
10	Destination Address	[DADDR]
11	Destination Port	[DPORT]
12	Hit Count	===
13	Device Slot, must be 3,5,7 or 8	[ETHER]
14	Device Segment	[ETHER]
15	Device Friendly Name of the device event was received	[HOST]
16	Category ID assigned to Signature	===
17	Event timestamp in milliseconds	===

TIPPINGPOIINT Syslog Events Record Example

Log 1: 2010-12-20 10:36:42 Local0.Notice 7,1,00000002-0002-0002-0002-000000000164,00000001-0001-0001-0001-000000000164,0164: ICMP: Echo Request (Ping),164,icmp,AAA.BBB.CCC.DDD,0,AAA.BBB.CCC.DDD,0,10,3,2,HOST_TippingPoint,84151549,1269132481073,4
Log 2: 2010-12-20 10:36:42 Local0.Notice 7,1,00000002-0002-0002-0002-000000001221,00000001-0001-0001-0001-000000001221,1221: SNMP: 'public' Access,1221,snmp,AAA.BBB.CCC.DDD,35473,AAA.BBB.CCC.DDD,161,1,3,2,HOST_TippingPoint,67446269,1269132481073,5
Log 3: 2010-12-20 10:36:42 Local0.Notice 7,1,00000002-0002-0002-0002-000000006899,00000001-0001-0001-0001-000000006899,6899: SSL: Certificate Using MD5 With RSA,6899,tcp,AAA.BBB.CCC.DDD,443,AAA.BBB.CCC.DDD,57653,1,3,2,HOST_TippingPoint,67447037,1269132527095,8
Log 4: 2010-12-20 10:36:42 Local0.Notice 7,1,00000002-0002-0002-0002-000000006924,00000001-0001-0001-0001-000000006924,6924: DNS: NXDOMAIN Response,6924,udp,AAA.BBB.CCC.DDD,1117,AAA.BBB.CCC.DDD,53,1,3,2,HOST_TippingPoint,67438588,1269132614060,24
Log 5: 2010-12-20 10:36:43 Local0.Warning 7,2,d1cc4780-0206-11e0-40f5-0329cfa0e502,00000001-0001-0001-0001-000000000819,0819: HTTP: admin.pl Access,819,http,AAA.BBB.CCC.DDD,53408,AAA.BBB.CCC.DDD,80,1,3,1,HOST_TippingPoint,84085757,1291910083056,18456
Log 6: 2010-12-20 10:36:43 Local0.Notice 7,1,d1cdce24-0206-11e0-40f5-0329cfa0e502,00000001-0001-0001-0001-000000004691,4691: HTTP: Adobe Macromedia Flash Download,4691,tcp,AAA.BBB.CCC.DDD,80,AAA.BBB.CCC.DDD,49393,6,3,1,HOST_TippingPoint,67308289,1291910096028,18457
Log 7: 2010-12-20 10:36:43 Local0.Notice 7,1,d1cf7bf5-0206-11e0-40f5-0329cfa0e502,00000001-0001-0001-0001-000000008061,8061: HTTP: HTTP Proxy Connect Attempt,8061,http,AAA.BBB.CCC.DDD,51365,AAA.BBB.CCC.DDD,8080,18,3,1,HOST_TippingPoint,67439612,1291910118000,18459
Log 8: 2010-12-20 10:36:43 Local0.Error 8,3,00000002-0002-0002-0002-000000001328,00000001-0001-0001-0001-000000001328,1328: HTTP: viewcode.jse Exploit,1328,http,AAA.BBB.CCC.DDD,17104,AAA.BBB.CCC.DDD,80,1,3,1,HOST_TippingPoint,17107965,1291996675019,19737
Log 9: 2010-12-20 16:37:27 Local0.Warning 8,2,00000002-0002-0002-0002-000000001079,00000001-0001-0001-0001-000000001079,1079: HTTP: IIS .htw Exploit,1079,http,AAA.BBB.CCC.DDD,23537,AAA.BBB.CCC.DDD,80,3,3,1,HOST_TippingPoint,17107787,1292859421033,25434
Log 10: 2010-12-20 16:39:29 Local0.Notice 7,1,d1cc6eb7-0206-11e0-40f5-0329cfa0e502,00000001-0001-0001-0001-000000001064,1064: HTTP: IIS msadcs.dll Access,1064,http,AAA.BBB.CCC.DDD,23641,AAA.BBB.CCC.DDD,80,1,3,1,HOST_TippingPoint,84085579,1292859450053,25435