You can pipe the log file into SnortALog on standard input, as shown by the following shell command:
- cat logs.file | ./snortalog.pl -r -n 50
Why did I not ask for a specific file name?
Just for one reason (but a smart one :-). For daily log rotation, I use the file name format file_yyyymmdd.log (year, month and day). So it is easy for me to generate daily, weekly, monthly and yearly reports by feeding the matching files to standard input, without any file renaming.
Alternatively, you can use the "-file" option to specify an alert log file:
- ./snortalog.pl -file logs.file -r -n 50
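As an added example (not part of SnortALog), here is a small POSIX shell wrapper that turns the file_yyyymmdd.log convention into daily, monthly and yearly runs: it builds the glob for the requested period, concatenates the matching files and pipes them to snortalog.pl on standard input exactly as above. LOGDIR, PREFIX, SNORTALOG and the function names are assumptions of this example. A weekly report is the same pipeline fed an explicit list of seven daily files, since a yyyymmdd glob cannot express a week.

```shell
#!/bin/sh
# Added example, not SnortALog's own code: select rotated daily logs named
# file_yyyymmdd.log for a day, month or year and feed them to snortalog.pl.
# LOGDIR, PREFIX and SNORTALOG are assumed names; override them in the environment.
LOGDIR="${LOGDIR:-.}"
PREFIX="${PREFIX:-file_}"
SNORTALOG="${SNORTALOG:-./snortalog.pl}"

# period_glob PERIOD YYYYMMDD -> prints the file glob for that period
# (day: one file; month: first six digits; year: first four digits)
period_glob() {
    case "$1" in
        day)   echo "${PREFIX}${2}.log" ;;
        month) echo "${PREFIX}$(echo "$2" | cut -c1-6)*.log" ;;
        year)  echo "${PREFIX}$(echo "$2" | cut -c1-4)*.log" ;;
        *)     echo "unknown period: $1 (use day, month or year)" >&2; return 1 ;;
    esac
}

# period_files PERIOD YYYYMMDD -> lists the matching files in LOGDIR, one per line
period_files() {
    pat=$(period_glob "$1" "$2") || return 1
    # $pat is deliberately unquoted so the shell expands the glob;
    # an unmatched pattern expands to itself and fails the -f test below.
    for f in "$LOGDIR"/$pat; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# period_report PERIOD YYYYMMDD [extra snortalog options...]
# Example: period_report month 20240115 -1 -src
period_report() {
    files=$(period_files "$1" "$2") || return 1
    [ -n "$files" ] || { echo "no logs for $1 $2 in $LOGDIR" >&2; return 1; }
    shift 2
    # word splitting of $files is intended: one path per line, no spaces in names
    cat $files | "$SNORTALOG" -r -n 50 "$@"
}
```

Because the wrapper only selects files and never rewrites them, the same rotated logs serve every period; a cron entry can call `period_report day "$(date +%Y%m%d)"` after rotation and `period_report month …` on the first of the month.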
The following options are available:
| -x | GUI mode |
| -r | Resolve IP addresses |
| -w | Query the whois database (slows down processing) |
| -c | Resolve domain names (very slow) |
| -i | Invert the result |
| -d | Debug mode |
| -n | Number of lines in the result |
| -l | Output language |
| -o | Output file (HTML or PDF) |
| -g | Graph output format |
| -file | Input alert log file |
| -rulesfile | Name and directory of the rules file |
| -hwfile | Name and directory of the hardware file |
| -domainsfile | Name and directory of the domains file |
| -langfile | Name and directory of the language file |
| -pictsdir | Directory containing the HTML picture files |
| -genref | Generate the reference rules file |
| -help | Show this help |
The following reports are available:
| -src | Top source IPs |
| -dst | Top destination IPs |
| -src_attack | Top source IPs grouped by attack |
| -dst_attack | Top destination IPs grouped by attack |
| -src_dst_attack | Top alerts grouped by source IP, destination IP and attack |
| -attack | Top attacks |
| -class | Top classifications |
| -severity | Top severities |
| -daily_event | Number of attacks grouped by day |
| -hour | Number of attacks grouped by hour |
| -hour_attack | Top specific attacks grouped by hour |
| -dport | Top destination ports |
| -proto | Top protocols |
| -dport_attack | Top destination ports grouped by attack |
| -nids | Top NIDS hosts |
| -interfaces | Top interface events |
| -domain_src | Top source domains |
| -portscan | Top portscan alerts |
| -actions | Top firewall actions (DROP, REJECT, ACCEPT, etc.) |
| -rules | Top rules (FW-1 only) |
| -reasons | Top reasons (FW-1 only) |
| -src_dport | Top source IPs grouped by destination port |
| -dst_dport | Top destination IPs grouped by destination port |
| -typelog | Number of occurrences by log type |
| -hwlog | Number of occurrences by hardware-related log message |
| -report | All reports |
The following input log formats are available:
| -1 | Snort fast output log |
| -2 | Snort syslog output log |
| -3 | Snort full output log |
| -4 | CheckPoint VPN-1 fwm logexport log |
| -5 | CheckPoint VPN-1 syslog log |
| -6 | Cisco PIX log |
| -7 | IPFilter log |
| -8 | NetFilter log |
| -9 | Barnyard syslog log |
| -10 | PacketFilter log |
| -11 | Lucent Brick export log |
| -12 | Barnyard fast log |
| -13 | Juniper NetScreen syslog event |
| -14 | CheckPoint VPN-1 fwm log -n |
| -15 | CheckPoint VPN-1 fw tab -t connections -f -m 25000 |
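To make concrete what the -src, -attack and -dport reports compute over format -1 (Snort fast output), here is an added example that is not SnortALog's own code: three small shell functions that reproduce those counts with awk, sed, sort and uniq over a few constructed Snort fast-alert lines. The sample lines, the function names and the restriction to IPv4 addresses are assumptions of this example; the real tool also handles the other formats listed above and adds name resolution, whois and graphing.

```shell
#!/bin/sh
# Added example, not SnortALog's own code. Reproduces the -src, -attack and
# -dport counts for Snort "fast" alerts (input format -1) with standard tools.

# Constructed sample of Snort fast alerts (not real traffic). Format:
# <date-time>  [**] [gid:sid:rev] <message> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
sample_alerts() {
    cat <<'EOF'
02/13-14:01:22.345678  [**] [1:2003:8] SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.77:1049 -> 10.0.0.5:1434
02/13-14:01:25.100010  [**] [1:2003:8] SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.77:1050 -> 10.0.0.5:1434
02/13-14:02:01.000001  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.77 -> 10.0.0.9
02/13-14:05:40.777000  [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.23:40211 -> 10.0.0.5:80
02/13-14:07:13.200300  [**] [1:2003:8] SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 172.16.4.2:1337 -> 10.0.0.5:1434
EOF
}

# top_src N: reads fast alerts on stdin, prints "count ip" for the N most
# frequent source IPs (equivalent of -1 -src -n N). The source is the field
# right after the {PROTO} token; a trailing :port is stripped (ICMP has none).
top_src() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^[{][A-Z0-9]+[}]$/) { sub(/:[0-9]+$/, "", $(i+1)); print $(i+1); break } }' \
    | sort | uniq -c | sort -rn | head -n "$1"
}

# top_attack N: prints "count message" for the N most frequent alert messages
# (equivalent of -1 -attack -n N). The message sits between "[gid:sid:rev] "
# and the second " [**]".
top_attack() {
    sed -n 's/^[^]]*\] \[[0-9:]*\] \(.*\) \[\*\*\].*/\1/p' \
    | sort | uniq -c | sort -rn | head -n "$1"
}

# top_dport N: prints "count port" for the N most frequent destination ports
# (equivalent of -1 -dport -n N). Alerts without a port (ICMP) are skipped.
top_dport() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^[{][A-Z0-9]+[}]$/) { n = split($(i+3), d, ":"); if (n == 2) print d[2]; break } }' \
    | sort | uniq -c | sort -rn | head -n "$1"
}

# Usage on the sample, or on a real file: top_src 10 < alert.fast
# sample_alerts | top_src 5
```

The counts come out as `uniq -c` prints them (count, then key), which is the same shape as the tool's top-N tables; ties are broken arbitrarily by `sort -rn`, so two keys with equal counts may swap places between runs.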