You can pipe the log file into SnortALog, as shown by the following shell command:
- cat logs.file | ./snortalog.pl -r -n 50
Why did I not ask for a specific file name?
Just for one reason (but a smart one :-). For daily log rotation, I use the file name format file_yyyymmdd.log (year, month and day), so it is easy for me to generate daily, weekly, monthly and yearly reports without renaming any files.
Otherwise, you can use the "-file" option to specify an alert log file:
- ./snortalog.pl -file logs.file -r -n 50
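As an added example (not part of SnortALog itself), here is a small POSIX shell helper that selects the rotated file_yyyymmdd.log files for a day, week, month or year and feeds them to snortalog.pl through the same cat pipeline as above; the function names, the sample directory and the empty sample files are constructed for illustration.

```shell
# Select rotated logs named file_YYYYMMDD.log for a period and feed them to
# snortalog.pl on stdin, as the cat pipeline in the documentation does.

days_in_month() { # $1=YYYY $2=MM (two digits); Gregorian leap-year rule
  case $2 in
    01|03|05|07|08|10|12) echo 31 ;;
    04|06|09|11) echo 30 ;;
    02) if [ $(( $1 % 4 )) -eq 0 ] && { [ $(( $1 % 100 )) -ne 0 ] || [ $(( $1 % 400 )) -eq 0 ]; }
        then echo 29; else echo 28; fi ;;
  esac
}

prev_day() { # $1=YYYYMMDD -> previous calendar day, without GNU date
  y=${1%????}; md=${1#????}; m=${md%??}; d=${md#??}
  d=$(( ${d#0} - 1 ))              # strip the leading zero: 08 and 09 are not valid octal
  if [ "$d" -eq 0 ]; then
    m=$(( ${m#0} - 1 ))
    if [ "$m" -eq 0 ]; then m=12; y=$(( y - 1 )); fi
    m=$(printf '%02d' "$m")
    d=$(days_in_month "$y" "$m")
  fi
  printf '%s%s%02d\n' "$y" "$m" "$d"
}

log_files() { # $1=daily|weekly|monthly|yearly  $2=YYYYMMDD (last day)  $3=log directory
  case $1 in
    daily)   [ -f "$3/file_$2.log" ] && echo "$3/file_$2.log" ;;
    monthly) for f in "$3"/file_"${2%??}"??.log;     do [ -f "$f" ] && echo "$f"; done ;;
    yearly)  for f in "$3"/file_"${2%????}"????.log; do [ -f "$f" ] && echo "$f"; done ;;
    weekly)  day=$2; i=0             # the seven days ending on $2, walking backwards
             while [ "$i" -lt 7 ]; do
               [ -f "$3/file_$day.log" ] && echo "$3/file_$day.log"
               day=$(prev_day "$day"); i=$(( i + 1 ))
             done ;;
  esac
  return 0
}

count_logs() { log_files "$@" | wc -l | tr -d ' '; }

report() { # same pipeline as the documentation: resolve IPs, keep the top 50 lines
  cat $(log_files "$1" "$2" "$3") | ./snortalog.pl -r -n 50
}

# Constructed sample: empty rotated logs around the 2024 leap day, not real alert data
SAMPLE_DIR=$(mktemp -d)
for d in 20240228 20240229 20240301 20240302 20240303 20240304 20240305 20240306 20240331; do
  : > "$SAMPLE_DIR/file_$d.log"
done
if [ -x ./snortalog.pl ]; then report weekly 20240306 "$SAMPLE_DIR"; fi
```

The weekly selection walks back across the month boundary and the leap day without relying on GNU date, which keeps the helper usable on the BSD and Solaris hosts firewalls and sensors often run on.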
The following options are available:
-x | GUI mode
-r | Resolve IP addresses
-w | Consult the Whois database (slows down processing)
-c | Resolve domains (very slow)
-i | Invert the result
-d | Debug mode
-n | Specify the number of lines in the result
-l | Specify an output language
-o | Specify an HTML or PDF output file
-g | Graph output format
-file | Specify an input alert log file
-rulesfile | Specify the name and directory of the rules file
-hwfile | Specify the name and directory of the hardware file
-domainsfile | Specify the name and directory of the domains file
-langfile | Specify the name and directory of the language file
-pictsdir | Specify the directory containing the HTML picture files
-genref | Generate the reference rules file
-help | View this help
The following reports are available:
-src | Top source IPs
-dst | Top destination IPs
-src_attack | Top source IPs grouped by attack
-dst_attack | Top destination IPs grouped by attack
-src_dst_attack | Top alerts grouped by source IP, destination IP and attack
-attack | Top attacks
-class | Top classifications
-severity | Top severities
-daily_event | Top number of attacks grouped by day
-hour | Top number of attacks grouped by hour
-hour_attack | Top specific attacks grouped by hour
-dport | Top destination ports
-proto | Top protocols
-dport_attack | Top destination ports grouped by attack
-nids | Top NIDS hosts
-interfaces | Top interface events
-domain_src | Top source domains
-portscan | Top portscan alerts
-actions | Top firewall actions (DROP, REJECT, ACCEPT, etc.)
-rules | Top rules (FW-1 only)
-reasons | Top reasons (FW-1 only)
-src_dport | Top source IPs grouped by destination port
-dst_dport | Top destination IPs grouped by destination port
-typelog | Number of occurrences by type of log
-hwlog | Number of occurrences by hardware-related log message
-report | All reports
The following input log formats are available:
-1 | Snort fast output log
-2 | Snort syslog output log
-3 | Snort full output log
-4 | CheckPoint VPN-1 fwm logexport log
-5 | CheckPoint VPN-1 syslog log
-6 | Cisco PIX log
-7 | IPFilter log
-8 | NetFilter log
-9 | Barnyard syslog log
-10 | PacketFilter log
-11 | Lucent Brick export log
-12 | Barnyard fast log
-13 | Juniper NetScreen syslog event
-14 | CheckPoint VPN-1 fwm log -n
-15 | CheckPoint VPN-1 fw tab -t connections -f -m 25000