|
|
What is SnortALog |
Snortalog is a powerful Perl script that summarizes Snort logs, making it easy to view any network attacks detected by Snort. It can generate charts in HTML, PDF, and text output. It works with all versions of Snort, and can analyze logs in three formats: syslog, fast, and full snort alerts.
Moreover, it is able to summarize other logs like CheckPoint Fw-1 (NG and 4.1), Netfilter, IPFilter, Packet Filter, CISCO PIX, JUNPIER NetScreen and Lucent BRICK in a similar way.
|
|
Why a Perl Script ??? |
There are several reasons why I choose to develop my program in perl. I have been working with SNORT for 5 years and I couldn't find any existing scripts that were able to report potentials attacks quickly.
My first goal was to generate a text output (ASCII) to provide many sorting and filtering statistics. Eventually, I improved my program to generate charts (HTML) for a best visualization and soon a GUI.
You may ask why not use a MySQL database or similar like ACID ??? As a member of SNORT's mailing list for a long time ago, I often read questions about this error "Fatal error: Maximum execution time of 180 seconds exceeded".
You can regularly purge your database but this task could prove tough for the administrator. Moreover, in a network with a lot of NIDS and several thousand log alerts, a request in a database will have a long response time.
The use of a script like SnortALog is more easier, efficient and appropriate. Do your own tests and send me your feedback :))
|
| |
|