Snortalog 2.4.0 review
DownloadSnortalog is a powerful Perl script that summarizes Snort logs, making it easy to view any network attacks detected by Snort. It c
|
|
Snortalog is a powerful Perl script that summarizes Snort logs, making it easy to view any network attacks detected by Snort.
It can generate charts in HTML, PDF, and text output. Snortalog works with all versions of Snort, and can analyze logs in three formats: syslog, fast, and full snort alerts.
Moreover, it is able to summarize other logs like CheckPoint Fw-1 (NG and 4.1), Netfilter, IPFilter, Packet Filter, CISCO PIX, and Lucent BRICK in a similar way.
There are several reasons why I choose to develop my program in perl.
I have been working with SNORT for 5 years and I couldn't find any existing scripts that were able to report potentials attacks quickly.
My first goal was to generate a text output (ASCII) to provide many sorting and filtering statistics. Eventually, I improved my program to generate charts (HTML) for a best visualization and soon a GUI.
You may ask why not use a MySQL database or similar like ACID ??? As a member of SNORT's mailing list for a long time ago, I often read questions about this error "Fatal error: Maximum execution time of 180 seconds exceeded".
You can regularly purge your database but this task could prove tough for the administrator. Moreover, in a network with a lot of NIDS and several thousand log alerts, a request in a database will have a long response time.
The use of a script like SnortALog is more easier, efficient and appropriate. Do your own tests and send me your feedback :))
Here are some key features of "Snortalog":
Create HTML, PDF and text reports
Generate GIF, PNG or JPG graph in HTML output
CLI (Command Line Interface) and GUI (Graphic User Interface
Works with Syslog, Fast and Full SNORT alerts
Works with all SNORT preprocessor (spp_stream4, spp_portscan, spp_decoder, flow, flow-portscan ...)
Has the possibility to link the SNORT signature to the web reference attack description
Works with "-I" Snort option to specify an interface and add report
Work now with "-e" Snort option (Display the second layer header info)
Use a specific plugin for generate your owns reference's SNORT rules
Can specify order (acsending ou descending)
Can specify the number of occurences to view
Can resolve IP addresses and domains
Add colors for a best visibility
Possibility to do filtering (if you only want a specific IP source or high severity snort logs)
Works with CheckPoint Fw-1 (4.1 and NG) in syslog and fw logexport command
Works now with CheckPoint Fw-1 SmartDefense
Works with Netfilter and IPFilter syslog logs
Works now with syslog CISCO PIX logs (Thanks to Edwin)
Works on Windows box (basic option: no graph)
Works with Lucent Brick Firewall logs
What's New in This Release:
This release brings a lot of big enhancements.
The major ones are code enhancement.
The code was totally revisited to improve performance.
The engine doesn't need swap and can now work with huge log files.
The memory process and performance aren't amazing.
Moreover, an HTML output feature was added and the GUI brings new functionality very appreciable.
Snort 2.4 and Pix log detection was improved.
Snort Barnyard and Lucent Brick log detection were added.
Snortalog 2.4.0 keywords