Snort Alert Log: Simple Analysis and Daily Reporting with Arnold and Petit


Posted Jul 1, 2010 in Article

Background

This script was developed last year to give a quick and dirty analysis of the Snort alert log. In typical fashion it is far from perfect, but approximately right is better than absolutely wrong. Obviously, the intersects could be combined in new and creative ways; this is just one combination that works for us. Also, notice that petit is used to graph the Snort alerts to give an idea of when the attack signatures are being tripped.

Basics

The first intersect is between snort alerts and critical ports.

We only watch a specific list of ports: those that are allowed through the firewall and that have a service actively listening behind them. This list is generated by hand from an nmap scan run from outside our network.

  1. Snort Alerts: This is a full list of alerts that are generated each day. Our snort sensor is located on a span port which listens to every piece of traffic coming in and out of our network.
  2. Critical Ports: This is a manually generated list of ports which we know are open on the firewall and have services actively running.

The second intersect is between the three major lists described below.

  1. Known Aggressors: Several known-aggressor lists are published on the Internet. For this script I currently use DShield, but the choice is arbitrary. The point is to get a list of known aggressors which are connecting to your network and tripping Snort’s attack signatures.
  2. Scanners: This list is auto-generated by searching the Snort alert log and gathering the IP addresses that have scanned our network in the last 24 hours.
  3. Critical Addresses: This is a list of
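The two intersects described above, as an added POSIX shell example that is not the original arnold.sh (whose source is only linked from this post). The Snort fast-format alert lines, the critical-ports list, the aggressor list and every address in it are constructed for the example; a real run would read the sensor's alert file and a downloaded feed such as DShield instead.

```shell
#!/bin/sh
# Added example, not the original arnold.sh: the two intersects from the post,
# run over constructed Snort "fast"-format alert lines (every value here is made up).

# Constructed alerts; sids are in the local 1000000+ range, addresses are RFC 5737 test nets.
ALERTS='07/01-08:15:02.101010  [**] [1:1000001:1] LOCAL SCAN SSH sweep [**] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.0.2.10:22
07/01-08:16:10.202020  [**] [1:1000002:1] LOCAL WEB suspicious request [**] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.20:80
07/01-08:17:44.303030  [**] [1:1000003:1] LOCAL SCAN SMB probe [**] [Priority: 3] {TCP} 203.0.113.5:44322 -> 192.0.2.30:445
07/01-08:18:01.404040  [**] [1:1000004:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
07/01-08:19:33.505050  [**] [1:1000001:1] LOCAL SCAN SSH sweep [**] [Priority: 2] {TCP} 198.51.100.7:51001 -> 192.0.2.40:22'

# Hand-maintained list: ports open on the firewall with a service listening behind them.
CRITICAL_PORTS='22
80'
# Stand-in for a downloaded known-aggressor feed (the post uses DShield).
KNOWN_AGGRESSORS='203.0.113.5
203.0.113.77'

# Normalise each alert to: src_ip dst_ip dst_port message ("-" when the protocol has no port).
parse_alerts() {
  printf '%s\n' "$ALERTS" | awk '{
    src = $(NF-2); dst = $NF; port = "-"
    sub(/:[0-9]+$/, "", src)
    if (dst ~ /:/) { port = dst; sub(/^.*:/, "", port); sub(/:[0-9]+$/, "", dst) }
    split($0, a, / \[\*\*\] /); msg = a[2]; sub(/^\[[0-9:]+\] /, "", msg)
    print src, dst, port, msg }'
}

# Intersect 1: alerts aimed at a critical port.
critical_port_hits() {
  parse_alerts | awk -v ports="$CRITICAL_PORTS" '
    BEGIN { n = split(ports, p, "\n"); for (i = 1; i <= n; i++) crit[p[i]] = 1 }
    $3 in crit'
}

# Scanner list: unique sources that tripped a SCAN signature in the log window.
scanner_ips() { parse_alerts | awk '/ SCAN / { print $1 }' | sort -u; }

# Intersect 2: scanners that are also on the known-aggressor list (comm wants sorted input).
aggressor_scanners() {
  tmp=$(mktemp)
  printf '%s\n' "$KNOWN_AGGRESSORS" | sort -u > "$tmp"
  scanner_ips | comm -12 - "$tmp"
  rm -f "$tmp"
}

# Daily report: the two intersects, in the order the post describes them.
report() {
  echo "== Alerts on critical ports =="; critical_port_hits
  echo "== Known aggressors scanning us =="; aggressor_scanners
}
```

Call `report` to print both intersects; the critical-addresses list from arnold_convert_addresses.sh would be applied the same way, as another `comm -12` against the destination column.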

Scripts

Script: arnold.sh

Output: arnold.sh Output

Script: arnold_convert_addresses.sh

This script helps generate a list of critical addresses on each server. We use this to manually generate our list of critical IP addresses.
