Snort3 (SnortSnarf)


Parse the Snort3 log /var/log/snort/alert_fast.txt and output an HTML file.

・Point to note
    Log file: /var/log/snort/alert_fast.txt

    03/28-01:19:50.576984 [**] [1:45749:2] "SERVER-WEBAPP PHPUnit PHP remote
    code execution attempt" [**] [Classification: Web Application Attack] [Priority: 1]
    [AppID: Firefox] {TCP} ->
    03/28-01:41:41.584960 [**] [1:42857:3] "SERVER-WEBAPP MVPower DVR Shell arbitrary
    command execution attempt" [**] [Classification: Attempted Administrator Privilege Gain]
    [Priority: 1] [AppID: HTTP] {TCP} ->

    If an alert line contains an [AppID: ...] field, SnortSnarf cannot extract the addresses from it, and its source / destination columns show (no IP).

    [root]# vim /usr/local/snort/etc/snort/snort.lua

    -- Detection of the connecting application (comment this block out when using SnortSnarf)
    appid =
    {
        -- appid requires this to use appids in rules
        app_detector_dir = APPID_PATH,
    }
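The parsing problem described above comes down to the optional [AppID: ...] field sitting between [Priority: N] and the {PROTO} src -> dst part of each alert_fast line. The following Python parser is an added example and is not part of SnortSnarf or of this page; it accepts lines both with and without the AppID field, so it can be used to sanity-check what a log contains before handing it to SnortSnarf. The sample lines and their addresses (RFC 5737 documentation ranges) are constructed for the example, not taken from a real capture.

```python
import re

# Constructed sample lines in Snort3 alert_fast format. Addresses are
# documentation-range placeholders, not from a real capture.
SAMPLE_ALERTS = [
    '03/28-01:19:50.576984 [**] [1:45749:2] "SERVER-WEBAPP PHPUnit PHP remote code execution attempt" '
    '[**] [Classification: Web Application Attack] [Priority: 1] [AppID: Firefox] {TCP} '
    '192.0.2.10:51234 -> 198.51.100.5:80',
    '03/28-01:41:41.584960 [**] [1:42857:3] "SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt" '
    '[**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] [AppID: HTTP] {TCP} '
    '192.0.2.10:51240 -> 198.51.100.5:80',
    # The same alert with the appid inspector disabled: no [AppID: ...] field at all.
    '03/28-02:05:12.000001 [**] [1:42857:3] "SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt" '
    '[**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} '
    '192.0.2.11:40000 -> 198.51.100.5:80',
]

# One alert per line. The AppID group is optional, which is exactly the
# difference between a log SnortSnarf can read and one where it shows (no IP).
ALERT_RE = re.compile(r'''
    ^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+
    \[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    "(?P<msg>[^"]*)"\s+\[\*\*\]\s+
    (?:\[Classification:\s(?P<cls>[^\]]*)\]\s+)?
    \[Priority:\s(?P<prio>\d+)\]\s+
    (?:\[AppID:\s(?P<appid>[^\]]*)\]\s+)?      # present only when appid is enabled
    \{(?P<proto>[A-Z]+)\}\s+
    (?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$
''', re.VERBOSE)


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port). ICMP alerts carry no port, so the
    port is None. rsplit keeps the colons inside an IPv6 address intact."""
    if ':' in endpoint:
        addr, port = endpoint.rsplit(':', 1)
        if port.isdigit():
            return addr, int(port)
    return endpoint, None


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group('src'))
    dst_ip, dst_port = split_endpoint(m.group('dst'))
    return {
        'timestamp': m.group('ts'),
        'gid': int(m.group('gid')), 'sid': int(m.group('sid')), 'rev': int(m.group('rev')),
        'msg': m.group('msg'),
        'classification': m.group('cls'),
        'priority': int(m.group('prio')),
        'appid': m.group('appid'),          # None when the field is absent
        'proto': m.group('proto'),
        'src_ip': src_ip, 'src_port': src_port,
        'dst_ip': dst_ip, 'dst_port': dst_port,
    }


def summarize_by_source(lines):
    """Group alerts by source address: {src_ip: {(sid, msg): count}}.
    Lines that do not parse are skipped rather than aborting the run."""
    summary = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        per_src = summary.setdefault(alert['src_ip'], {})
        key = (alert['sid'], alert['msg'])
        per_src[key] = per_src.get(key, 0) + 1
    return summary


def parse_file(path):
    """Yield parsed alerts from a real alert_fast log, e.g. /var/log/snort/alert_fast.txt."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        for line in fh:
            alert = parse_alert(line)
            if alert is not None:
                yield alert


if __name__ == '__main__':
    for src, sigs in summarize_by_source(SAMPLE_ALERTS).items():
        for (sid, msg), count in sigs.items():
            print(f'{src}\t{count}\t{sid}\t{msg}')
```

Running the block prints one line per source address and signature for the constructed samples; point `parse_file()` at the real log to do the same over production data. Because `appid` comes back as None when the field is missing, a quick check such as `any(a['appid'] for a in parse_file(path))` tells you whether the appid block in snort.lua is still enabled before you schedule SnortSnarf.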

Obtained from

    [root]# cpan Time::ParseDate
    [root]# mkdir /usr/local/snortsnarf
    [root]# tar xvfz SnortSnarf-1.0.tar.gz
    [root]# cp -v SnortSnarf-1.0/ /usr/local/snortsnarf
    [root]# cp -vrf SnortSnarf-1.0/include/ /usr/local/snortsnarf
・Modify the scripts
    [root]# vim /usr/local/snortsnarf/

      78 (before): use lib qw(./include);
      78 (after):  use lib qw(/usr/local/snortsnarf/include);

    [root]# vim /usr/local/snortsnarf/include/SnortSnarf/

      290 (before): return @arr->[($first-1)..$end];
      290 (after):  return $arr->[($first-1)..$end];

    [root]# vim /usr/local/snortsnarf/include/SnortSnarf/

      266 (before): return @arr->[($first-1)..$end];
      266 (after):  return $arr->[($first-1)..$end];
・Create the output directory for the analysis results
    [root]# mkdir /var/www/html/snortsnarf
    [root]# chown apache:apache /var/www/html/snortsnarf
・Access control for the analysis results

Deny access from anywhere other than localhost and the LAN.

    [root]# vim /etc/httpd/conf/httpd.conf

      Apache 2.2
      <Directory "/var/www/html/snortsnarf">
           order deny,allow
           deny from all
           allow from
      </Directory>

      Apache 2.4
      <Directory "/var/www/html/snortsnarf">
           require ip
      </Directory>

    [root]# /usr/local/snortsnarf/
                        /var/log/snort/alert_fast.txt -d /var/www/html/snortsnarf
・Run automatically from cron
    [root]# crontab -e

      10 */6 * * * /usr/local/snortsnarf/ \
                        /var/log/snort/alert_fast.txt -d /var/www/html/snortsnarf
・View the analysis results
    Open https://localhost/snortsnarf/ in your browser.