Parse the Snort3 log /var/log/snort/alert_fast.txt and output an HTML file.
・Point to note
Log file: /var/log/snort/alert_fast.txt
03/28-01:19:50.576984 [**] [1:45749:2] "SERVER-WEBAPP PHPUnit PHP remote code execution attempt" [**] [Classification: Web Application Attack] [Priority: 1] [AppID: Firefox] {TCP} xxx.xxx.xxx.xxx:58646 -> xxx.xxx.xxx.xxx:80
03/28-01:41:41.584960 [**] [1:42857:3] "SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] [AppID: HTTP] {TCP} xxx.xxx.xxx.xxx:40306 -> xxx.xxx.xxx.xxx:80
If an alert contains an [AppID: ...] field, SnortSnarf shows its source and destination as (no IP). Disable the appid inspector in snort.lua while SnortSnarf is in use:
[root]# vim /usr/local/snort/etc/snort/snort.lua
-- Detection of the application behind each connection (comment out while using SnortSnarf)
--[[
appid =
{
    -- appid requires this to use appids in rules
    app_detector_dir = APPID_PATH,
}
--]]
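As an added example (not part of this page or of SnortSnarf), a small Python parser for the alert_fast format that treats the [AppID: ...] field as optional, so source and destination are recovered whether or not the appid inspector is enabled. The sample lines are constructed from the excerpt above, with RFC 5737 documentation addresses standing in for the redacted xxx.xxx.xxx.xxx.

```python
import re
from collections import Counter

# Constructed sample modelled on the page's excerpt; RFC 5737 documentation
# addresses replace the redacted xxx.xxx.xxx.xxx. The third alert has no AppID.
SAMPLE_LOG = """\
03/28-01:19:50.576984 [**] [1:45749:2] "SERVER-WEBAPP PHPUnit PHP remote code execution attempt" [**] [Classification: Web Application Attack] [Priority: 1] [AppID: Firefox] {TCP} 192.0.2.10:58646 -> 198.51.100.5:80
03/28-01:41:41.584960 [**] [1:42857:3] "SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] [AppID: HTTP] {TCP} 192.0.2.10:40306 -> 198.51.100.5:80
03/28-02:03:12.000001 [**] [1:45749:2] "SERVER-WEBAPP PHPUnit PHP remote code execution attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:51000 -> 198.51.100.5:80
"""
# One alert per line; [Classification: ...] and [AppID: ...] are optional,
# and ports are absent for protocols such as ICMP.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?'
    r'\[Priority: (?P<prio>\d+)\] '
    r'(?:\[AppID: (?P<appid>[^\]]*)\] )?'
    r'\{(?P<proto>[A-Z]+)\} '
    r'(?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$'
)

def parse_alert(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def parse_log(text):
    """Parse every non-empty line; non-matching lines are returned, not dropped."""
    records, rejected = [], []
    for line in text.splitlines():
        if line.strip():
            rec = parse_alert(line)
            (records if rec else rejected).append(rec if rec else line)
    return records, rejected

def summarize(records):
    """Count alerts per gid:sid signature and per source address."""
    by_sig = Counter(f"{r['gid']}:{r['sid']}" for r in records)
    by_src = Counter(r["src"] for r in records)
    return by_sig, by_src

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(summarize(recs), "unparsed:", bad)
```

To run it against the real file, pass the contents of /var/log/snort/alert_fast.txt to parse_log() and review the rejected list for lines the pattern did not recognise.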
・Installation
Download the archive from http://sourceforge.net/projects/snortsnarf/.
[root]# cpan Time::ParseDate
[root]# mkdir /usr/local/snortsnarf
[root]# tar xvfz SnortSnarf-1.0.tar.gz
[root]# cp -v SnortSnarf-1.0/snortsnarf.pl /usr/local/snortsnarf
[root]# cp -vrf SnortSnarf-1.0/include/ /usr/local/snortsnarf
・Modify the source (each pair shows the line before and after the change)
[root]# vim /usr/local/snortsnarf/snortsnarf.pl
78 : use lib qw(./include);                          (before)
78 : use lib qw(/usr/local/snortsnarf/include);      (after)
[root]# vim /usr/local/snortsnarf/include/SnortSnarf/HTMLMemStorage.pm
290 : return @arr->[($first-1)..$end];               (before)
290 : return @arr[($first-1)..$end];                 (after: an array slice; the old "@arr->[...]" array-as-reference syntax is an error in current Perl)
[root]# vim /usr/local/snortsnarf/include/SnortSnarf/HTMLAnomMemStorage.pm
266 : return @arr->[($first-1)..$end];               (before)
266 : return @arr[($first-1)..$end];                 (after)
・Create the output directory for the analysis results
# Apache
[root]# mkdir /var/www/html/snortsnarf
[root]# chown apache:apache /var/www/html/snortsnarf
# Nginx
[root]# mkdir /usr/local/nginx/html/snortsnarf
[root]# chown nginx:nginx /usr/local/nginx/html/snortsnarf
・Access control for the analysis results
Allow access only from localhost and the LAN (192.168.1.0/24); deny everything else.
[root]# vim /etc/httpd/conf/httpd.conf
Apache 2.2
<Directory "/var/www/html/snortsnarf">
    order deny,allow
    deny from all
    allow from 127.0.0.1 192.168.1.0/24
</Directory>
Apache 2.4
<Directory "/var/www/html/snortsnarf">
    require ip 127.0.0.1 192.168.1.0/24
</Directory>
[root]# vim /usr/local/nginx/conf/nginx.conf
location /snortsnarf/ {
    allow 127.0.0.1;        # localhost, as in the Apache configuration
    allow 192.168.1.0/24;
    deny all;
}
・Run
# Apache
[root]# /usr/local/snortsnarf/snortsnarf.pl /var/log/snort/alert_fast.txt -d /var/www/html/snortsnarf
# Nginx
[root]# /usr/local/snortsnarf/snortsnarf.pl /var/log/snort/alert_fast.txt -d /usr/local/nginx/html/snortsnarf
# Nginx Chroot
[root]# /usr/local/snortsnarf/snortsnarf.pl /var/log/snort/alert_fast.txt -d /chroot/nginx/usr/local/nginx/html/snortsnarf
・Run automatically from cron (every six hours, at ten minutes past the hour)
[root]# crontab -e
# Apache (crontab has no backslash line continuation, so each entry stays on one line)
10 */6 * * * /usr/local/snortsnarf/snortsnarf.pl /var/log/snort/alert_fast.txt -d /var/www/html/snortsnarf
# Nginx
10 */6 * * * /usr/local/snortsnarf/snortsnarf.pl /var/log/snort/alert_fast.txt -d /usr/local/nginx/html/snortsnarf
# Nginx Chroot
10 */6 * * * /usr/local/snortsnarf/snortsnarf.pl /var/log/snort/alert_fast.txt -d /chroot/nginx/usr/local/nginx/html/snortsnarf
・Viewing the analysis result
Open https://localhost/snortsnarf/ in a browser.