Snort Log Parser


Hey guys, I'd like to share a script I wrote to make reporting simpler for Snort. Snort is an open source intrusion detection / prevention system: it matches packets against rules and either alerts on them (detection mode) or drops them (inline prevention mode). It's an awesome security tool for seeing exactly what is going on in your network, and it offers great protection if you decide to put it in prevention mode. And it's all free!

I installed it on my very old Compaq computer, which runs Ubuntu Server edition. Didn't really have a reason, just wanted to see how it works... I will be getting rid of it soon since it slows down the network (Counter-Strike and Snort don't mix).

Anyway, to check the logs I had to ssh to the Compaq (that computer has no monitor) and manually go through the logs. Usually the same event would trip 400 times in a row. Scrolling through all of this and logging into the Compaq every time was a pain. So I wrote a bash script that bundles identical events together, outputs the number of times each one occurred and emails this information to me every day. Now all I have to do is check my email. I also added a threshold so it only emails rules that tripped more than 20 times.

I'm sure this method isn't as efficient as some of the other parsers that are out there... but this one's awesome since I made it! Here it is...

Note: Snort's alert output mode has to be "fast" (-A fast); more on that in a bit.

#!/bin/bash
#Author: Bhavik from www.bhaviksblog.com
#Script is free! Do whatever you want with it!
#Date created : 11/06/08

#Automatically emails listed recipient all alerts that
#occur in the log file more than 20 times
#Script will be added to cron to execute everyday
#email_alerts_output.txt contains the latest events that
#occurred more than 20 times (it is overwritten on every run,
#and is written in the current directory, which under cron is
#the home directory of the user owning the crontab)

email="your email here"
lines_in_file=5000

if test -z "$1"
then
    echo "The logfile must be supplied as an argument"
    exit 1
elif test ! -e "$1"
then
    echo "The file you supplied does not exist"
    exit 1
else
    # Take the last day's worth of lines, sort so identical alerts are adjacent,
    # count duplicates while ignoring the 21-character timestamp at the start of
    # each line (uniq -s 21), keep only alerts seen more than 20 times (awk) and
    # list the busiest first (sort -rn, numeric so 100 sorts above 9).
    # The pipeline is continued across lines with backslashes.
    tail -n "$lines_in_file" "$1" | sort -k 4 | uniq -s 21 -c -d \
        | awk '$1 > 20 {print $0, "\n"}' \
        | sort -rn > email_alerts_output.txt
    mail -v -s "Snort Sensor Alerts" "$email" < email_alerts_output.txt
    echo "Logs Sent."
fi

There are two variables at the top that you should set. email is obviously the address the logs should go to. lines_in_file is a variable because the logfile is constantly growing (whenever there is traffic on the network) and tail only needs the last day's worth of lines. I needed to know approximately how many lines get added to the file every 24 hours, so I ran wc -l on the log file at 12pm to get its line count, then did the same thing 12 hours later.

The file grew about 2000 lines. I padded that by another 500 to be safe and doubled it to 5000 for the 24-hour period. If your sensor writes more lines than that in a day, the oldest ones are silently left out of the report, so err on the high side. The threshold determines how many times a rule has to trip before you get emailed about it. Above it is set to 20 in the awk statement ($1 > 20); you can change it there.

Now you need to make the script a cron job so you get emailed every day. You can use crontab to do this.

crontab -l       # lets you see what is currently listed under cron
crontab -r      # deletes your whole crontab (no confirmation is asked for)
crontab -e     # lets you edit the current cron

Crontab uses 5 fields (minute, hour, day of month, month, day of week) to determine the time (24-hour clock) your command runs. Here are a couple of examples.

01 * * * * echo "Runs a minute after every hour"
45 10 * * * echo "Runs every day at 10:45 am"
00 8 * * 0 echo "Runs at 8 am every Sunday"

Here's what my cron looks like for this script.

00 8 * * * sh /var/log/snort/log_parser.sh /var/log/snort/alert
#sh /var/log/snort/log_parser.sh is the command to call the script
#/var/log/snort/alert is the snort log file (I'm using full paths, since cron
#runs with a minimal environment and from the home directory)
#The alert file is normally owned by root (or whatever user Snort runs as),
#so this has to go in the crontab of a user that can read it, e.g. sudo crontab -e

Another important thing is to make sure that your alert output mode is set to "fast". The script relies on the fixed-width timestamp at the start of every line, so each line of your logfile should be in this format.

01/28-00:14:17.600025  [**] [1:2469:7] NETBIOS SMB-DS D$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.xx.xx.xx:2327 -> 10.xx.xx.xx:445

You can set this output mode when you start Snort. This is what my command looks like.

snort -c /etc/snort/snort.conf -A fast -i eth2 -D
# -c is the config file for additional configuration
# -A is where you set the alert output mode. We want fast
# -i (lowercase) is the interface to listen on; capital -I instead adds the
#    interface name to each alert line, which is not what we want here
# -D is to make it a daemon, which keeps it running in the background
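One thing to be aware of with the uniq -s 21 approach above: it compares everything after the timestamp, including the source address and port, so the same rule firing from a fresh connection (new ephemeral port) is counted as a separate event. The following is an added example, not part of the original script, that instead groups fast-format alerts by the text between the first and second [**] (the [gid:sid:rev] tag and rule message), so all hits of one rule are counted together regardless of addresses or ports. The sample lines are constructed for this example: the first is modelled on the alert shown above, the LOCAL signatures and the 10.0.0.x addresses are made up, and summarize_alerts and its threshold argument are this example's own names.

```shell
#!/bin/sh
# Added example: aggregate Snort "-A fast" alerts by signature and message.

# Constructed sample alerts in fast format (hypothetical SIDs and addresses).
SAMPLE_ALERTS='01/28-00:14:17.600025  [**] [1:2469:7] NETBIOS SMB-DS D$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:2327 -> 10.0.0.9:445
01/28-00:14:18.100100  [**] [1:2469:7] NETBIOS SMB-DS D$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:2328 -> 10.0.0.9:445
01/28-00:20:02.000001  [**] [1:1000001:1] LOCAL constructed example scan signature [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:40001 -> 10.0.0.9:22
01/28-00:20:02.500002  [**] [1:1000001:1] LOCAL constructed example scan signature [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:40002 -> 10.0.0.9:23
01/28-00:31:09.220000  [**] [1:2469:7] NETBIOS SMB-DS D$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.6:3100 -> 10.0.0.9:445
01/28-00:40:00.000000  [**] [1:1000002:1] LOCAL constructed one-off signature [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.8:5353 -> 224.0.0.251:5353
this line is not a fast-format alert and is skipped'

# summarize_alerts [THRESHOLD]  (reads alert lines on stdin, default threshold 20)
# Prints "COUNT [gid:sid:rev] message" for every signature seen at least
# THRESHOLD times, highest count first. Timestamp, classification, priority,
# protocol and addresses are ignored, so one rule yields one line.
summarize_alerts() {
    awk -v min="${1:-20}" '
        {
            # Fast-format line: <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] ...
            start = index($0, "[**] ")
            if (start == 0) next              # not an alert line
            rest = substr($0, start + 5)      # "[gid:sid:rev] <msg> [**] ..."
            end = index(rest, " [**]")
            if (end == 0) next                # malformed, skip it
            key = substr(rest, 1, end - 1)    # "[gid:sid:rev] <msg>"
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= min)
                    printf "%d %s\n", count[k], k
        }
    ' | sort -rn
}

# Stand-alone demo: threshold 2 keeps the two signatures that fired twice or more.
# prints: 3 [1:2469:7] NETBIOS SMB-DS D$ unicode share access
#         2 [1:1000001:1] LOCAL constructed example scan signature
printf '%s\n' "$SAMPLE_ALERTS" | summarize_alerts 2
```

To drop it into the script's pipeline, replace the sort/uniq/awk/sort stages with `tail -n "$lines_in_file" "$1" | summarize_alerts 20`; the mail step stays the same. The per-address detail is lost in exchange for a count per rule, so if you also want to know which hosts are involved, keep the original pipeline for those rules and use this one for the summary.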

If everything is set up correctly you should get an email at the time specified in cron. For the mail command to work you need a working mail server (a local MTA that can deliver or relay) on whichever box Snort is running. It's a pretty simple script, no confusing configuration... Hope it helps! Enjoy!
