Tuesday, January 10, 2006

OpenBSD Snortalog

I'm pretty sure most of you find that snort is not well supported under OpenBSD. By "not well supported" I mean there is always a lack of documentation on how to run snort or snort-related tools on the OpenBSD platform. Here I will share with OpenBSD and snort users how I got Snortalog working on OpenBSD.

What is Snortalog anyway? Snortalog is a tool written in Perl that is used to analyze log files. It covers pretty much everything you need when it comes to analyzing snort logs, and firewall logs as well; currently it supports a wide range of firewall log formats, including Checkpoint, ipfw, iptables, pf, etc. Since it uses Perl Tk to build its GUI, which is similar to the Oinkmaster GUI, I was pretty happy, as the GUI should run out of the box. Anyway, you can still run Snortalog from the command line interface. To get snortalog working:

Install the dependencies snortalog needs to work properly:

shell>pkg_add ${PKG_PATH}gd-2.0.33p2.tgz

shell>pkg_add ${PKG_PATH}p5-GD-Graph-1.43.tgz

shell>pkg_add ${PKG_PATH}p5-GD-TextUtil-0.86.tgz

shell>pkg_add ${PKG_PATH}htmldoc-1.8.23.tgz

Since HTML-HTMLDoc is not available from the OpenBSD ports/packages, I just downloaded it from a CPAN mirror:

shell>wget http://cpan.mirror.solnet.ch/modules/by-module/HTML/HTML-HTMLDoc-0.10.tar.gz

In order to run snortalog in GUI mode, it requires Perl Tk. However, if I install p5-Tk from ports, I get an error when I run

shell>./snortalog.pl -x
unknown option "accelerator" at /usr/local/libdata/perl5/site_perl/i386-openbsd/Tk.pm 247.
at /usr/local/libdata/perl5/site_perl/i386-openbsd/Tk/Menu/Item line 47

Since I'm not a Perl expert, I just downloaded Perl Tk directly from a CPAN mirror and installed it from source:

shell>wget http://cpan.mirror.solnet.ch/modules/by-module/Tk/Tk800.025.tar.gz

shell>tar xvzf Tk800.025.tar.gz

shell>cd Tk800.025

shell>perl Makefile.PL

shell>make && make install

To configure the rules path in snortalog.pl, just edit the line below in snortalog.pl:

$rules_file = "/usr/local/src/snort-2.4.3/rules"; $RULES = 1; # Path to find Rules file

Generate the rule ID reference file for snortalog:

shell>cat /usr/local/src/snort-2.4.3/rules/*.rules | ./snortalog.pl -genref ruleID.ref

You are pretty much done with the snortalog configuration, and you can launch the snortalog GUI with the command below:

shell>./snortalog.pl -x
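The steps above are a manual procedure; the helper below is an added example (my own, not part of the original post or of Snortalog) that covers the points where the setup can go wrong: it checks that perl actually loads each module the packages above provide, rewrites the $rules_file line in a copy of snortalog.pl without an editor, and shows the sid-to-msg mapping that the -genref step is built from by parsing a few constructed Snort rules. The module names (Tk, GD, GD::Graph, GD::Text, HTML::HTMLDoc), the rules directory /etc/snort/rules and the tab-separated output are assumptions for illustration; the real ruleID.ref layout is Snortalog's own.

```sh
#!/bin/sh
# Added helper for the Snortalog-on-OpenBSD setup above; not part of the
# original post or of Snortalog. Assumptions: the Perl module names behind
# the packages listed in the post (Tk, GD, GD::Graph, GD::Text, HTML::HTMLDoc)
# and an illustrative rules directory.

# Return 0 if perl can load the named module, 1 otherwise. This confirms the
# from-source Tk (or any dependency) is the one perl picks up before ./snortalog.pl -x.
check_perl_module() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# Print one line per missing module; print nothing when everything loads.
missing_modules() {
    for m in Tk GD GD::Graph GD::Text HTML::HTMLDoc; do
        check_perl_module "$m" || echo "$m"
    done
}

# Point the $rules_file assignment in snortalog.pl ($1) at directory $2.
# Writes a temporary copy and renames it, so it works with both GNU and BSD
# sed (no -i) and never leaves a half-written script behind.
# The path must not contain '|' or '&', which sed would interpret.
set_rules_path() {
    script="$1"; rules="$2"
    sed -e 's|^\(\$rules_file = "\)[^"]*\(";\)|\1'"$rules"'\2|' "$script" > "$script.tmp" \
        || { rm -f "$script.tmp"; return 1; }
    mv "$script.tmp" "$script"
}

# Pull "sid<TAB>msg" pairs out of Snort rules read on stdin. This is the kind
# of mapping the -genref step builds so reports can show a rule name instead
# of a bare SID; the output format here is illustrative, not Snortalog's own.
# Commented-out rules and rules without a msg are skipped.
sid_msg_table() {
    awk '
        /^[ \t]*#/ || !/sid:/ { next }
        {
            msg = ""; sid = ""
            if (match($0, /msg:"[^"]*"/)) msg = substr($0, RSTART + 5, RLENGTH - 6)
            if (match($0, /sid:[0-9]+/))  sid = substr($0, RSTART + 4, RLENGTH - 4)
            if (sid != "" && msg != "") print sid "\t" msg
        }'
}

# Constructed sample rules for demonstration (not from the Snort distribution).
SAMPLE_RULES='# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1000002; rev:2;)
# alert icmp any any -> any any (msg:"ICMP test"; sid:1000003; rev:1;)
pass ip any any -> any any (sid:1000004; rev:1;)'

# Demo: report missing modules, then show the sid/msg table for the sample.
echo "Missing Perl modules (empty means all present):"
missing_modules
echo "sid/msg table from the constructed sample rules:"
printf '%s\n' "$SAMPLE_RULES" | sid_msg_table
```

Run `missing_modules` right after the pkg_add and Tk steps: an empty result means the GUI and the GD/HTMLDoc reports have what they need, and a listed module tells you which package or CPAN build to revisit before chasing errors inside snortalog.pl itself.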

Snortalog GUI: you can generate reports based on a variety of options.

This is the ASCII report generated by loading a snort alert file.

-Snortalog HTML report-

Report showing the distribution of attack methods ...

I'm pretty satisfied with Snortalog, and it really suits my needs when it comes to analyzing firewall and IDS logs.

Cheers!

3 comments:

Anonymous said...

Hey! I enjoy your blog very much! Keep up the good work!!

C.S.Lee said...

Thx :]

Anonymous said...

Hi..
Is there any way to contact you??
I want to ask you more regarding Snortalog.. :)