I'm pretty sure most of you find that snort is not well supported under OpenBSD, what I mean it is not well supported would be it is always lack of documentations on how we can run snort or snort related tools on OpenBSD platform. Here I will share with OpenBSD and snort users how I get Snortalog working on OpenBSD.
What is Snortalog anyway? Snortalog is a tool written in perl that used to analyze the log files, it provides comprehensive and complete needs when comes to analyze snort log and firewall log as well, currently it supports wide range of firewalls logs including Checkpoint firewall, ipfw, iptables, pf and etc. Since it is using perl Tk to build it's gui which is similar to Oinkmaster gui, I'm pretty happy as the gui should run out of the box. Anyway you can still run Snortalog in command lind interface. To get snortalog working,
What is Snortalog anyway? Snortalog is a tool written in perl that used to analyze the log files, it provides comprehensive and complete needs when comes to analyze snort log and firewall log as well, currently it supports wide range of firewalls logs including Checkpoint firewall, ipfw, iptables, pf and etc. Since it is using perl Tk to build it's gui which is similar to Oinkmaster gui, I'm pretty happy as the gui should run out of the box. Anyway you can still run Snortalog in command lind interface. To get snortalog working,
Installing the needed dependencies for snortalog to work properly.
shell>pkg_add ${PKG_PATH}gd-2.0.33p2.tgz
shell>pkg_add ${PKG_PATH}p5-GD-Graph-1.43.tgz
shell>pkg_add ${PKG_PATH}p5-GD-TextUtil-0.86.tgz
shell>pkg_add ${PKG_PATH}htmldoc-1.8.23.tgz
Since HTML-HTMLDocis not available via OpenBSd port/package, I just download it.
shell>wget http://cpan.mirror.solnet.ch/modules/by-module/HTML/ HTML-HTMLDoc-0.10.tar.gz
In order to run snortalog in gui mode, it requires perl TK, however I get an error if I install p5-Tk from port, when I run
shell>./snortalog.pl -x
unknown option "accelerator" at /usr/local/libdata/perl5/site_perl/i386-openbsd/Tk.pm 247.
at /usr/local/libdata/perl5/site_perl/i386-openbsd/Tk/Menu/Item line 47
at /usr/local/libdata/perl5/site_perl/i386-openbsd/Tk/Menu/Item line 47
Since I'm not perl expert, directly I just download the perl Tk from cpan mirror site to install from source.
shell>wget http://cpan.mirror.solnet.ch/modules/by-module/Tk/
Tk800.025.tar.gz
shell>tar xvzf Tk800.025.tar.gz
shell>cd Tk800.25
shell>perl Makefile.PL
shell>make && make install
To configure rules path in snortalog.pl, just edit the line below in snortalog.pl,
$rules_file = "/usr/local/src/snort-2.4.3/rules"; $RULES = 1; # Path to find Rules file
Generate rule ID for snortalog,
shell>cat /usr/local/src/snort-2.4.3/rules/*.rules | ./snortalog.pl -genref ruleID.ref
You are pretty done with snortalog configuration and you can just launch snortalog gui with the command below,
shell>./snortalog.pl -x
Snortalog GUI, you can generate report based on variety of options.
This is the Ascii report that generated by loading snort alert file.
-Snortalog HTML report-
Report showing distribution of attack methods ...I'm pretty satisfy about Snortalog and it really suits my need when comes to analyze firewall and ids logs.
Cheers!
3 comments:
Hey!, I enjoy very much your blog! keep up the good work!!
Thx :]
hi..
is there any way to contact u./.??
wanna ask u more regarding the snortalog..:)
Post a Comment