::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::
Snort-ng V2.2.1 by jeremy.chartier@free.fr 
------------------------------------------
::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::


Introduction
------------

Snortalog is a Perl script that summarises Snort logs, making it easier
to see what attacks are being seen on your network. It provides
many sorting and filtering options, with output in ASCII and HTML format.


Configuration
-------------

There are several things to do to make the script work:
1: Set the path to the Perl binary in the first line of the script (the #! line).
2: Set the path to the domains file.
3: Set the path to the rules file (see -genref below).
4: Install the GD Perl module; it is needed to generate the charts.

Works with all Snort alerts, and with IPFilter and FW-1 logs.


Usage
-----
The following options are available:
-x                      GUI mode
-r                      Resolve IP addresses
-c                      Resolve domains
-h <file.html>          Write HTML output to the given file
-u <directory>          Specify the output directory
-g <gif|png|jpg>        Graph output format
-i                      Reverse the result order (least frequent first)
-d                      Debug mode
-n <integer>            Limit the result to this number of lines
-ether <interface>      Specify an interface
-genref                 Generate the reference rules file
-help                   Show this help

The following reports are available:

-src                      Top source IPs
-dst                      Top destination IPs
-src_attack               Top source IPs grouped by attack
-dst_attack               Top destination IPs grouped by attack
-src_dst_attack           Top alerts grouped by source IP, destination IP and attack
-attack                   Top attacks
-class                    Top classifications
-severity                 Top severities
-daily_event              Top number of attacks grouped by day
-hour                     Top number of attacks grouped by hour
-hour_attack              Top specific attacks grouped by hour
-dport                    Top destination ports
-proto                    Top protocols
-dport_attack             Top destination ports grouped by attack
-nids                     Top NIDS hosts
-stateful                 Top stateful problems
-interfaces               Top interface events
-domain_src               Top source domains
-portscan                 Top portscan alerts
-actions                  Top firewall actions (DROP, REJECT, ACCEPT, etc.)
-rules                    Top number of DROPs by rule (FW-1 only)
-reasons                  Top number of DROP reasons (FW-1 only)
-same_src_dport           Top source IPs grouped by destination port
-same_dst_dport           Top destination IPs grouped by destination port



Examples
--------
# cat snort*.rules | ./snortalog.pl -genref refsigtxt

snortalog generates a reference rules file from your Snort rules or from your own signatures.

# cat file.logs | ./snortalog.pl -r -n 30

snortalog generates ASCII output with address resolution, limited to the 30 most frequent occurrences.

# cat file.logs | ./snortalog.pl -r -n 30 -dst_attack

Same as above, but only for the dst_attack report.

# cat file.logs | ./snortalog.pl -r -i -h file.html

snortalog generates HTML output in file.html, with address resolution, and lists results from least frequent to most frequent (reverse mode).

# cat file.logs | ./snortalog.pl -r -g gif -h file.html -u /tmp/

HTML output with address resolution as above (in normal order), plus GIF graphs, written to the directory /tmp/.

# cat file.logs | ./snortalog.pl -i -n 30 | /usr/sbin/sendmail -f user@domain user@domain

snortalog generates ASCII output in reverse order, limited to 30 occurrences, and the result is sent by mail.

# cat file_200212[1-7] | ./snortalog.pl

snortalog generates ASCII output for all events of the first week of December 2002 (days 1 to 7). Note that the glob [1-7] matches exactly one character, so this assumes file names with an unpadded day (file_2002121 ... file_2002127); for zero-padded names such as file_20021201, use file_2002120[1-7] instead.

# cat file_20021* | ./snortalog.pl

snortalog generates ASCII output for all events of the last three months of 2002 (October to December).
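
The report list above and the -n / -i / -dst_attack examples describe what snortalog computes without showing it. The following is an added example in Python, not snortalog's own Perl code: a small re-implementation of the -src, -dst_attack and -hour reports with the -n (row limit) and -i (least frequent first) semantics, run over a few constructed Snort alert lines. It assumes the input is Snort's "fast" alert format (one of several formats snortalog accepts); the sample lines, addresses and signature IDs are made up, the regular expression and the tie-breaking order are my own, and the ASCII layout is only in the spirit of snortalog's output.

```python
"""Added example: a small re-implementation of three snortalog reports over
Snort "fast" alert lines. Not snortalog's own code."""
import re
from collections import Counter

# Snort "fast" alert format (assumption: one of the formats snortalog reads).
# Ports are optional so ICMP alerts, which carry none, also match.
FAST_RE = re.compile(
    r"^(?P<month>\d{2})/(?P<day>\d{2})-(?P<hour>\d{2}):\d{2}:\d{2}\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<klass>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (RFC 5737 addresses, made-up SIDs). The last
# line is deliberate noise that a summariser must skip rather than choke on.
SAMPLE = """\
12/01-03:14:22.123456  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4521 -> 198.51.100.5:80
12/01-03:14:23.001122  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4522 -> 198.51.100.6:80
12/01-09:02:10.555555  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 198.51.100.5
12/02-09:05:41.000001  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40000 -> 198.51.100.5:80
12/02-22:45:00.999999  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.77:1434 -> 198.51.100.9:1434
this line is not an alert and must be skipped
"""


def parse_alerts(text):
    """Return one dict per recognisable alert line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def rank(counter, n=None, reverse=False):
    """Order a Counter the way the reports do: most frequent first, or least
    frequent first with reverse=True (the -i flag). Ties are broken by key so
    output is deterministic (my choice; snortalog's tie order is not documented
    here). n caps the number of rows (the -n flag)."""
    if reverse:
        rows = sorted(counter.items(), key=lambda kv: (kv[1], kv[0]))
    else:
        rows = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return rows[:n] if n is not None else rows


def report_src(events, n=None, reverse=False):
    """-src: top source IPs."""
    return rank(Counter(e["src"] for e in events), n, reverse)


def report_dst_attack(events, n=None, reverse=False):
    """-dst_attack: top destination IPs grouped by attack (signature message)."""
    return rank(Counter((e["dst"], e["msg"]) for e in events), n, reverse)


def report_hour(events, n=None, reverse=False):
    """-hour: number of attacks grouped by hour of day."""
    return rank(Counter(e["hour"] for e in events), n, reverse)


def render(title, rows):
    """ASCII table in the spirit of snortalog's output (layout is my own)."""
    out = [title, "-" * len(title)]
    for key, count in rows:
        label = key if isinstance(key, str) else " / ".join(key)
        out.append(f"{count:6d}  {label}")
    return "\n".join(out)


if __name__ == "__main__":
    ev = parse_alerts(SAMPLE)
    print(render("Top source IPs (-src -n 2)", report_src(ev, n=2)))
    print(render("Top destination IPs by attack (-dst_attack)", report_dst_attack(ev)))
    print(render("Events by hour, least frequent first (-hour -i)",
                 report_hour(ev, reverse=True)))
```

Feed it a real alert file with parse_alerts(open("alert").read()) to compare its counts with snortalog's; lines in a format the regular expression does not cover (for example Snort's "full" multi-line alerts) are silently dropped, so a row count far below the number of alerts in the file means the format assumption is wrong, not that the network was quiet.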


Contact
-------
I'd like to receive feedback, suggestions and/or patches for this tool.

You can email me at jeremy.chartier@free.fr
More information at http://jeremy.chartier.free.fr/snortalog/
