Government Security
Network Security Resources

Snortsnarf tutorial



#1 Travis

Posted 27 April 2003 - 08:35 AM

Hello peeps, please see the tutorial below if you are interested in a pretty decent correlation tool
that uses snort alert files. With that being said, read on and hopefully enjoy.
**set your characters per line to 100 for proper formatting**
Don

Snortsnarf tutorial

What this tutorial will attempt to do is show how to compile and successfully use snortsnarf. The
snortsnarf program was written by Jim Hoagland of http://www.silicondefense.com. Snortsnarf itself
can also be downloaded for free from the above mentioned url. As mentioned on the site, snortsnarf
was written in perl. What this means to the average user is that snortsnarf will run in both Win32
and *nix. This tute is written in a specific order for clarity's sake, that order being from the
time of downloading the snortsnarf file to the successful conclusion of using it.

A few points to note first. You will need to have perl installed on your machine. Surf to the
following url;
http://www.perl.com/...o/software.html and
proceed to install it. On my linux machine this was installed for me when I did my initial install.
It was installed to /usr/lib/ followed by the perl directories and sub-directories.

Secondly this tutorial is written from the perspective that
you will be using this on linux. Though realistically it would not be all that different from a
Win32 install.

First off as noted one must go to the above mentioned site and download the file. The file is zipped
as you see by the following --> SnortSnarf-021111.1.tar.gz You will need to run the following
command to unzip the file so you can use it --> tar xvfz SnortSnarf-021111.1.tar.gz Once the command
is entered you will see a bunch of stuff fly across your term window. Now do a ls -l in your
directory. You will notice a new directory --> SnortSnarf-021111.1 You have now installed
snortsnarf! Huzzah!

You will now have to download several time modules to run snortsnarf successfully. You will need to
surf to the following url --> http://search.cpan.o...t/Time-modules/
and download the three following time modules: Julianday, Parsedate and Timezone. You will need to
click on each individual one and then download the source. Just right click and do a "save link as".
Once these files are downloaded you will have to copy them to the following relative path
-->/usr/lib/perl5/site_perl/5.6.1/i586-linux/Time So what you will do is the normal copy command,
ie: cp JulianDay.pm followed by the above mentioned path of /usr/lib/... Make sure that you copy all
three time modules there. I recommend going to the directory noted above and confirming that

Now you will also have to do another copy for snortsnarf to work properly. You will have to copy the
include directory to the following path /usr/lib/perl5/site_perl/ The include directory is found
with the snortsnarf directory that was created when you unzipped the downloaded snortsnarf file.
In the interests of showing you I have copy and pasted the contents of the snortsnarf directory
itself as noted below.

don@monkeylabs:~/SnortSnarf-021111.1> dir
total 97
-r--r--r-- 1 1001 1001 18007 Nov 11 20:11 COPYING
-r--r--r-- 1 1001 1001 20241 Nov 11 20:11 Changes
-r--r--r-- 1 1001 1001 5818 Nov 11 20:11 README
lrwxrwxrwx 1 1001 1001 16 Apr 10 17:43 README.SISR -> sisr/README.SISR
lrwxrwxrwx 1 1001 1001 26 Apr 10 17:43 README.nmap2html -> nmap2html/README.nmap2html
drwxr-xr-x 2 1001 1001 48 Nov 11 20:11 Time-modules
-r--r--r-- 1 1001 1001 17854 Nov 11 20:11 Usage
drwxr-xr-x 2 1001 1001 328 Nov 11 20:11 cgi
drwxr-xr-x 3 1001 1001 208 Nov 11 20:11 include
-r--r--r-- 1 1001 1001 36 Nov 11 20:11 new-annotation-base.xml
drwxr-xr-x 2 1001 1001 176 Nov 11 20:11 nmap2html
drwxr-xr-x 5 1001 1001 248 Nov 11 20:11 sisr
drwxr-xr-x 227 root root 5576 Apr 10 21:42 snfout.scans.030325_2
-rwxr-xr-x 1 1001 1001 18527 Nov 11 20:11 snortsnarf.pl
drwxr-xr-x 2 1001 1001 192 Nov 11 20:11 utilities

As you can see the include directory is there. You will use the following command syntax to copy
this directory to the above mentioned path. You need to use the -r switch so that the directory and
all of its contents are copied.

cp -r include/ /usr/lib/perl5/site_perl/

Now in the finest tradition of linux there is no reboot required. You can now go ahead and test for
a successful compilation by trying the following command. Oh yeah, before I forget, you will need to
be in the snortsnarf directory to invoke snort snarf. So without further ado type the following
command syntax.

./snortsnarf.pl -usage

This will hopefully give you the below noted.

snortsnarf.pl { OPTION | FILE | user[:passwd][@dbname@host[:port] }
FILE is a text file containing snort alerts in full alert, fast alert, syslog,
portscan log, or portscan2 log format
user[:passwd][@dbname]@host[:port] is a Snort database
OPTION is one of the following:
-d <dir> Set the output directory to <dir>
-win Run in windows mode (required on Windows)
-hiprioisworse Consider higher priority #'s to indicate higher priority
-cgidir <URL> Indicate that SnortSnarf's CGI scripts are in <URL>, for links
-homenet <net> Match <net> to snort -h <net>. For -ldir
-ldir <URL> Enable log linking; <URL> is base URL for the log files
-dns [<net>] Show hostnames for IPs, or only IPs in <net> (can be slow)
-rulesfile <file> Set base Snort rules to <file>. For sig. display and X-refs
-rulesdir <dir> Set current directory for rule files from -rulesfile
-rulesscanonce Save read Snort rules in memory. Might save CPU
-db <path> Enable annotations; <path> is full path to ann. file from CGI
-sisr <file > Enable incident storage and reporting; <file> is SISR's config
-nmapurl <URL> Enable linking to nmap2html output; <URL> is base URL
-nmapdir <dir> For -nmapurl, verify page for IP exists in <dir> before linking
-color=<opt> Set alert background color scheme. <opt> is yes, no, or rotate
-top=<N> <N> entries on top source and dest reports are shown
-onewindow Do not open new browser windows
-rs Reverse signature listing order, put most interesting first
-refresh=<secs> Cause pages to refresh every <secs> seconds
-split=<N> Change split threshold for alert pages to <N>. 0=never split
-obfuscateip Anonymize IPs by remapping addrs in alerts (file input only)
-ymd Show dates outside alerts in year/month/day order
-gmt Show dates outside alerts in your local TZ (for snort -g only)

I snipped the remainder of the usage menu for brevity's sake. Now that you have it successfully
compiled you can go ahead and start using it on those alert files that Snort has generated for you,
the ones in /var/log/snort/. I would like to add another tip here for you folks who will be doing
multiple files. Make sure you go to /var/log/snort/ and do a rm -r * within that directory before
processing another binary file. This way you are not appending your alert file to the already
existing one. That is all I will mention on Snort usage as there are already a ton of Snort
tutorials out there. However if you have a question feel free to email me at the addy provided at
the end of this tutorial, and I will endeavor to answer it for you.

Now on to an example of real world snortsnarf usage.

./snortsnarf.pl -rs /var/log/snort/alert

Typing in the above command syntax will be telling snortsnarf to use the -rs switch which, as seen in
the usage menu, puts the alarms in the order of most interesting first. The /var/log/snort/alert
tells snortsnarf what file it is to process. As the above syntax stands, the output of snortsnarf
will be written to the snortsnarf directory itself. If you want to specify a different place for the
output to go then use the -dir command followed by where you want the output to go, ie:
/home/don/snarf_output/ An example of what the output will look like is shown by the following
example: snfout.scans.030325_2 This will be a directory. Everything following the snfout. is
whatever the name of the file is that you fed into the program. In my case scans.030325_25
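As an added illustration (this is not code from the original post, nor from SnortSnarf itself), the
following Python script does in miniature the kind of correlation snortsnarf performs on a Snort
fast-alert file: it parses each line, groups alerts by signature with the number of distinct sources
and destinations involved, and builds top-N source and destination lists similar to what the -top=<N>
switch controls. The alert lines are constructed for the example, the ordering (most alerts first)
and the plain-text report layout are my own choices, and it does not attempt snortsnarf's HTML output
or its other alert formats.

```python
"""Minimal Snort fast-alert correlator, in the spirit of snortsnarf's signature and top-talker reports.

Added example: this is not snortsnarf code. The alert lines below are constructed for the
demonstration and do not come from a real sensor.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in Snort "fast alert" format (one alert per line).
# The last line is deliberately malformed to show that junk is skipped rather than fatal.
SAMPLE_FAST_ALERTS = """\
03/25-14:02:11.123456 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4021 -> 192.168.1.10:80
03/25-14:02:12.223456 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4022 -> 192.168.1.11:80
03/25-14:03:01.000001 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:1033 -> 192.168.1.10:80
03/25-14:05:44.500000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.10
03/25-14:05:44.600000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.11
03/25-14:09:30.000000 [**] [1:1807:1] WEB-MISC Chunked-Encoding transfer attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4100 -> 192.168.1.10:80
this line is not an alert and must be skipped
"""

# Fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification and Priority are optional; ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alerts(text):
    """Parse fast-alert text into a list of dicts. Returns (alerts, number_of_skipped_lines)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if m is None:
            skipped += 1  # unparseable line: count it so the report can say data was dropped
            continue
        d = m.groupdict()
        d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
        d["priority"] = int(d["prio"]) if d["prio"] else None
        alerts.append(d)
    return alerts, skipped


def summarize(alerts, top=5):
    """Group alerts by signature and compute top-N sources and destinations."""
    per_sig = defaultdict(lambda: {"count": 0, "sources": set(), "dests": set(), "priority": None})
    src_counter, dst_counter = Counter(), Counter()
    for a in alerts:
        entry = per_sig[(a["gid"], a["sid"], a["msg"])]
        entry["count"] += 1
        entry["sources"].add(a["src"])
        entry["dests"].add(a["dst"])
        entry["priority"] = a["priority"]
        src_counter[a["src"]] += 1
        dst_counter[a["dst"]] += 1

    signatures = sorted(
        (
            {"gid": gid, "sid": sid, "msg": msg, "count": e["count"],
             "sources": len(e["sources"]), "dests": len(e["dests"]), "priority": e["priority"]}
            for (gid, sid, msg), e in per_sig.items()
        ),
        key=lambda s: (-s["count"], s["sid"]),  # most alerts first, stable tie-break on sid
    )

    def top_n(counter):
        # Highest count first; ties broken by address string so output is deterministic.
        return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

    return {"signatures": signatures, "top_sources": top_n(src_counter), "top_dests": top_n(dst_counter)}


def format_report(summary, skipped=0):
    """Render the summary as plain text (snortsnarf itself produces linked HTML pages)."""
    lines = ["Signature section (most alerts first):"]
    for s in summary["signatures"]:
        lines.append(f"  [{s['gid']}:{s['sid']}] {s['msg']}: {s['count']} alerts from "
                     f"{s['sources']} source(s) to {s['dests']} destination(s), priority {s['priority']}")
    lines.append("Top sources:")
    lines.extend(f"  {ip}  {n}" for ip, n in summary["top_sources"])
    lines.append("Top destinations:")
    lines.extend(f"  {ip}  {n}" for ip, n in summary["top_dests"])
    if skipped:
        lines.append(f"({skipped} line(s) could not be parsed and were skipped)")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed, dropped = parse_fast_alerts(SAMPLE_FAST_ALERTS)
    print(format_report(summarize(parsed, top=5), dropped))
```

To run it on a real sensor's output, read /var/log/snort/alert into `SAMPLE_FAST_ALERTS` instead of
the constructed text; note that Snort's default "full" alert format spreads one alert over several
lines and would need a different parser, which is why this example sticks to the one-line fast format.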

I will not go into any more switches as they are really self explanatory. Should you have any
further questions then just post them in the snortsnarf users forum found at;
http://www.siliconde...are/snortsnarf/

Now as mentioned by the author snortsnarf is a ram pig in a major way. My main machine is a P4
2.53Ghz with 512Mb of DDR 2100 ram. To process a 27Mb file it took roughly 6 hours. So
be prepared to wait longer if your machine's specs are below that of mine. However rest assured that
snortsnarf will do its job.

That is it for the tutorial folks! I hope I was able to enlighten some of you, and make installing
and using snort snarf as pain free as possible. Should you want to get ahold of me for something or
other please email me at the following addy --> hydra291 at hotmail dot com

And last but not least shouts to Jim Hoagland and Silicon Defense for writing such an excellent
tool, and better yet for offering it up free of charge.



