• Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

snortsnarf tutorial

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security

View previous topic :: View next topic  
Author Message
Just Arrived
Just Arrived

Joined: 16 Apr 2003
Posts: 2


PostPosted: Wed Jul 23, 2003 3:11 pm    Post subject: snortsnarf tutorial Reply with quote

I was searching for some good snortsnarf tuts. cudn't find any. I remember alt.don said that he will write a tut if there is demand. Well alt.don I am demanding it mate. many of us will appriciate it if you give us a nice tut abot snortsnarf. Thanking you in advance cause I know you will not let a friend down. Very Happy
Back to top
View user's profile Send private message AIM Address MSN Messenger
SF Boss
SF Boss

Joined: 04 Mar 2003
Posts: 16777079


PostPosted: Wed Jul 23, 2003 5:29 pm    Post subject: snortsnarf tutorial Reply with quote

Snortsnarf tutorial for Linux

What this tutorial will attempt to do is show how to compile and successfully use snortsnarf. The snortsnarf program was written by Jim Hoagland of Silicon Defense. Snortsnarf itself can also be downloaded for free from the Snort website. As mentioned on the site snortsnarf was written in perl. What this means to the average user is that snortsnarf will run in both Win32 and *nix. This tute is written in a specific order for clarities sake. That order being from the time of downloading the snortsnarf file to the successful conclusion of using it.

A few points to note first. You will need to have perl installed on your machine. Surf to the following url; http://www.perl.com/pub/a/language/info/software.htmland proceed to install it. On my linux machine this was installed for me when I did my initial install. It was installed to /usr/lib/ followed by the perl directories and sub-directories. Should you have to install it yourself then just install it to the same directory of /usr/lib as seen above.

First off as noted one must go to the above mentioned site and download the file. The file is zipped as you see by the following --> SnortSnarf-021111.1.tar.gz You will need to run the following command to unzip the file so you can use it.
tar xvfz SnortSnarf-021111.1.tar.gz

Once the command is entered you will see a bunch of stuff fly across your term window. Now do the following command in the your term window to confirm the successful unzipping of your file.
ls l

You should now see SnortSnarf-021111.1 or some directory resembling it. You have now installed snortsnarf! Huzzah!

You will now have to download several time modules to run snortsnarf successfully. You will need to surf to the following url --> http://search.cpan.org/dist/Time-modules/ and download the three following time modules; Julianday Parsedate and Timezone. You will need to click on each indvidual one and then download the source. Just right click and do a "save link as". Once these files are downloaded you will have to copy them to the following relative path noted on the following line.
/usr/lib/perl5/site_perl/5.6.1/i586-linux/Time/ So what you will do is the normal copy command.

cp JulianDay.pm (to the above relative path /usr/lib/...)

p.s As a note make sure the files you downloaded have the .pm extension and not a .txt attached to the .pm as well. In essence JulianDay.pm.txt it should be JulianDay.pm

Now you will also have to do another copy for snortsnarf to work properly. You will have to copy the /include directory to the following path /usr/lib/perl5/site_perl/ The include directory is found within the snortsnarf directory that was created when you unzipped the downloaded snortsnarf file.In the interests of showingyou I have copy and pasted the contents of the snortsnarf directory itself as noted below.
don@monkeylabs:~/SnortSnarf-021111.1> dir
total 97
-r--r--r--    1 1001     1001        18007 Nov 11 20:11 COPYING
-r--r--r--    1 1001     1001        20241 Nov 11 20:11 Changes
-r--r--r--    1 1001     1001         5818 Nov 11 20:11 README
lrwxrwxrwx    1 1001     1001           16 Apr 10 17:43 README.SISR -> sisr/README.SISR
lrwxrwxrwx    1 1001     1001           26 Apr 10 17:43 README.nmap2html -> nmap2html/README.nmap2html
drwxr-xr-x    2 1001     1001           48 Nov 11 20:11 Time-modules
-r--r--r--    1 1001     1001        17854 Nov 11 20:11 Usage
drwxr-xr-x    2 1001     1001          328 Nov 11 20:11 cgi
drwxr-xr-x    3 1001     1001          208 Nov 11 20:11 include
-r--r--r--    1 1001     1001           36 Nov 11 20:11 new-annotation-base.xml
drwxr-xr-x    2 1001     1001          176 Nov 11 20:11 nmap2html
drwxr-xr-x    5 1001     1001          248 Nov 11 20:11 sisr
drwxr-xr-x  227 root     root         5576 Apr 10 21:42 snfout.scans.030325_2
-rwxr-xr-x    1 1001     1001        18527 Nov 11 20:11 snortsnarf.pl
drwxr-xr-x    2 1001     1001          192 Nov 11 20:11 utilities

As you can see the include directory is there. You will use the following command syntax to copy this directory to the above mentioned path. You need to use the -r switch so that the directory and all of it's contents are copied.
cp -r include/ /usr/lib/perl5/site_perl/

Now in the finest tradition of linux there is no reboot required. You can now go ahead and test for a successful compilation by trying the following command. Oh yeah before I forget you will need to be in the snortsnarf directory to invoke snortsnarf. So without further ado type the following command syntax.

./snortsnarf.pl -usage

This will hopefully give you the below noted.
snortsnarf.pl { OPTION | FILE | user[:passwd][@dbname@host[:port] }
FILE is a text file containing snort alerts in full alert, fast alert, syslog,
 portscan log, or portscan2 log format
user[:passwd][@dbname]@host[:port] is a Snort database
OPTION is one of the following:
-d <dir>        Set the output directory to <dir>
-win            Run in windows mode (required on Windows)
-hiprioisworse  Consider higher priority #'s to indicate higher priority
-cgidir <URL>   Indicate that SnortSnarf's CGI scripts are in <URL>, for links
-homenet <net>  Match <net> to snort -h <net>.  For -ldir
-ldir <URL>     Enable log linking; <URL> is base URL for the log files
-dns [<net>]    Show hostnames for IPs, or only IPs in <net> (can be slow)
-rulesfile <file>  Set base Snort rules to <file>. For sig. display and X-refs
-rulesdir <dir>  Set current directory for rule files from -rulesfile
-rulesscanonce  Save read Snort rules in memory.  Might save CPU
-db <path>      Enable annotations; <path> is full path to ann. file from CGI
-sisr <file >   Enable incident storage and reporting; <file> is SISR's config
-nmapurl <URL>  Enable linking to nmap2html output; <URL> is base URL
-nmapdir <dir>  For -nmapurl, verify page for IP exists in <dir> before linking
-color=<opt>    Set alert background color scheme. <opt> is yes, no, or rotate
-top=<N>        <N> entries on top source and dest reports are shown
-onewindow      Do not open new browser windows
-rs             Reverse signature listing order, put most interesting first
-refresh=<secs>  Cause pages to refresh every <secs> seconds
-split=<N>      Change split threshold for alert pages to <N>. 0=never split
-obfuscateip    Anonymize IPs by remapping addrs in alerts (file input only)
-ymd            Show dates outside alerts in year/month/day order
-gmt            Show dates outside alerts in your local TZ (for snort -g only)

I snipped the remainder of the usage menu for brevity's sake. Now that you have it successfully compiled you can go ahead and start using it on those alert files that Snort has generated for you. The one's in /var/log/snort/ I would like to add another tip here for you folks who will be doing multiple files. Make sure you go to /var/log/snort/ and do a
rm -r *

within that directory before processing another binary file. This way you are not appending you alert file to the already existing one. That is all I will mention on Snort usage as there are already a ton of Snort tutorials out there. However if you have a question feel free to email me at the addy provided at the end of this tutorial, and I will endeavor to answer it for you.

Now on to an example of real world snortsnarf usage.

./snortsnarf.pl -rs /var/log/snort/alert

Typing in the above command syntax will be telling snortsnarf to use the -rs switch which as seen in the usage menu puts the alarms in the order of most interesting first.

The /var/log/snort/alert file tells snortsnarf what file it is to process. As the above syntax stands the output of snortsnarf will be written to the snortsnarf directory itself. If you want to specify a different place for the output to go then use the -dir command followed by where you want the output to go. See below for an example.
./snortsnarf.pl rs /var/log/snort/alert dir /home/don/

I will not go into any more switches as they are really self explanatory. Should you have any further questions then just post them in the snortnsarf users forum found at http://www.silicondefense.com/software/snortsnarf/

Now as mentioned by the author snortsnarf is a ram pig in a major way as well as physical disk space. My main machine is a P4 2.53Ghz with 768Mb of DDR 2100 ram. To process a 27Mb file it took roughly 6 hours. So be prepared to wait longer if your machines specs are below that of mine. However rest assured that snortsnarf will do it's job Smile

Last edited by alt.don on Tue Jan 06, 2009 2:09 am; edited 8 times in total
Back to top
View user's profile Send private message Visit poster's website
Just Arrived
Just Arrived

Joined: 16 Apr 2003
Posts: 2


PostPosted: Wed Jul 23, 2003 7:05 pm    Post subject: Reply with quote

big thanks for that one alt.don ... I cud not try it today, but tomorrow morning first thing i will do is set this pig up. Smile
Back to top
View user's profile Send private message AIM Address MSN Messenger

PostPosted: Wed Jun 30, 2004 12:30 am    Post subject: Reply with quote

good stuff, I'll refer to this once I set up my linux box... again...
Back to top
Just Arrived
Just Arrived

Joined: 13 Sep 2004
Posts: 0


PostPosted: Fri Jan 07, 2005 7:04 am    Post subject: Reply with quote

many thanks to alt.don...

This site is successfull coz of efforts that u guys made.
Back to top
View user's profile Send private message Yahoo Messenger
Just Arrived
Just Arrived

Joined: 06 Aug 2007
Posts: 0
Location: London - UK


PostPosted: Tue Aug 14, 2007 1:22 pm    Post subject: Reply with quote

Thank you very helpfull!
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security All times are GMT + 2 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register