
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Snort | 485
Snort analyzers
To evaluate large streams of Snort output effectively, you’ll find a database and a graphic frontend very useful.
Barnyard routes Snort output to various destinations, including databases, files, email, and display screens. It can run on a separate machine from the Snort server and does not need to be run as root, which improves both security (the output-processing code runs unprivileged) and performance (the sensor is no longer blocked on slow database writes). To communicate with Barnyard, Snort needs to output to the unified file format. The current tarball can be found under http://www.snort.org/dl/barnyard/.
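An added example, not from the book, of the minimum wiring the paragraph describes: the unified alert output plugin on the Snort sensor, and a Barnyard configuration on the analysis host that reads that spool and loads it into an ACID database. Syntax follows the Snort 2.x / Barnyard 0.2 generation the book refers to; the file paths, sensor id, hostname and database credentials are assumed placeholders, and packet-log records (the parallel log_unified / dp_log pair) are omitted.

```conf
# --- snort.conf on the sensor (assumed path /etc/snort/snort.conf) ---
# Unified output is a binary spool: Snort only appends records, and
# Barnyard does the slow formatting and database work elsewhere.
# "limit 128" rolls the file over at 128 MB.
output alert_unified: filename snort.alert, limit 128

# --- barnyard.conf on the analysis host (assumed path) ---
# Barnyard needs no root privileges: the spool directory only has to
# be readable by the unprivileged account it runs as, and because the
# database password lives in this file, keep it readable by that
# account alone.
config hostname:  sensor1
config interface: eth0
config localtime

# Processor for the alert spool written by alert_unified above.
processor dp_alert

# Plain-text copy for quick checks on the console host ...
output alert_fast
# ... and the ACID schema that the web frontend queries.
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example.com, user snort, password CHANGE_ME, detail full

# Launch in continuous mode. The waldo file records how far into the
# spool Barnyard has read, so a restart resumes without duplicates.
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort \
#            -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map \
#            -f snort.alert -w /var/log/snort/barnyard.waldo
```

The gen-msg.map and sid-msg.map files ship with the Snort rules and map the numeric ids in the unified records back to rule names; Barnyard cannot label alerts without them.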
The Analysis Console for Intrusion Databases (ACID) is a web-based frontend to Snort, written in PHP. Details are available at http://acidlab.sourceforge.net/ as well as http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html. A guide to installing and configuring ACID is found at http://www.snort.org/docs/snort_acid_rh9.pdf.
Sguil is a GUI-based frontend to Snort, written in Tcl/Tk. See http://squil.sourceforge.net for details.
A recent web-based console is OpenAanval, the open source version of the commercial Aanval product. The latest version can be found under http://www.aanval.com/downloads/.
Updating Snort’s rules automatically
The last tip I’ll offer on Snort use is a reminder that the Snort team refreshes the official collection of contributed ...