Chapter 6. Log Analysis

Introduction

Now that you have an efficient system in place to collect, store, and manage data, what kinds of things can you do with that data? IDS data is an excellent resource for graphing and statistically analyzing network patterns to recognize long-term trends and attacks. This chapter explores some of the methods used to analyze and graph Snort data and generate useful statistical information. Some of the most popular tools for analyzing logs include: snort_stat, SnortALog, Snort Alert Monitor, and Cerebus. This chapter also explores some additional graphing and analysis features of Snort administrative tools such as ACID and Snortsnarf. Finally, this chapter examines several methods to test IDS signatures including the use of tools such as Snot, Sneeze, Stick, and the Metasploit framework. When it comes to your IDS data, don’t “collect and forget.” The graphs and statistical output generated by IDS data can benefit the organization in many areas, such as in expanding networks, reevaluating perimeter defenses, repositioning top targets, and discovering bottlenecks. Most importantly, the high-level overview produced by graphs and statistics allows upper management to better understand and support network and security initiatives.

6.1. Generating Statistical Output from Snort Logs

Problem

You want to get statistical information from your Snort logs.

Solution

Use snort_stat to generate statistical data from the Snort logfile. Download the snort_stat.pl file ...

Get Snort Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.