
A Few Cool Tools for Snort


Adapted From: Snort For Dummies

Developers are designing a ton of cool Snort tools. Some are actively supported, and some are left to the vultures. Here is a quick rundown of a few of these up-and-coming tools.

Alert-management tools

Alert management tools parse Snort log files and provide alert log viewing in a more convenient format.

SnortSnarf

SnortSnarf is a Perl script with a handful of supporting modules. It installs in about 5 minutes and is configured entirely from the command line. SnortSnarf parses Snort's alert or log data and outputs that data to handy HTML files.

SnortSnarf runs against Snort's alert and log files or, with a plug-in module, reads Snort data straight out of your MySQL database and outputs all that data to a stack of HTML files, similar to the ACID console. SnortSnarf gives you a quick and easy way to transform those arcane Snort log files or database entries into easy-to-use, fully cross-referenced Web pages. SnortSnarf can be run straight from the command line as either a one-off process or as a regularly scheduled process using the Linux cron utility.

SnortSnarf is a memory hog. Don't expect to run it directly on a high-traffic Snort sensor or a server with little memory to spare.

Snort Alert Monitor

Snort Alert Monitor (SAM) is a Java-based console that gives you a quick look at the Snort alerts in your MySQL database. Don't confuse this tool with SnortSam, the real-time attack blocker.

SAM is a Java console application, so it's platform independent. SAM monitors your MySQL database and gives you a real-time view of incoming Snort alerts. SAM also gives you audible alerts (using a dictionary of sound files) for every alert you receive. You can configure SAM to send you an e-mail when Snort alerts on an attempted exploit on your network. Although SAM hasn't been updated since 2002, it's still a pretty useful tool.

SAM takes all of 3 minutes to install and configure. You instantly have a window into your incoming Snort alerts. The audio alerts are taken from 2001: A Space Odyssey, and who doesn't think HAL is cool?

SAM only outputs 60 minutes of Snort alerts to its console, and you don't get the drill-down detail and forensics options available for each alert (such as looking up an attacker's address via WHOIS) you get with ACID console or SnortSnarf.

Alert-reporting tools

For those who need those pretty graphics (especially those with managers who need the pretty graphics), these tools add some graphic capability to the Snort alert-logging functions.

RRD-Snort

RRD-Snort is a graphing utility that creates a graphic of the alerts/events stored in a Snort database. RRD-Snort allows you to develop a graphic representation of the top attack methods detected by your Snort sensor.

RRD-Snort is a Perl script that reads stored alerts or events in the Snort database and converts that data to a distribution of top attack methods that the Snort sensor has detected. You choose the number of methods.

Who doesn't love cool 3-D graphics of flying X-Wings fighting the Emperor Zurg for control of the entire freakin' galaxy? Unfortunately, RRD-Snort outputs the most frequent attack methods detected by Snort in 2-D bar graphs. It's still pretty darn cool, though.

Snortalog

Snortalog is a Perl-based Snort log analyzer on steroids with output options to ASCII text, HTML, and graphs (formatted in JPEG, GIF, or PNG). Snortalog is configured and managed from a GUI interface, and it runs on either Linux or Windows. It reads Snort output in any of Snort's logging formats, including syslog, fast alert, and full alert (no other tool that we've seen has this feature), and then builds flat text or HTML summary reports. Snortalog's summary reports are similar to ACID's reports, but more compact.

In Linux, Snortalog outputs an impressive set of graphs based on the data it summarizes. The graphs are available in JPEG, GIF, and PNG formats.

Snortalog also reads log formats of Checkpoint FireWall-1 and Cisco PIX firewalls.

Ever sit like a Pavlovian experiment waiting for little nuggets of data in your ACID console on a very busy network and database? Snortalog summarizes what you need to know about the state of your network security right now. It supports multiple sensors and produces pretty graphics for the management.

Alert-response tools

Everyone wants to press a button and launch a hundred Tomahawk missiles every time a real alert comes across the wire. Though these tools don't necessarily allow that functionality, they do allow you to update your firewall to block an incoming attack that Snort has alerted on.

SnortFW

Tired of hand-configuring iptables every time an attacker triggers a Snort alert? SnortFW does all that for you. SnortFW analyzes incoming Snort alerts and (depending on the scan thresholds and danger-level assignments you configure) updates your iptables firewall to block the attacker. SnortFW also can e-mail alert information to any number of mailboxes for further incident response.

Though SnortFW code is still in the alpha development stage and has a few hitches, it's fast and effective at shutting down attacks as they happen.

Guardian

Guardian is an active-response utility that updates firewall rules on the fly based on Snort alerts, actively blocking all incoming data from an attacker's IP address. Other configuration options allow you to "whitelist" certain machines to prevent false positives from causing your firewall to go haywire. Use that whitelist before you turn active response on: the source address of a packet that trips a rule can be spoofed, so an unrestricted auto-blocker can be tricked into cutting you off from hosts you depend on (your DNS servers, upstream routers, business partners). Guardian includes shell scripts for

  • Commercial firewalls (Checkpoint Firewall-1 and Cisco PIX)
  • Open source firewalls based on Unix, BSD, and Linux (ipchains, iptables, ipfwadm, IPFW, and ipfilter firewalls and packet filters)

Guardian lets you strike back at your attackers by blocking their work before it can harm your systems. What could be cooler than that? (Other than an automatic Tomahawk missile launch to the attacker's spider hole.)
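To make concrete what the alert-management and alert-reporting tools above do (parse Snort's alert output and rank the top signatures) and what the alert-response tools do (count alerts per source, apply a threshold and a whitelist, then block), here is a small added example in Python. It is not code from Snort For Dummies or from any of the tools covered on this page. It parses Snort's alert_fast line format, which is what SnortSnarf and Snortalog read, and it emits the iptables commands a SnortFW- or Guardian-style blocker would run, as strings only, so nothing on your firewall changes. The sample alert lines, rule SIDs, threshold and whitelist are all constructed for the example.

```python
"""Parse Snort alert_fast output, rank signatures, and plan firewall blocks.

Added example: not code from Snort For Dummies, SnortSnarf, Snortalog,
SnortFW or Guardian. Blocks are returned as iptables command strings and
are never executed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Snort 2.x alert_fast line, for example:
# 03/15-14:22:01.123456  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: ...] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (RFC 5737 documentation addresses, made-up SIDs).
SAMPLE_ALERTS = """\
03/15-14:22:01.123456  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
03/15-14:22:02.223456  [**] [1:1000002:3] SCAN SYN to SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22
03/15-14:22:02.423456  [**] [1:1000002:3] SCAN SYN to SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44322 -> 198.51.100.6:22
03/15-14:22:03.001000  [**] [1:1000003:2] WEB-ATTACKS /etc/passwd access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80
03/15-14:22:04.500000  [**] [1:1000004:1] DNS zone transfer request [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.53:5353 -> 198.51.100.5:53
03/15-14:22:05.000000  [**] [1:1000004:1] DNS zone transfer request [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.53:5354 -> 198.51.100.5:53
this line is not an alert and must be skipped
"""


def parse_fast_alerts(text):
    """Return one dict per well-formed alert line; anything else is dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        # Assumption for this example: an alert with no [Priority:] tag is treated as low (3).
        a["priority"] = int(a.pop("prio") or 3)
        a["sid"] = int(a["sid"])
        alerts.append(a)
    return alerts


def top_signatures(alerts, n=5):
    """Most frequent rule messages: the distribution RRD-Snort-style reports plot."""
    return Counter(a["msg"] for a in alerts).most_common(n)


def plan_blocks(alerts, threshold=2, max_priority=2, whitelist=()):
    """Choose sources to block the way an active-response tool would.

    A source is blocked when it produced at least `threshold` alerts of
    priority <= `max_priority` (Snort: 1 is most severe) and is not inside
    any whitelisted network. Returns iptables commands as strings.
    """
    safe_nets = [ipaddress.ip_network(n) for n in whitelist]
    per_src = defaultdict(int)
    for a in alerts:
        if a["priority"] <= max_priority:
            per_src[a["src"]] += 1
    cmds = []
    for src, hits in sorted(per_src.items()):
        ip = ipaddress.ip_address(src)
        if hits < threshold or any(ip in net for net in safe_nets):
            continue
        cmds.append(f"iptables -I INPUT -s {src} -j DROP")
    return cmds


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    print("top signatures:", top_signatures(parsed, 3))
    print("blocks, no whitelist:", plan_blocks(parsed))
    print("blocks, DNS net whitelisted:", plan_blocks(parsed, whitelist=("198.51.100.0/24",)))
```

Run it with and without the whitelist and note the difference: the zone-transfer alerts from 198.51.100.53 push your own DNS server over the threshold, so without the whitelist the blocker would DROP it. That is the false-positive "haywire" case the Guardian section warns about, and the reason a whitelist belongs in any active-response configuration.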

Intrusion-management tools

Intrusion-management tools are considered the "whole package." The two tools covered here provide Snort configuration and management tools, reporting and some limited response capabilities. When you don't want to tickle 15 different configuration files, find some marginal Snort graphical utility, and tweak your firewall after every alert, these centralized management consoles are for you.

MIDAS

MIDAS is a centralized cross-platform network monitoring and network intrusion detection server that uses Snort as its base intrusion detection engine. MIDAS stores the raw incoming Snort packet information locally and only sends specific packet information when an alert occurs. MIDAS features centralized configuration management, network monitoring, and built-in RRD graphics support.

As of this writing, MIDAS is still in the alpha development stage, so it has some issues, but it's already shaping up as a solid, centralized intrusion detection server and manager, with nice support for distributed clients. Keep an eye on MIDAS. (We won't make a joke about gold, in case you were holding your breath.)

Demarc PureSecure

PureSecure is the total package when it comes to Snort tools. Integrating the Snort detection engine, PureSecure is a centralized intrusion detection and security suite. PureSecure is also a commercial product. PureSecure combines major aspects of network security into a centralized management console. It uses the Snort IDS engine, a host-based System Integrity Verification system, and an Extensible Service Monitoring system to keep your network security under one all-seeing umbrella. And an all-seeing umbrella is as cool as fried taters.

Looking at one console for all your network security needs is cool unto itself. PureSecure also can generate reports, give you a host-based intrusion detection system, and use that work-pig Snort for the network IDS workload.

PureSecure is only free for non-commercial use.

IDScenter

IDScenter is a graphical front-end for managing Snort, alerts, and network security. IDScenter touts the following features:

  • Provides a centralized console for monitoring Snort alerts, managing rules and configuration files, and distributing updates
  • Generates handy reports in HTML from your SQL database
  • Includes e-mail, audible-alarm, and visual-alarm notifications
  • Allows you to write your own plug-ins for your firewall

The coolest thing about IDScenter is that it's Windows-based! The fact that it's one of the few stable, extensible, and feature-rich centralized Snort consoles available for Windows propels it to "cool" status immediately.
