
Snort Alert Log Reverser

February 9th, 2010

I’ve been using Snort as a host-based IDS on my laptop for quite a while now and rather than expanding my attack surface by installing a database server for logging, I am simply logging to the standard flat file format. In this format all snort alerts are logged to an alert.ids file in the C:/Snort/log directory. In previous instances I’ve just reviewed this log frequently but I’ve had the desire for quite some time to have something a bit more real-time. I’m not sure if I’ve found the best solution, but I’m currently using RainMeter to display the most recent Snort alerts on my desktop.


I did run into one problem which had a solution I think others might be interested in. Snort logs the newest alerts it receives at the bottom of the alert.ids file, which makes gathering the most recent alerts via perl regular expressions a bit of a complicated task. I brought this problem to my analysis team at EWA and Jason Smith, who has just started learning Perl, developed a script that alleviates this problem. The script takes the last alert in the alert.ids file and places it at the top of a new “parsed” file. The second to last alert in the alert.ids file is then placed as the second alert in the parsed file, and so on and so forth. Also, as a bit of expanded functionality the script only grabs the first four lines of every alert which gives the alert name, classification, priority, and basic packet information. This makes for a more condensed and concise output.
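As an added example (not the downloadable snort_parser.zip, which is Perl), here is a Python reimplementation of the approach described above: split alert.ids into alert blocks on blank lines, emit them newest-first, and keep only the first four lines of each. It assumes Snort's default "full" alert layout, with a `[**] [gid:sid:rev] msg [**]` header line and a blank line between alerts; the sample log is constructed.

```python
"""Reverse a Snort flat-file alert log so the newest alert comes first, keeping
only the first four lines of each alert (name, classification and priority,
timestamp and endpoints, protocol header). Added example, not the blog's script."""
import re

# Constructed sample in Snort's "full" alert format: blank lines separate
# alerts and Snort appends the newest at the bottom.
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:1] EXAMPLE older alert [**]
[Classification: Misc activity] [Priority: 3]
02/09-10:15:01.000001 192.0.2.10:4444 -> 198.51.100.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20

[**] [1:1000002:1] EXAMPLE newest alert [**]
[Classification: Misc Attack] [Priority: 1]
02/09-10:17:03.000003 192.0.2.12:1434 -> 198.51.100.5:1434
UDP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:404
Len: 376
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] .* \[\*\*\]$")

def split_alerts(text):
    """Split the log into alert blocks (lists of lines). A block is a run of
    non-blank lines; fragments not starting with a [**] header are dropped."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line.rstrip("\r"))
        elif current:
            blocks.append(current)
            current = []
    if current:  # final alert has no trailing blank line yet
        blocks.append(current)
    return [b for b in blocks if HEADER_RE.match(b[0])]

def reverse_and_trim(text, keep_lines=4):
    """Newest alert first, each cut to its first keep_lines lines."""
    return [b[:keep_lines] for b in reversed(split_alerts(text))]

def parse_file(src, dst):
    """Read alert.ids at src and write the reversed, trimmed copy to dst.
    Returns the number of alerts written."""
    with open(src, encoding="utf-8", errors="replace") as f:
        blocks = reverse_and_trim(f.read())
    with open(dst, "w", encoding="utf-8") as f:
        f.write("".join("\n".join(b) + "\n\n" for b in blocks))
    return len(blocks)
```

Point `parse_file` at C:/Snort/log/alert.ids and the "parsed" output path used by the RainMeter skin; because only the first four lines of each alert are written, a noisy day does not produce a file that grows faster than the original log.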


You can download the script here: snort_parser.zip


As for implementation, I have set up a scheduled task that runs the script every 5 minutes so that the RainMeter on my desktop is updated very frequently. One small issue I noticed was that when this task ran it would pop up a command prompt window momentarily which was quite annoying. In order to combat this I created a VBS script that runs the perl script in the background. Rather than running the perl script, the scheduled task runs the VBS script which calls the perl script as an argument so that the process is invisible to me.


You can download the VBS script here: silent_launcher.vbs


Feel free to download, use, and distribute these files as you see fit.