Simple Snort Monitor

by J. Edward Durrett

A while back, there was a fairly simple piece of software for monitoring Snort alerts called BASE - Basic
Analysis and Security Engine. Although it was easy to set up and provided a nice window into what Snort is doing,
the code has not been maintained since 2010 [1]. I especially liked it because it was lightweight and did not
consume many resources. For sure, SIEMs like OSSIM offer far more features and, especially for larger deployments,
make a lot more sense.

I toyed with the idea of updating the BASE code to PHP7, but decided that I preferred to have something that would
do exactly what I wanted while consuming minimal resources. The result is available at this github page or in plain text here.

The usage is straightforward:

./  alerts

This brings you to an alert summary which, depending on your environment of course, looks something like this:

177 [124:1:1] (smtp) Attempted command buffer overflow: more than 512 chars  
175 [139:1:1] (spp_sdf) SDF Combination Alert  
136 [1:2403378:3316] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 40  
115 [1:2403440:3316] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 71  
112 [129:5:1] Bad segment, adjusted size <= 0  
111 [1:2402001:4345] ET DROP Dshield Block Listed Source group 1  
 77 [1:2002087:10] ET POLICY Inbound Frequent Emails - Possible Spambot Inbound 
Options: alert (d)etail | show (s)tats | (q)uit:

Choosing the d option shows the detail of an alert (I obfuscated the IPs for this posting):

[**] [129:5:1] Bad segment, adjusted size <= 0 [**] 
[Classification: Potentially Bad Traffic] [Priority: 2] 
03/06-19:18:53.219089 -> 
TCP TTL:112 TOS:0x0 ID:2619 IpLen:20 DgmLen:41 DF 
***A**** Seq: 0xD5BB074C  Ack: 0x4F8283BA  Win: 0x100  TcpLen: 20 
See full (p)acket or (r)eturn or (q)uit:

And choosing p reveals the packets that caused the alert:

0x0000:  0016 3f21 a460 0016 3f21 9e00 0800 4500  ................ 
0x0010:  0028 9e87 4000 3306 50a3 ca5c 85fd cc6d  .(..@.3.P..\...m 
0x0020:  3bde e316 01bb 575a b4be 0000 0000 5004  ;.....WZ......P. 
0x0030:  0000 6650 0000   

This makes setting up and tuning a new Snort instance fairly simple. It is not a full packet analysis suite;
for deep analysis, loading a full packet capture into Wireshark is obviously the preferred method.


Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.