SnortAlog on OSX


Revision as of 16:48, 13 November 2009

Since I've moved completely from my Debian laptop to a MacBook I needed to migrate SnortAlog too. It's an extremely useful tool for analysing the logs collected from my Cisco ASA device.

Here are some brief notes on what I did to make it run on my MacBook under Leopard.

I'm using MacPorts on my Mac to help me get the usual set of OSS tools I'm used to, so it will spin around Perl 5.8.9 installed from ports.

First, let's see what's required, from the SnortAlog requirements:

 Please to check out the perl prerequisites libraries for :
 Generate Charts :

 GD-1.19.tar.gz for Gif charts or your own release
 GDGraph-1.39.tar.gz
 GDTextUtil-0.85.tar.gz
 
 Generate PDF report :

 htmldoc-1.8.23-source.tar.gz
 HTML-HTMLDoc-0.07.tar.gz

I skipped the UI bit and the WhoIs library intentionally, as I don't really use either and the script works just fine without it.

So, first I installed htmldoc from MacPorts:

$ sudo port install htmldoc

Then I installed the required perl modules (GD, GD::Graph, HTML::HTMLDoc) from the CPAN shell of the MacPorts perl, like this:

$ sudo /opt/local/bin/perl -MCPAN -e shell
cpan[1]> install GD
cpan[2]> install GD::Graph
cpan[3]> install HTML::HTMLDoc

Note: the file /tmp/asa.log.13112009 holds the logs I collected over the last 24-hour period from my ASA, which sends them to syslog. Mind you, there is one thing you need to do before you feed it to snortalog. It doesn't know how to process entries from an ASA, but it knows how to handle PIX. So, my little workaround is to replace %ASA with %PIX throughout the log file. Your typical log entry looks like this:

Nov 12 18:56:04 172.17.164.1 %ASA-6-302013: Built inbound TCP connection ....

The line snortalog expects would look like this:

Nov 12 18:56:04 172.17.164.1 %PIX-6-302013: Built inbound TCP connection ....

All you need is a bit of sed magic:

$ sed -e 's/%ASA/%PIX/g' /tmp/asa.log.13112009 > /tmp/asa.log.13112009_ && mv /tmp/asa.log.13112009_ /tmp/asa.log.13112009

Then I just go into the directory where I have my snortalog script installed and run the usual command to give me a report in PDF format:

./snortalog.pl -file /tmp/asa.log.13112009 -report -o /tmp/asa.log.13112009.pdf

Note: make sure the shebang line at the top of the script points to the correct perl binary. In my case (perl installed from MacPorts) it's /opt/local/bin/perl.
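As an added example (not part of the original notes, and not SnortAlog's own code), here is the same %ASA to %PIX rewrite wrapped in a small POSIX shell script. It anchors the substitution to the syslog message-ID tag (%ASA-severity-id:) instead of any "%ASA" text, counts lines that were left unconverted so you can check the result before handing the file to snortalog, and does the in-place rewrite through a temp file exactly as the notes do. The function names (asa_to_pix, count_unconverted, convert_log_file) and the sample log lines are constructed for this example; the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample of ASA syslog lines for the example (not real captures).
# The last line is already in PIX form, to show it is passed through unchanged.
SAMPLE_LOG='Nov 12 18:56:04 172.17.164.1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/51234 (192.0.2.10/51234)
Nov 12 18:56:05 172.17.164.1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.0.2.10/22 by access-group "outside_in"
Nov 12 18:56:06 172.17.164.1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/443 to inside:192.0.2.10/51234 duration 0:00:01 bytes 4410 TCP FINs
Nov 12 18:56:07 172.17.164.1 %PIX-6-302013: Built inbound TCP connection 12346 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/51235 (192.0.2.10/51235)'

# Rewrite the ASA message-ID tag (%ASA-<severity>-<id>:) to the PIX form that
# SnortAlog parses. Matching the whole tag, rather than the bare string %ASA,
# means an "%ASA" that happens to appear inside a message body is left alone.
# Reads stdin, writes stdout. Uses only basic-regex features that both GNU and
# BSD/macOS sed support.
asa_to_pix() {
    sed -e 's/%ASA-\([0-7]\)-\([0-9][0-9]*\):/%PIX-\1-\2:/'
}

# Print the number of lines on stdin that still carry an %ASA tag.
# grep -c exits 1 when the count is 0, so force a zero exit status.
count_unconverted() {
    grep -c '%ASA-[0-7]-[0-9][0-9]*:' || true
}

# Convert a log file in place via a temp file, as in the notes above.
# A temp file is used instead of sed -i because the -i syntax differs
# between GNU sed and the BSD sed shipped with macOS.
convert_log_file() {
    f="$1"
    asa_to_pix < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Stand-alone demo: convert the sample and report what is left over.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | asa_to_pix
    printf 'unconverted lines: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | asa_to_pix | count_unconverted)"
fi
```

Run it with `--demo` to see the converted sample, or source it and call `convert_log_file /tmp/asa.log.13112009` before the snortalog.pl step. If count_unconverted reports anything other than 0 on the converted file, the log contains tags in a shape the pattern does not cover, and those lines will be skipped by snortalog rather than counted.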

That should be it.
