Snort Related Files


January 5, 2001
VERSION 1.7 RELEASED!

Snort-1.7 Source Code

Snort-1.7 binary RPM

Snort-1.7 source RPM

Download Snort-1.7 for Solaris

Snort-1.7-win32 Binary (Standard)

Snort-1.7-win32 FlexRESP Binary

Snort-1.7-win32 MySQL Binary

Snort-1.7-win32 Source Code
 
 
Requirements:

You MUST have libpcap installed in order to use Snort!  It is available at ftp://ftp.ee.lbl.gov/libpcap.tar.Z

Some operating systems (e.g. all the BSDs) come with libpcap already installed; check whether you already have it before grabbing it from LBL!

If you want to use the flexible response (FlexRESP) code, you also need to install Libnet.


 

Rules language

Preprocessors Detection Plugins Output Plugins Command Line Packet Printout Bug fixes/tweaks Documentation

Older versions of Snort
 
 
Snort 1.6.3
  Source Tarball: snort-1.6.3-patch2.tar.gz
  Win32 Source: snort-1.6.3-win32-source.zip
  Win32 Binary: snort-1.6.3-win32-static.zip
  Solaris Package: snort-1.6.3-sol-2.6-sparc-local
  Source RPM: snort-1.6.3-2.src.rpm
  Binary RPM: snort-1.6.3-1_chroot.src.rpm

Snort 1.6
  Source Tarball: snort-1.6.tar.gz
  Win32 Source: snort-1.6-win32-source.zip
  Win32 Binary: snort-1.6-win32-static.zip
  Solaris Package: snort-1.6-sol2.tar
  Source RPM: snort-1.6-0.src.rpm
  Binary RPM: snort-1.6-0.i386.rpm


Snort.org Rulesets: Offline

Snortfull.conf - Newest ruleset release (01-25-2001)

--Individual Rules by Type-- Updated 01/25/2001

  Backdoor_Activity
  Backdoor_Attempts
  Backdoor_sig_based
  DDoS
  High false Rules
  Exploits
  Finger
  FTP
  ICMP
  Misc
  Netbios
  RPC
  Scans
  SMTP
  Telnet
  Virus
  Web-cgi
  Web-ColdFusion
  Web-FrontPage
  Web-IIS
  Web-Misc

Newest Beta Rules - updated 01/25/2001


Snort 1.6 Contributions:
 
 
Tool / Version / Description / Author

Snort-panel, v1.0 build 10
  Win32 GUI front end for the Win32 version of Snort.
  Author: Xato Network Security, Inc

address_config.sh, v0.2
  Handy script for laptop users that change their IP address frequently. This automates the process of updating your Snort rules file.
  Author: Sten Kalenda Apeldoorn

Dupl, v0.1.7
  Snort rules beautifier; removes duplicate rules from snort rules files.
  Author: Norz.org

Guardian, v1.0
  Guardian watches the output from Snort and uses ipchains to deny any further packets from the attacker from getting to the system.
  Author: Anthony Stevens

snort_stat.pl, v1.3
  Perl script that provides a statistical analysis of syslog alerts produced by Snort.
  Author: Yen-Ming Chen

snort2html, v1.1
  Generates web pages from snort alerts.
  Author: Danial Swan

Snortnet, beta
  Distributed logging for Snort.
  Author: Fyodor Yarochkin

snort-sort.pl, v0.02
  This script produces a sorted list of snort alerts from a snort alert file.
  Author: Andrew Baker

snortwatch, v0.7
  This is a little tool to help keep track of alerts generated by Snort. I've mostly tested snortwatch against version 1.5.x of snort, and although the output of 1.6 seems very similar, if not to say identical, there may still be some type of alert I haven't come across that could throw off the parsing.
  Author: Yves Perrenoud

RotateLogs, v1
  This script is used to back up and then destroy log files by backing them up (optional) and then removing them.
  From Nick: "This is not as complete and has little error checking. A complete version is in the works with a lot more functionality...believe me."
  Author: Nick Rogness

SnortSnarf, v111500.1
  This program creates a set of HTML pages to allow you to quickly and conveniently navigate around output files of the Snort intrusion detection system.
  Author: Silicon Defense

snort_log_rotate, v1
  Logfile rotation script for snort.
  Author: Jim O'Gorman

IDMEF XML plugin, Beta
  Beta XML output plugin that produces IDMEF formatted logs.
  Author: Silicon Defense

ACID, v0.9.5b9
  ACID is a PHP-based analysis engine to search and process a database of security incidents generated by the NIDS Snort.
  Author: Roman Danyliw/Jed Pickel, AIRCERT Project

snortlog, v1
  Syslog analysis script.
  Author: Angelos Karageorgiou

snort_cleandb.pl, v1.7
  This script goes through the database and deletes the oldest entries to make room for more fun. Only works w/ postgresql right now but should be trivial to make work w/ other db's.
  Author: Chris Green

hog-vim, v1
  Adds syntax highlighting for Snort rules to the best editor in the world, vim.
  Author: Phil Wood

ruleset-retrieve, v1
  Obtains ruleset from www.snort.org or whitehats.com and inserts your ip address into appropriate areas. Starts snort -c <ruleset> -D.
  Author: Vacuum

Snorticus, v1.0.3
  Snorticus is a collection of shell scripts designed to allow easy management of Snort sensors. It allows you to routinely collect Snort sensor data, analyze the data via SnortSnarf, and easily maintain rule files.
  Author: Paul Ritchey

IDScenter, v1.08
  IDScenter is a tool for setting up SNORT for Win32.
  Author: Ueli Kistler

Getcontact, v1
  Perl script to pull contact information out of snort_portscan.log files. The program looks up the source ip numbers in the various registry databases and outputs the email address with the relevant portion of the log.
  Author: Robin Stubbs

LogSnorter, v0.1
  This perl script scans syslog messages (typically in real-time), picks up any "reject packet" messages generated by Ciscos or Linux ipfw/ipchains and logs them into your central Snort SQL database. This allows you to "expand" the reach of snort without having to put snort out into weird areas - like in front of your perimeter router/firewall...
  Author: Jason Haar

WinSnort2HTML, v1 (downloads: with VB5 runtime libraries; without VB5 runtime)
  This first utility is WinSnort2Html, which takes the alert log files and parses them into an HTML page. Since it is written in Visual Basic, the program requires VB 5.0 or later runtime libraries. The program runs on Windows 95/98/NT4/2000. There are two download links; one includes the VB 5 runtime libraries and the other does not. Please check the readme file, which contains some important information about configuring Snort to work with WinSnort2Html. WinSnort2Html is based on the perl script snort2html by Dan Swan.
  Author: Chris Koutras

Girr, v1
  GIRR - Guardian IP-Chains Rules Remover. GIRR is a script which can be used along with Guardian and snort. When Guardian is run along with snort, it starts blocking IP addresses using ipchains. This is good when the sysadmin is not near the server or when he is away and no one else knows what to do. The ipchains rules list may become huge and unmanageable. This script helps sysadmins to remove the ipchains rules. Removing the rules should not be a problem, since if the hacker tries the same attack again he gets blocked again.
  Author: Mahendra


"Quick and Simple" Log Rotation  - Author: Eric Nevalainen
#!/bin/sh
# Move the live file aside before compressing it, so alerts written in between are not lost.
ALERT=/var/log/snort.alert
ROTATED=$ALERT.`date "+%m%d%y"`
mv "$ALERT" "$ROTATED" && touch "$ALERT"
gzip -9 -c "$ROTATED" >> "$ROTATED.gz" && rm "$ROTATED"
# Snort keeps the renamed file open, so restart snort afterwards so new alerts land in the new file.


From Bill Richardson
Great bash script to be run as a cron job....

#!/bin/sh
# Run from cron; does nothing unless snort has written /sniff/alert since the last run.
if [ -f "/sniff/alert" ] ; then
        cat /sniff/alert | mail -s "From-ServerName-Snort-Alert" youremail@domain.com moremail@domain.com
        cat /sniff/alert >> /sniff/full-alert
        cat /sniff/whoami >> /sniff/alert
        cat /sniff/alert | smbclient -M workstation1
        cat /sniff/alert | smbclient -M workstation2
        rm -f /sniff/alert
fi

The first line looks for the alert file, in this case in the /sniff directory; if it is present, it pipes the contents to mail.
The -s is the subject, and you can add as many email addresses as you like.

The second line takes the alert file and adds it to a file called full-alert ("you can call this what you want").
The full-alert file in this case will have a copy of all alerts.

The third line takes the contents of the file whoami ("this is a text file that contains the name of the server running snort") and adds it on to the end of the alert file. Now you can see which Snort server the message came from....

Lines four and five send the contents of the alert file + the server name that came from the whoami file to whatever box will take a winpopup message. Just add more lines for every workstation that you want to see the popups.

Line six deletes the alert file. Now when your cron job runs every "x" minutes, IF and only IF the alert file is present will you get email and a winpop message.

With snort I could not get the alert file to do more than one thing. I could send alerts via SMB, or to the alert file, but not both. Now I can do both plus e-mail.


From Craig Smith

Net-SnortLog-0.1.tar.gz | PassiveOS.tar.gz

Craig Smith has finished writing both the Passive OS detection for snort (log_dir and alert file) and a Perl module for manipulating snort log files. The perl module (Net::SnortLog) has a few different functions:

It can gather a list of files from the log_dir and put them into an array for you (like all TCP files).
It can parse a snort log file into a special data structure (either an alert file or one from the above function).
It can use the next_pkt function to analyze packet by packet with a structure like:

$packet->{SRCIP}
$packet->{DSTIP}
$packet->{DATA}
etc...

It should detect almost every part that is logged by snort with just about any option at any layer (not -C). But you don't have to worry much about the options from a programmer's standpoint: it will figure out what options were used. Hopefully this will make it easier for some of the other perl developers for Snort to start making reports on the log_dir as well as the alert file.
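The alert-file parsing that Net::SnortLog's next_pkt does, and that report tools like snort-sort.pl and snort_stat.pl above depend on, is shown in the following added example. It is not code from this page, from Craig Smith's module or from the Snort project. It reads a Snort 1.x full-format alert file (the `[**] message [**]` header line, the timestamp/address line, the IP header summary line and, for TCP, the eight-character flag line) into one dictionary per alert with SRCIP/DSTIP/DATA-style keys, and then counts alerts per field value the way the sorting and statistics scripts do. The sample alert text embedded in the block is constructed for the example, not a real capture; the field names and the layout of the ICMP lines are assumptions about what snort wrote at the time.

```python
"""Parse Snort 1.x full-format alert files into per-alert records.

Added example; not code from snort.org, Net::SnortLog or the Snort project.
"""
import re
from collections import Counter
from typing import Any, Dict, Iterable, Iterator, List

# Constructed sample in the Snort 1.x "full" alert format. The hosts, times and
# rule names are made up for this example; this is not a real capture.
SAMPLE_ALERT_FILE = """\
[**] SCAN-SYN FIN [**]
01/25-14:12:15.123456 10.0.0.1:1234 -> 192.168.1.5:80
TCP TTL:64 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] ICMP PING NMAP [**]
01/25-14:12:16.000001 10.0.0.2 -> 192.168.1.5
ICMP TTL:46 TOS:0x0 ID:3 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0  Seq:0  ECHO

[**] WEB-MISC /etc/passwd [**]
01/25-14:12:17.500000 10.0.0.1:1235 -> 192.168.1.5:80
TCP TTL:64 TOS:0x0 ID:39427 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x400  TcpLen: 20
"""

# "[**] rule message [**]" starts every alert.
_HEADER_RE = re.compile(r"^\[\*\*\]\s*(.*?)\s*\[\*\*\]\s*$")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"; ports are absent for ICMP.
_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
_PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+" + _IPV4 + r"(?::(\d+))?"
    r"\s+->\s+" + _IPV4 + r"(?::(\d+))?\s*$"
)
# "PROTO TTL:n TOS:0xn ID:n ..." IP header summary.
_IPHDR_RE = re.compile(r"^([A-Z]+)\s+TTL:(\d+)\s+TOS:(0x[0-9A-Fa-f]+)\s+ID:(\d+)")
# TCP flag byte rendered as eight characters, e.g. "***AP***" or "******S*".
_FLAGS_RE = re.compile(r"^([*12UAPRSF]{8})\s+Seq:")


def iter_alerts(lines: Iterable[str]) -> Iterator[Dict[str, Any]]:
    """Yield one dict per alert, packet by packet (cf. Net::SnortLog's next_pkt).

    Keys: MSG, TIMESTAMP, SRCIP, SRCPORT, DSTIP, DSTPORT, PROTO, TTL, TOS,
    IPID, FLAGS (TCP only) and DATA (any remaining lines, kept verbatim).
    """
    rec: Dict[str, Any] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = _HEADER_RE.match(line)
        if m:
            if rec:
                yield rec
            rec = {"MSG": m.group(1), "DATA": []}
            continue
        if not rec:
            continue  # text before the first header belongs to no alert
        m = _PACKET_RE.match(line)
        if m:
            ts, sip, sport, dip, dport = m.groups()
            rec.update(
                TIMESTAMP=ts,
                SRCIP=sip,
                SRCPORT=int(sport) if sport else None,
                DSTIP=dip,
                DSTPORT=int(dport) if dport else None,
            )
            continue
        m = _IPHDR_RE.match(line)
        if m:
            rec.update(PROTO=m.group(1), TTL=int(m.group(2)),
                       TOS=int(m.group(3), 16), IPID=int(m.group(4)))
            continue
        m = _FLAGS_RE.match(line)
        if m:
            rec["FLAGS"] = m.group(1)
            continue
        if line.strip():
            rec["DATA"].append(line)
    if rec:
        yield rec


def parse_alert_file(text: str) -> List[Dict[str, Any]]:
    """Parse a whole alert file (as one string) into a list of alert dicts."""
    return list(iter_alerts(text.splitlines()))


def count_by(alerts: Iterable[Dict[str, Any]], key: str) -> Dict[str, int]:
    """Count alerts per value of one field, e.g. key="SRCIP" or key="MSG"."""
    return dict(Counter(str(a.get(key)) for a in alerts))


if __name__ == "__main__":
    alerts = parse_alert_file(SAMPLE_ALERT_FILE)
    for a in alerts:
        print(a["TIMESTAMP"], a["PROTO"], a["SRCIP"], "->", a["DSTIP"], a["MSG"])
    print("alerts per source:", count_by(alerts, "SRCIP"))
```

Because iter_alerts consumes a line iterator, it can be pointed at an open file handle and walk a large alert file without loading it all into memory; anything a record contains that the parser does not recognise is kept in DATA rather than dropped, so an unexpected line shape (the case the snortwatch author worries about above) is visible instead of silently lost.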