Protos Tools: Pig Sentry

Pig Sentry

Latest Version: 1.2 released 21-Jan-2002

Pig Sentry is a lightweight script which is run against a Snort alert log. This tool is also available at snort.org. ACID, SnortSnarf and other reporting utilities are very nice for after-the-fact perusal, but not for up-to-the-minute information. Pig Sentry is for real-time alerts, without getting spammed. It is intended for a high volume of alerts (the site it was implemented for sees 200,000 to 300,000 alerts a day).

Pig Sentry works by maintaining a state table of recent alerts. It sends a notice when a new alert appears, or when there is an increase in the general trend or pattern of existing alerts. The trend notification is fairly configurable. It also expires alerts after there has been no activity for them for a while.

Pig Sentry also checkpoints its state information to a file periodically and when it exits, and this same state store file is loaded when it starts up, so it can easily be rolled into a log rotation mechanism. The store file is not horribly readable, but is somewhat useful to peek at if you want to know the current profile of alerts on your site.
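Pig Sentry's own Perl source is not reproduced on this page, so the following is an added Python example, not the project's code, that sketches the state table, the median-based trend check with baseline bump and throttle, the expiry, and the checkpoint store described above. It assumes the Snort full-format alert header layout "[**] [gid:sid:rev] Signature [**]", reads --threshold-alert and --threshold-warn as multiples of the median baseline (which makes the defaults of 10 and 5 agree with the 1221% alert and 566% warn in the sample output), reports the percentage increase over the median, and uses a JSON checkpoint format and made-up sid numbers; all of those are assumptions, not facts about Pig Sentry.

```python
import json
import re
import statistics
import tempfile
from collections import defaultdict

# Snort "full" alert output opens each record with a header "[**] [gid:sid:rev]
# Signature name [**]" (an assumption about the format); state is keyed on the name.
SIG_RE = re.compile(r'^\[\*\*\] \[\d+:\d+:\d+\] (?P<sig>.+?) \[\*\*\]$')

def signature_of(line):
    """Return the signature name from a full-format alert header, else None."""
    m = SIG_RE.match(line.strip())
    return m.group('sig') if m else None

class PigState:
    """State table of recent alerts: trend notices, throttling, expiry, checkpointing.
    Defaults mirror --help; thresholds are read as multiples of the baseline (assumed)."""
    def __init__(self, retention=12, baseline_bump=1.5, threshold_alert=10,
                 threshold_warn=5, warn_throttle=601, state_expire=86400):
        self.retention, self.bump, self.throttle = retention, baseline_bump, warn_throttle
        self.t_alert, self.t_warn, self.expire = threshold_alert, threshold_warn, state_expire
        self.hist = {}                   # sig -> per-interval hit counts, oldest first
        self.current = defaultdict(int)  # sig -> hits in the interval now open
        self.last_seen, self.last_notice = {}, {}  # sig -> time of last hit / notice

    def feed(self, sig, now):
        """Count one hit; a signature never seen before is itself a notice."""
        notice = None
        if sig not in self.hist:
            self.hist[sig] = []
            notice = 'alert: New event: ' + sig
        self.current[sig] += 1
        self.last_seen[sig] = now
        return notice

    def close_interval(self, now):
        """Run once per --poll: expire idle signatures, then compare the interval
        just ended with the median of the retained earlier intervals."""
        notices = []
        for sig in list(self.hist):
            if now - self.last_seen[sig] > self.expire:
                for table in (self.hist, self.last_seen, self.last_notice, self.current):
                    table.pop(sig, None)
                continue
            last, earlier = self.current.pop(sig, 0), self.hist[sig]
            if earlier:
                median, last_cmp = statistics.median(earlier), last
                # --baseline-bump: lift a tiny baseline and the new count by the same
                # amount, so a quiet signature cannot divide by zero or blow up a small blip
                if median < self.bump:
                    median, last_cmp = median + self.bump, last + self.bump
                ratio = last_cmp / median
                level = ('alert' if ratio >= self.t_alert
                         else 'warn' if ratio >= self.t_warn else None)
                prev = self.last_notice.get(sig)
                if level and (prev is None or now - prev >= self.throttle):
                    pct = int(round((ratio - 1) * 100))  # increase over the median
                    notices.append(f'{level}: Trend increase of {pct}% for {sig}')
                    self.last_notice[sig] = now
            earlier.append(last)
            del earlier[:-self.retention]            # keep --retention intervals
        return notices

    def checkpoint(self, path):  # write the state table to disk (periodically and at exit)
        with open(path, 'w') as fh:
            json.dump({'hist': self.hist, 'current': dict(self.current),
                       'last_seen': self.last_seen, 'last_notice': self.last_notice}, fh)

    def restore(self, path):  # reload a checkpoint so a restart keeps the alert profile
        with open(path) as fh:
            saved = json.load(fh)
        self.hist, self.last_seen, self.last_notice = (
            saved[k] for k in ('hist', 'last_seen', 'last_notice'))
        self.current = defaultdict(int, saved['current'])

def run_demo(poll=300):
    """Constructed scenario (gid:sid:rev values are made up): a quiet ICMP baseline,
    a burst, a throttled second burst, a new signature, a checkpoint round trip,
    then expiry of the ICMP entry once it has gone idle."""
    icmp = signature_of('[**] [1:100:1] MISC Large ICMP Packet [**]')
    web = signature_of('[**] [1:200:1] WEB-IIS encoding access [**]')
    st, notices, now = PigState(), [], 0
    # twelve quiet intervals of 10 hits, then 13.2x (alert) and 7x (warn, throttled)
    for count in [10] * 12 + [132, 70]:
        notices += [n for n in [st.feed(icmp, now) for _ in range(count)] if n]
        now += poll
        notices += st.close_interval(now)
    notices.append(st.feed(web, now))            # brand-new signature
    with tempfile.NamedTemporaryFile(suffix='.pigstate') as tmp:
        st.checkpoint(tmp.name)
        copy = PigState()
        copy.restore(tmp.name)
    restored_ok = copy.hist == st.hist and copy.last_seen == st.last_seen
    now += st.expire                             # ICMP idle past --state-expire
    st.feed(web, now)                            # the web signature stays active
    notices += st.close_interval(now + 1)
    return notices, restored_ok, sorted(st.hist)
```

In use, each header line read from "tail -f" goes through signature_of() and feed(); close_interval() runs every --poll seconds, checkpoint() every --state-checkpoint seconds and at exit, and restore() at startup is what lets a log-rotation wrapper restart the process without losing the current alert profile. The second burst in run_demo() shows why --warn-throttle should exceed twice the poll interval: a spike that keeps climbing would otherwise produce a notice at every poll.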

Details

It was written to work against the Snort 1.8.1 release, with full log output (sorry!). It should be easy to fix this; I just haven't had the inclination (since we only use full output on all our Snort IDSs).

It is also written in Perl, and is available under the GPL license.

Anybody wishing to make changes can send me updates via email.

Sample Output

[Tue Oct  2 03:13:25 2001] alert: Trend increase of 1221% for MISC Large ICMP Packet
[Tue Oct  2 04:19:27 2001] alert: New event: WEB-IIS encoding access
[Tue Oct  2 04:31:32 2001] alert: New event: WEB-FRONTPAGE fourdots request
[Tue Oct  2 06:56:50 2001] alert: New event: BACKDOOR NetMetro Incoming Traffic
[Tue Oct  2 10:16:08 2001] alert: New event: WEB-IIS view source via translate header
[Tue Oct  2 10:47:56 2001] warn: Trend increase of 566% for ICMP redirect net

Documentation

It is a small script; most functionality is now available from the command line, described with --help:

PigSentry 1.2, Usage:

  pigsentry [ options ]

General Options:

  -l {log}   Specify logfile to monitor, default STDIN.  Can also use
             --logfile={log}
  -t {path}  where to store temp files? default tries /var/run then
             current directory.  Can also use --tmpdir={path}.
  -m {addrs} Deliver notices via email to {addrs}, not STDOUT.  Can also
             use --mail={email}
  --mailbin={mailer}
             What to use to send mail, default=mail
  -d         Daemon mode, will fork process. *Must* be used with
             logfile option other than STDIN.  Can also use --daemon
  -s         Send notices also to syslog.  Can also use --syslog
  -k         Kill a daemon process (previously spawned with "-d"),
             can also use --kill
  -h         Show this help.

Trend Options:

  --warn-throttle={seconds}
             How long since last trend alert, before sending a new one?
             It is probably best to have this greater than double the
             trend poll interval, default=601 secs
  --baseline-bump={x}
             If the median is less than this, lift both the median and
             last hits up by this amount, then figure percentages.  Do
             not set to zero (div/0 errors).  It is not recommended
             setting this below 1, default=1.5
  --threshold-alert={x}
             Alert on a % spike over average, default=10
  --threshold-warn={x}
             Warn on a % spike over average, default=5
  --poll={seconds}
             How many seconds between trend intervals?  default=300
  --retention={x}
             How many intervals to keep in the trend; stretching this may
             decrease notices.  default=12
  --state-checkpoint={seconds}
             How often to checkpoint state table to disk, default=300
  --state-expire={seconds}
             How long does data stay in state table, default=86400

Usage Examples:

  Basic syntax:
        tail -f /var/log/snort/alert | pigsentry

  Daemon mode, also sending notices via email:
        pigsentry -l /var/log/snort/alert -m somebody@domain.com

  Kill a previously launched pigsentry:
        pigsentry -k

Download

pigsentry version 1.2, released 21-Jan-2002
Changes since 1.1 (by Roberto Suarez Soto and Brandon)
  • Option handling (Roberto and Brandon)
  • Added log to syslog option (Roberto)
  • Added log to mail option (Roberto)
  • Added daemon mode option (Roberto)
  • Cleaned up handling of temp files, option to specify from command line
  • Added options for trend management (Brandon)
pigsentry version 1.1, released 02-Oct-2001
Changes since 1.0:
  • pigstate file is not backwards compatible, sorry...
  • improved the trend handling bits
  • classified notification into alert and warn status.
  • a throttle for a rapidly increasing spike to send less notifies
  • a pidfile manager
  • added an example notify hook for sending email
pigsentry version 1.0, released 26-Sep-2001
rotate-pigsentry, released 02-Oct-2001
What I used to fire off pigsentry each day and log to a file. It works in FreeBSD (my system also does a nightly rotate of the snort logs).

Copyright © 2004, Protos LLC