I'm working on a task where my security team is asking me to provide a pcap file from the folder /var/log/snort. They have picked up a source IP address from an alert file and they need to do more analysis on the pcap files (i.e. snort.log.xxxxxxx) for that source IP address.
The alert file and snort.log.xxxxx files are in the same folder. How do I give them the exact snort.log.xxxxx file for the analysis? Please give me some commands or any technique to do this. I am very new to this field; I am handling the Linux machine (CentOS 7) where Snort is dumping the logs.
1 Answer
Like you said, by default, Snort will log two ways:
- alert file - Contains alert metadata in text format
- snort.log.########## - PCAP of the packet(s) that triggered the alert
The way I would go about doing this (with only basic Linux bash commands) would be:
The single alert approach
To find alert entries:
Search the alert file. You can search by IP address or by alert name using grep.
    grep "PATTERN" /var/log/snort/alert

A typical log entry line would look like:

    01/04-03:28:11.959559 [**] [1:1000001:1] Signature_Name [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.1:80 -> 192.168.1.128:39590

To find the corresponding PCAP file:
Then, to figure out which file was written, you can either look at the modified times in a long directory listing (ls -l), or you can convert the timestamp (don't forget to add the year and put a space between the date and time) to epoch time using the following command:
    date "+%s" -d "01/04/2018 03:28:11.959559"

Output:

    1515054491

Then look for a file called snort.log.1515054491. That should contain the PCAP data.
If you need multiple logs for one IP address
This is the sledgehammer approach. If they want entries from both files only pertaining to a single IP address, this is what I would do:
Alert file entries
Grep for the IP address and then write output to a separate file.
    grep "192.168.1.1" /var/log/snort/alert > /tmp/alerts_192.168.1.1.txt

That should just filter on only lines where the IP address appears and redirect it to a new file that you can provide the security team.
PCAP files
I would exercise caution in doing this since the snort log directory may be very large and iterating over a large group of files could put strain on a system (especially if it's a sensor with a very high traffic volume). I would recommend using a file mask for an approximate time frame for the data you are looking for. Keep in mind, this time frame needs to be in epoch format.
Say the team wants everything from now going back an hour ago (3600 seconds). Epoch timestamp is 1515054491. Subtract 3600 from that and you get 1515050891.
1515050891 - Start
1515054491 - End
151505???? - File mask (close enough)

I would then create a for loop to iterate through all of those files and perform a tcpdump command to filter only on the IP address in question.

    tcpdump -r infile -w outfile "BPF"

The options:
- -r is for read from a file (as opposed to starting a live capture from an interface)
- -w is for write output to a file
- "BPF" - Berkeley packet filter (In this case, it would be "host 192.168.1.1" to specify any packets with that IP.)
And now, the for loop:
    cd /var/log/snort
    for file in snort.log.151505????
    do tcpdump -r "$file" -w "/tmp/$file" "host 192.168.1.1"
    done

And now, you should have a copy of all of your alert files in the /tmp folder, but only with data pertaining to that specific IP address. If you have mergecap installed, I would recommend combining all of these into a single PCAP file using the following:

    mergecap -w /tmp/snort_log_192.168.1.1.pcap /tmp/snort.log.*

You should now have two files in /tmp:
- /tmp/alerts_192.168.1.1.txt
- /tmp/snort_log_192.168.1.1.pcap
Then, provide those files to your security team.
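The timestamp-to-file lookup from the single-alert approach, scripted as an added example (this is not code from the answer above): it greps the alert file for one IP, converts each alert timestamp to epoch seconds, and picks the snort.log.<epoch> file whose suffix is the latest one at or before that time, which covers the exact-match case in the answer as well as a log file that Snort opened earlier and was still appending to. It assumes GNU date and the default alert/snort.log.<epoch> naming; `demo` builds a constructed stand-in for /var/log/snort in a temp directory.

```shell
# Added example, not from the original answer. Assumes GNU date and the default
# Snort naming described in the answer (text "alert" file plus snort.log.<epoch> pcaps).

# Convert an alert timestamp such as "01/04-03:28:11.959559" to epoch seconds.
# Snort omits the year, so it is passed in (default: the current year).
alert_ts_to_epoch() {
    local ts="$1" year="${2:-$(date +%Y)}"
    local md="${ts%%-*}" hms="${ts#*-}"
    date "+%s" -d "${md}/${year} ${hms%.*}"
}

# Print the snort.log.* file whose epoch suffix is the largest one not after $2.
# Snort names a pcap by the time it opened it and appends until it rolls over.
find_snort_log() {
    local dir="$1" epoch="$2" best="" f suffix
    for f in "$dir"/snort.log.*; do
        suffix="${f##*.}"
        case "$suffix" in ''|*[!0-9]*) continue ;; esac    # also skips an unmatched glob
        if [ "$suffix" -le "$epoch" ] && { [ -z "$best" ] || [ "$suffix" -gt "${best##*.}" ]; }; then
            best="$f"
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# For every alert line mentioning $1 (whole-field match, so 192.168.1.1 does not
# also match 192.168.1.10), print "<alert timestamp> <pcap file>".
pcaps_for_ip() {
    local ip="$1" alert_file="$2" log_dir="$3" year="$4" line ts epoch
    grep -F -w -- "$ip" "$alert_file" | while IFS= read -r line; do
        ts="${line%% *}"
        epoch="$(alert_ts_to_epoch "$ts" "$year")"
        printf '%s %s\n' "$ts" "$(find_snort_log "$log_dir" "$epoch")"
    done
}

# Constructed stand-in for /var/log/snort: two alert lines and two (empty) pcaps,
# one opened at 03:00 and one at 04:00 on the same day.
demo() {
    local d; d="$(mktemp -d)"
    cat > "$d/alert" <<'EOF'
01/04-03:28:11.959559 [**] [1:1000001:1] Signature_Name [**] [Priority: 1] {TCP} 192.168.1.1:80 -> 192.168.1.128:39590
01/04-05:10:00.000001 [**] [1:1000002:1] Other_Sig [**] [Priority: 2] {TCP} 192.168.1.10:443 -> 192.168.1.128:40000
EOF
    touch "$d/snort.log.$(alert_ts_to_epoch 01/04-03:00:00.000000 2018)" \
          "$d/snort.log.$(alert_ts_to_epoch 01/04-04:00:00.000000 2018)"
    pcaps_for_ip 192.168.1.1 "$d/alert" "$d" 2018
}
```

On a real sensor, call `pcaps_for_ip 192.168.1.1 /var/log/snort/alert /var/log/snort 2018` with the year the alerts were written; the epoch values depend on the sensor's local time zone, which is why `date` is run there rather than on another machine.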