By default, Snort decodes every packet it logs into text and files it under a separate directory named after the IP address involved. On a busy network the number of directories quickly grows into the hundreds, and the result is an unwieldy pile of small files.
Luckily, Snort provides an easy fix. Run it with the
<font face="courier">-b</font> command-line option, which writes the captured packets to a single file in tcpdump (binary) format instead of decoding them into per-address directories. This has the added benefit of being much faster, because Snort no longer has to decode and pretty-print each packet as it logs it, so the probe is less likely to drop packets and miss an intrusion attempt. When you want to analyze the file later, feed it back to Snort with the <font face="courier">-r</font> option, which reads a tcpdump-format file instead of a live interface; tcpdump itself can read the same file.
Now it's analysis time. Getting useful data from that 25 MB log file could be an overwhelming task. But don't worry; two user-contributed Perl scripts will make your life much easier.
Snortlog, written by Angelos Karageorgiou, looks up the hostnames of the flagged machines (Snort records only IP addresses) and writes them to a list. snort_stat.pl, by Yen-Ming Chen, parses the alert log and produces a useful set of statistics about the current alerts. I highly recommend that you download and use both.
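To show what that kind of post-processing involves, here is a small Python script, added for this article and not code from Snort or from either Perl script, that does roughly what snort_stat.pl does on Snort's "alert fast" output and, optionally, what snortlog does: it parses each alert line, counts alerts per signature, source, destination, destination port and priority, and can reverse-resolve the addresses it finds. The alert lines in SAMPLE_ALERTS are constructed for illustration (the signature IDs and messages are illustrative, not a claim about any rule set), and the hostname lookup is pluggable so the script runs offline.

```python
"""Alert statistics for a Snort "alert fast" file, in the spirit of
snort_stat.pl, with an optional reverse-DNS pass like snortlog.
Added example; not code from the article, Snort, or the Perl scripts.
SAMPLE_ALERTS below is constructed for illustration only."""
import re
import socket
import sys
from collections import Counter
from typing import Callable, Dict, Iterable, Optional

# Constructed sample.  Lines 1-4 use the Snort 2.x fast-alert layout
# ([gid:sid:rev], classification, priority, {proto}); line 5 is the bare
# Snort 1.x layout.  The last line is junk the parser must skip.
SAMPLE_ALERTS = """\
01/15-12:34:56.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 10.0.0.1
01/15-12:34:57.001122  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 10.0.0.2
01/15-12:35:10.500000  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:40123 -> 10.0.0.2:705
01/15-12:40:03.000001  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3456 -> 10.0.0.1:80
01/15-12:41:44.000000  [**] WEB-CGI phf access [**] 198.51.100.77:1025 -> 10.0.0.1:80
this line is not an alert and must be ignored
"""

# One fast-alert line.  Everything between the message and the addresses is
# optional so both the 1.x and 2.x layouts match.  IPv4 only: with IPv6 the
# colon before the port number would be ambiguous.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"(?:\{(?P<proto>[A-Za-z0-9]+)\}\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one fast-alert line into its fields; None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Key signatures as "[gid:sid] message"; a 1.x log has no SID, so fall
    # back to the message text alone.
    rec["sig"] = f"[{rec['gid']}:{rec['sid']}] {rec['msg']}" if rec["sid"] else rec["msg"]
    return rec


def dns_resolver(addr: str) -> str:
    """Reverse-resolve an address the way snortlog does; fall back to the IP."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return addr


def summarize(lines: Iterable[str], resolver: Optional[Callable[[str], str]] = None) -> dict:
    """Count alerts per signature, source, destination, port and priority.
    Pass a resolver to get hostnames; leave it None to stay offline."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    hosts: Dict[str, str] = {}
    if resolver is not None:
        for addr in {a["src"] for a in alerts} | {a["dst"] for a in alerts}:
            hosts[addr] = resolver(addr)
    return {
        "total": len(alerts),
        "first": alerts[0]["ts"] if alerts else None,
        "last": alerts[-1]["ts"] if alerts else None,
        "by_signature": Counter(a["sig"] for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_destination": Counter(a["dst"] for a in alerts),
        "by_dest_port": Counter(a["dport"] for a in alerts if a["dport"]),
        "by_priority": Counter(a["pri"] or "unknown" for a in alerts),
        "hosts": hosts,
    }


def format_report(summary: dict, top: int = 10) -> str:
    """Render the summary as a plain-text report, hostnames beside addresses."""
    out = [f"{summary['total']} alerts, first {summary['first']}, last {summary['last']}", ""]
    sections = (("Signatures", "by_signature"), ("Sources", "by_source"),
                ("Destinations", "by_destination"),
                ("Destination ports", "by_dest_port"), ("Priorities", "by_priority"))
    for title, key in sections:
        out.append(f"{title}:")
        for item, n in summary[key].most_common(top):
            name = summary["hosts"].get(item)
            out.append(f"  {n:6d}  {item} ({name})" if name and name != item else f"  {n:6d}  {item}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python snort_alert_stats.py [alert-file]; with no file, the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_ALERTS.splitlines()
    print(format_report(summarize(lines, resolver=dns_resolver)))
```

Point it at your real alert file to get the per-signature and per-host counts; the reverse lookups are the slow part on a large file, so run it once without a resolver to see the counts and a second time with one only for the top talkers you care about.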
As we wrap up this series on intrusion detection, it's time to start thinking about the best place to deploy your new system. Don't forget that an Ethernet switch forwards a unicast frame only to the port where it has learned the destination MAC address. A probe plugged into an ordinary switch port therefore sees only broadcasts, multicasts, frames for addresses the switch hasn't learned yet, and traffic addressed to the probe itself, which is not very useful for intrusion detection.
You have a couple of options. Most switch vendors let their hardware copy the frames passing through one port (or several) to another port, a feature called port mirroring (Cisco calls it SPAN). This is a low-cost way to get started, but it has limits: the mirror port has only one port's worth of bandwidth, so mirroring a busy full-duplex link, or several ports, onto it oversubscribes the mirror port and the switch silently drops the excess copies, and on older switches that do the copying in software it also loads the switch CPU. The frames that get dropped are precisely the ones you wanted to inspect, so compare the mirror port's counters with the source port's before trusting what the probe reports.
For a small network, I recommend buying an inexpensive four-port repeater (a hub). Insert the hub between the backbone switch and the segment of the network you're interested in monitoring, plug the probe into an empty port on the hub, and every frame crossing that link is repeated to the probe. Two caveats: a hub turns the link into a half-duplex shared segment, which cuts its capacity, and hubs exist only for 10 and 100 Mbit/s Ethernet. On a full-duplex or gigabit link, use a passive network tap instead, which splits each direction of the link onto its own probe interface. Whichever you choose, confirm the probe really sees the segment by running tcpdump on its interface and checking that frames between other hosts show up.
Next time, I'll talk about ways you can get a handle on network bandwidth hogs.