Snortalog 2.4.3

A powerful Perl script that summarizes Snort logs
  2 Screenshots
Snortalog is a powerful Perl script that summarizes Snort logs, making it easy to view any network attacks detected by Snort.

It can generate charts in HTML, PDF, and text output. Snortalog works with all versions of Snort, and can analyze logs in three formats: syslog, fast, and full snort alerts.

Moreover, it is able to summarize other logs like CheckPoint Fw-1 (NG and 4.1), Netfilter, IPFilter, Packet Filter, CISCO PIX, and Lucent BRICK in a similar way.

Developer comments

There are several reasons why I choose to develop my program in perl.
I have been working with SNORT for 5 years and I couldn't find any existing scripts that were able to report potentials attacks quickly.

My first goal was to generate a text output (ASCII) to provide many sorting and filtering statistics. Eventually, I improved my program to generate charts (HTML) for a best visualization and soon a GUI.

You may ask why not use a MySQL database or similar like ACID ??? As a member of SNORT's mailing list for a long time ago, I often read questions about this error "Fatal error: Maximum execution time of 180 seconds exceeded".

You can regularly purge your database but this task could prove tough for the administrator. Moreover, in a network with a lot of NIDS and several thousand log alerts, a request in a database will have a long response time.

The use of a script like SnortALog is more easier, efficient and appropriate. Do your own tests and send me your feedback.

Main features:

  • Create HTML, PDF and text reports
  • Generate GIF, PNG or JPG graph in HTML output
  • CLI (Command Line Interface) and GUI (Graphic User Interface
  • Works with Syslog, Fast and Full SNORT alerts
  • Works with all SNORT preprocessor (spp_stream4, spp_portscan, spp_decoder, flow, flow-portscan ...)
  • Has the possibility to link the SNORT signature to the web reference attack description
  • Works with "-I" Snort option to specify an interface and add report
  • Work now with "-e" Snort option (Display the second layer header info)
  • Use a specific plugin for generate your owns reference's SNORT rules
  • Can specify order (acsending ou descending)
  • Can specify the number of occurences to view
  • Can resolve IP addresses and domains
  • Add colors for a best visibility
  • Possibility to do filtering (if you only want a specific IP source or high severity snort logs)
  • Works with CheckPoint Fw-1 (4.1 and NG) in syslog and fw logexport command
  • Works now with CheckPoint Fw-1 SmartDefense
  • Works with Netfilter and IPFilter syslog logs
  • Works now with syslog CISCO PIX logs (Thanks to Edwin)
  • Works on Windows box (basic option: no graph)
  • Works with Lucent Brick Firewall logs

last updated on:
March 30th, 2011, 7:05 GMT
license type:
GPL (GNU General Public License) 
developed by:
Jeremy Chartier
ROOT \ Utilities
Download Button

In a hurry? Add it to your Download Basket!

user rating



Rate it!
2 Screenshots
What's New in This Release:
  • Add JUNIPER NetScreen log detection
  • Add TIPPINGPOINT log detection
  • Correct some typos or minor errors in messages or comments
  • Verify CHECK POINT Fw-1 R65 log detection direct from "fw log -n" command
read full changelog

Add your review!