Snort Gallery

Snort is a free, lightweight intrusion detection system developed by Sourcefire. This demo shows how easy it is to read and visualize network logs stored in the Snort database.

Snort Dashboards

This is a demonstration of HTSQL and HTRAF using a live Snort intrusion detection database. We have two dashboards that uses no code except for HTML, Javascript, and some HTSQL Queries.

The Daily Overview dashboard provides a graphical and tabular summary of today’s activity.

The Event Detail dashboard lists the 10 most events, where clicking an event shows detail such as protocol header information and data payload.

Interesting HTSQL Queries

The HTSQL interface for snort data source is at http://snort.htsql.org/ — http://snort.htsql.org/event.limit(10).

Last 10 source IPs

This query displays source IP addresses from the last 10 events.

◥/iphdr{inet(ip_src)}.sort(event.timestamp-).limit(10)

Unique destinations for a given source

This query displays all distinct destinations IP addresses and TCP ports from source IP 216.243.150.122.

◥/distinct(event{inet(iphdr.ip_src),
                inet(iphdr.ip_dst),
                tcphdr.tcp_dport}
               ?inet(iphdr.ip_src)='216.243.150.122')

Range of IP addressees

This example shows all pairs of source and destination IPs where the source IP belongs to the block 10.90.90.0/24.

◥/distinct(iphdr{inet(ip_src), inet(ip_dst)}
     ?inet(ip_src)>='10.90.90.0'&inet(ip_src)<='10.90.90.255')

Last 500 events for a specified host (CSV)

This query shows the most recent 500 events for host 216.243.150.122. The output is in CSV format and contains the timestamp, destination IP address, TCP destination port, UDP destination port, ICMP type, signature name and signature class name.

◥/event{timestamp-,
       inet(iphdr.ip_dst),
       tcphdr.tcp_dport,
       udphdr.udp_dport,
       icmphdr.icmp_type,
       signature.sig_name,
       signature.sig_class.sig_class_name}
      .filter(inet(iphdr.ip_src)='216.243.150.122')
      .limit(500)/:csv

Number of IP addresses per signature

This query displays the number of unique IP addresses for each detected signature.

◥/signature{sig_sid, sig_name,
           count(distinct(event{iphdr.ip_src}))}

Unique IP addresses and signatures

This query displays all unique IP addresses and detected signature names with the number of times the IP has been detected with the signature.

◥/distinct(event{inet(iphdr.ip_src),
                signature.sig_name}){*, count(^)-}

High severity events for today

This query displays all source and destination IPs that caused high severity events today along with signature name and timestamp.

◥/event{inet(iphdr.ip_src),
       inet(iphdr.ip_dst),
       signature.sig_name,
       time(timestamp)}
      ?date(timestamp)=today()&signature.sig_priority=1