MRTG Snort Alerts
Posted on February 20th, 2009
Example method of graphing Snort alerts from a PostgreSQL database
#!/usr/bin/perl -w
# SevenL Networks Inc.
# Ash Palmer
# 2009-02-20
#
# MRTG external target: prints the number of Snort events logged in the
# last 600 seconds (one 10-minute MRTG polling interval) as the "in" value.
use strict;
use DBI;
use DBD::Pg;

my $host="localhost";
my $port="5432";
my $database="snort";
my $user="snort";
my $password="your_database_password";

my $dbh = DBI->connect("dbi:Pg:dbname=$database;host=$host;port=$port",
    $user,
    $password,
    {AutoCommit => 0, RaiseError => 1, PrintError => 0}
) || die "Couldn't connect to database: $DBI::errstr\n";

# Count events whose timestamp falls within the last 600 seconds.
my $sql = qq{ SELECT COUNT(timestamp) from event WHERE extract('epoch' from now()-timestamp) < 600 };
my $sth = $dbh->prepare( $sql );
$sth->execute();
my $data = $sth->fetch();      # one row holding the count
for my $element (@{ $data} ) {
    print "$element\n";        # line 1: "in" value (alert count)
}
$sth->finish();
$dbh->disconnect();
print "0\n";                   # line 2: "out" value (unused)
print "\n";                    # line 3: uptime (MRTG expects four lines; not applicable here)
print "snort\n";               # line 4: target name
MRTG Configuration file.
WorkDir: /usr/pkg/share/httpd/htdocs/mrtg
Target[snort]:`/usr/bin/snortpg.pl`
MaxBytes[snort]: 100
Title[snort]: Snort
PageTop[snort]: Snort
YLegend[snort]: Alerts (min)
LegendI[snort]:
LegendO[snort]:
Options[snort]: nopercent,growright,gauge,noinfo
ShortLegend[snort]:
RunAsDaemon: Yes
Interval: 10
Starting MRTG
# /usr/pkg/bin/mrtg /usr/pkg/etc/mrtg/snort.conf
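The same probe written as an added example (not the post's own code), showing the four-line output contract MRTG expects from an external target and why the query window must equal the polling interval so each alert is counted exactly once. It assumes an `event` table with a `timestamp` column as in the query above; sqlite3 stands in for PostgreSQL so it runs offline on constructed sample rows.

```python
"""MRTG external-target probe for Snort alert counts (added example)."""
import sqlite3
from datetime import datetime, timedelta

MRTG_INTERVAL_MIN = 10                     # must match "Interval:" in the MRTG config
WINDOW_SECONDS = MRTG_INTERVAL_MIN * 60    # window == interval: no double counting, no gaps
SAMPLE_NOW = datetime(2009, 2, 20, 12, 0, 0)   # fixed "now" for the constructed sample


def count_recent_alerts(conn, now, window_seconds=WINDOW_SECONDS):
    """Events with a timestamp inside the last window (the page's
    extract('epoch' from now()-timestamp) < 600 expressed with a cutoff)."""
    cutoff = now - timedelta(seconds=window_seconds)
    row = conn.execute(
        "SELECT COUNT(timestamp) FROM event WHERE timestamp > ?",
        (cutoff.isoformat(sep=" "),),
    ).fetchone()
    return row[0]


def mrtg_output(alerts, uptime="", name="snort"):
    """MRTG reads exactly four lines from an external target:
    in value, out value, uptime, target name."""
    return f"{alerts}\n0\n{uptime}\n{name}\n"


def build_sample_db(now):
    """Constructed sample: three alerts inside 10 minutes, two older."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, "
                 "signature INTEGER, timestamp TEXT)")
    ages = [30, 300, 599, 601, 3600]          # seconds before `now`
    rows = [(1, cid, 1, (now - timedelta(seconds=a)).isoformat(sep=" "))
            for cid, a in enumerate(ages, 1)]
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db(SAMPLE_NOW)
    print(mrtg_output(count_recent_alerts(db, SAMPLE_NOW)), end="")
```

Against the real database the cutoff comparison becomes the page's `extract('epoch' from now()-timestamp) < 600`; only the output format and the interval/window match matter to MRTG.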
This method has been tested on NetBSD but I'm positive it will work on all Linux and UNIX versions with a little modification.
Thanks,
Ash Palmer
Network Security Logistics