Small snort alerts hack
-
I made a small hack to snort gui alerts so I could see the packet that triggered the alert. It kind of munches the page a bit but I find it useful.
First you have to enable "Log to a tcpdump file" checkbox.
Then backup /usr/local/www/snort/snort_alerts.php
Then get the new one here:
http://pastebin.com/xfnXnGDA
Check it over of course (sdiff anyone?) to see what I did was legit.You might not want to run it on slow machines with huge alert lists. I rotate my alert logs regularly and it works fine.
-
You can code it to be optional on the type of alert chosen in snort.
You can code to use alerts in tcpdump format or normal one and then make your code optional.And also submit through redmine.pfsense.org as Feature.
-
Made it more useful and submitted it
http://redmine.pfsense.org/issues/2008tcpdump format was problematic and doesnt add much but not having to run snort to interpret the dump would be nice. Cant get snort to dump only alert packets in binary (tcpdump) format. It wants to dump the whole world or not at all.
Not sure how to make optional on alert type beyond hard coding a list or adding a checkbox to every rule or category.