snorbert is a snort data viewer, loosely based on snorby. It is written in C# and targets .NET Framework 4.5.
The aim of the application is to provide a fast, usable interface for accessing snort data. Depending on the snort deployment, the underlying data set can be extremely large, so care has been taken to optimise the data access. snorbert has various useful features:
- Paged data access
- Configuration for multiple snort instances
- Signature based grouping of events
- User configurable searching
- Correlation of snort signatures to events for easy viewing of the signatures
- Query integration with NetWitness for quick session identification
snorbert uses the following third-party components:
- CsvHelper: CSV output
- Be.HexEditor: HEX view of packet data
- IP Address Control: easy validation of IP addresses
- SQL Server CE: used for rule storage
- MySql: access to snort MySQL databases
- NPoco: data access
- ObjectListView: data viewing via lists
- Utility (woanware): my helper library
Requirements:
- Microsoft .NET Framework v4.5
- snort/barnyard database change (see below)
snorbert requires a number of changes to the snort/barnyard database schema. The following files should be run to create new tables:
- Database\acknowledgment.sql
- Database\acknowledgment_class.sql
- Database\exclude.sql
Then the data population script (acknowledgment_class.data.sql) should be run to populate the acknowledgment_class table. The exclude table lets particular rules, IP addresses etc. be excluded from the views. The acknowledgment tables support collaborative working, so that one analyst can see that another analyst is already working on a particular rule.
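The following is an added example, not code from snorbert or its Database\*.sql scripts, showing how the exclude and acknowledgment tables sit alongside the standard snort/barnyard tables and how a paged event query can honour them. The signature, event and iphdr tables use the barnyard2 column names; the column layout of acknowledgment_class, acknowledgment and exclude is assumed for illustration (the real DDL is in the files listed above), the sample rules, events and acknowledgment classes are constructed, and sqlite3 stands in for MySQL so the example runs offline.

```python
import sqlite3
import ipaddress

# Real barnyard2 snort tables, trimmed to the columns used here.
SNORT_SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
                        sig_sid INTEGER, sig_gid INTEGER, sig_rev INTEGER);
CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    signature INTEGER NOT NULL REFERENCES signature(sig_id),
                    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL,  -- IPv4 as unsigned int
                    PRIMARY KEY (sid, cid));
"""

# ASSUMED layout for snorbert's extra tables; the real columns come from Database\*.sql.
SNORBERT_SCHEMA = """
CREATE TABLE acknowledgment_class (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE acknowledgment (id INTEGER PRIMARY KEY,
                             sig_id INTEGER NOT NULL REFERENCES signature(sig_id),
                             class_id INTEGER NOT NULL REFERENCES acknowledgment_class(id),
                             analyst TEXT NOT NULL, note TEXT);
CREATE TABLE exclude (id INTEGER PRIMARY KEY,
                      sig_id INTEGER,   -- NULL = any rule
                      ip INTEGER,       -- NULL = any address, else matches src or dst
                      reason TEXT);
"""

def ip2int(addr):
    """Store addresses the way barnyard2 does: IPv4 as an unsigned integer."""
    return int(ipaddress.ip_address(addr))

def acknowledge(conn, sig_id, class_id, analyst, note=None):
    """Record that an analyst has picked up a rule (hypothetical helper)."""
    conn.execute("INSERT INTO acknowledgment (sig_id, class_id, analyst, note) VALUES (?,?,?,?)",
                 (sig_id, class_id, analyst, note))

def add_exclusion(conn, sig_id=None, ip=None, reason=None):
    """Exclude a rule, an address, or the combination of both (hypothetical helper)."""
    conn.execute("INSERT INTO exclude (sig_id, ip, reason) VALUES (?,?,?)",
                 (sig_id, ip2int(ip) if ip else None, reason))

def visible_events(conn, page=1, page_size=50):
    """One page of events, minus anything matched by the exclude table, with the
    latest acknowledgment of each event's rule so other analysts can see it."""
    sql = """
    SELECT e.sid, e.cid, s.sig_name, i.ip_src, i.ip_dst, a.analyst, ac.name
    FROM event e
    JOIN signature s ON s.sig_id = e.signature
    JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
    LEFT JOIN acknowledgment a
           ON a.id = (SELECT MAX(id) FROM acknowledgment WHERE sig_id = e.signature)
    LEFT JOIN acknowledgment_class ac ON ac.id = a.class_id
    WHERE NOT EXISTS (
        SELECT 1 FROM exclude x
        WHERE (x.sig_id IS NOT NULL OR x.ip IS NOT NULL)       -- ignore empty rows
          AND (x.sig_id IS NULL OR x.sig_id = e.signature)
          AND (x.ip IS NULL OR x.ip IN (i.ip_src, i.ip_dst)))
    ORDER BY e.sid, e.cid
    LIMIT ? OFFSET ?"""
    rows = conn.execute(sql, (page_size, (page - 1) * page_size)).fetchall()
    return [(sid, cid, name, str(ipaddress.ip_address(src)),
             str(ipaddress.ip_address(dst)), analyst, cls)
            for sid, cid, name, src, dst, analyst, cls in rows]

def build_demo_db():
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SNORT_SCHEMA + SNORBERT_SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?)", [
        (1, "DEMO SCAN SSH brute force", 9000001, 1, 1),
        (2, "DEMO ICMP ping", 9000002, 1, 1),
        (3, "DEMO POLICY outbound TFTP", 9000003, 1, 1)])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 1, "2013-01-01 10:00:00"), (1, 2, 2, "2013-01-01 10:00:05"),
        (1, 3, 1, "2013-01-01 10:00:09"), (1, 4, 3, "2013-01-01 10:00:12")])
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?)", [
        (1, 1, ip2int("10.0.0.5"), ip2int("192.168.1.10")),
        (1, 2, ip2int("10.0.0.9"), ip2int("192.168.1.10")),
        (1, 3, ip2int("10.0.0.9"), ip2int("192.168.1.20")),
        (1, 4, ip2int("10.0.0.7"), ip2int("192.168.1.30"))])
    # Assumed class names; the real ones come from acknowledgment_class.data.sql.
    conn.executemany("INSERT INTO acknowledgment_class VALUES (?,?)",
                     [(1, "Investigating"), (2, "False positive")])
    add_exclusion(conn, sig_id=2, reason="ping noise")
    add_exclusion(conn, ip="10.0.0.7", reason="authorised scanner")
    acknowledge(conn, 1, 1, "alice", "looking at the SSH scans")
    conn.commit()
    return conn

if __name__ == "__main__":
    for row in visible_events(build_demo_db(), page=1, page_size=10):
        print(row)
```

Events 2 and 4 disappear from the page (one by rule, one by address) and both remaining SSH-scan events carry alice's "Investigating" acknowledgment, which is what a second analyst would see before starting on the same rule. The NOT EXISTS filter and LIMIT/OFFSET paging are plain SQL and work unchanged against MySQL; only the in-memory setup is sqlite-specific.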