weasel first steps

The Views

Weasel allows you to analyze the snort alerts by means of different views, showing different aggregations of the alerts contained in the database. The views are accessed by the links in the light green section of the navigation header. The currently active view is highlighted in bold. you can simply switch between the different views by clicking on the links.

To further refine the analysis, it is possible to define filters. Each view will only aggregate those alerts which pass the currently active filter. If there is a filter in effect, it is displayed in the box "Filter Criteria". Filter and Views are independent concepts, which means that the currently active filter stays in effect when you switch the view.

You can mix and match filters and views to nagivate in the dataset. Please note that the filter state is not global, but rather per window (passed along via the URL), so you can work with different filters in different windows or tabs at the same time.

In each view, there is a table containing the results of the query. The table headers have brackets, which allow you to sort the table. You can also see which sorting is currently in effect as the corresponding bracket is highlighted in grey.

In case your query has more than fifty rows, weasel will only show the first fifty. You can go on to the next page by the links under the table. (Note that this number can be adjusted in the User Interface section of the Admin Pages.)

Some fields are hyperlinks that will switch views and add expressions to the current filter automagically. For example, suppose that you see in the Unique Alert View, that the alert "P2P Napster login" (sid 549) came from 19 different Sources in your network. Clicking on the number 19 in the "Sources" column and "P2P Naptser Login" row will:

• change the view to the IP list, to display Source IP's, and
• add a filter for the "P2P Napster login" (sid 549) alert.

The query that you get should return exactly those 19 Source IPs, which had Napster Logins detected. This allows you to quickly and intuitively navigate in the alert dataset.

Note that the Top Ten statistics on the "Overview Page" are also linked as described above, so they provide a convenient starting point for your analysis.

Searching and Filters

Click on "New Search" in the Navigation Header. A form to start a custom search will apear.

The form is divided into sections, containing different kind of fields. A field is ignored if it is left empty. For example, to search for alerts about traffic from your network to the outside world within the last hour, click on "Add Relative Time" in the section "snort" and select "hour(s)" in the dropdown. Then in the Section "IP", "Address", select:

    Source == 192.168.0.0/16

    Destination != 192.168.0.0/16.

Finally click on submit to start the search. Behind the scene, new filters will be defined and added to the current filter criterion.

As you can see, the filter is composed out of filter atoms or tokens. You can delete individual tokens by enabling the corresponding checkboxes in the "Filter Criteria" box and then clicking on "Remove", or clear the entire filter by clicking on "Remove all Tokens". Another way to start a new search is to click again on "New Search" in the page header. If you want to refine the current filter by adding a new token, click on the "Add Filter" link instead.

Weasel allows you to store frequently used filters in a persistent form. For example, if you want to check frequently if machines of your home network are attacking someone else's network, you can define this query as a persistent filter, so you don't need to enter it again and again. The administrative page "Manage Filters" allows you to create, delete and edit persistent Filters.

In order to load a persistent filter, you first need to flip-out the filter box by clicking on the "hide/show" link. If you click on the name of the persistent filter, it will replace the currently active one. If you click on the "(add)" link besides the persistent filter, it will be merged to the active one.

Alert Detail

Now we will have a closer look at an alert. All alerts are assinged with an unique ID when they are logged into the database, independent of the alerts origin. To get the details of an alert, you must click on its ID on the "Alert Listing" view. The ID is actually composed of two numbers. The first is the number of the alert within the currently active query, and the second number is the alert's unique ID coming from the database.

The details about this alerts are structured in several sections. You can see which sensor has reported the alert, which signature has fired. You also can see the usual network header fields. The IP.proto field and the TCP.flag fields have a mouse over tool tip, that gives you a human readable name of the protocol and states if the tcp flag combination is valid after RFC.

Note that the context of the alert listing is still around, which means that you can browse to the next alert by clicking the "Next" link.

The packet payload field contains a hex dump of the entire packet. Each byte contains again a mouse over tool tip, stating the name of the field. you can color the individual header fields by clicking on the "Show Fields" Button. You can also get tsharks/tethereals opinion about that packet by clicking on the "Show Tshark" Button.

Congratulations