SnortView: Visualization System of Snort Logs

False detection is a major issue in deploying and maintaining Network-based Intrusion Detection Systems (NIDS). Traditionally it is recommended to customize the signature database (DB) to reduce false detections. However, customizing the signature DB appropriately requires quite deep knowledge and skill, and inappropriate customization increases false negatives as well as false positives. This paper proposes a visualization system for NIDS logs, named SnortView, which helps administrators analyze NIDS alerts much faster and more easily. Instead of customizing the signature DB, we propose to utilize visualization to recognize not only each alert but also false detections. The system is based on a 2-D time diagram in which alerts are shown as icons with different styles and colors. Moreover, the system introduces visualization techniques such as overlaid statistical information and a source-destination matrix. The system was used to detect real attacks while recognizing some false detections.
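As an added illustration, not code from the paper or from the SnortView system, the Python below parses constructed Snort fast-format alert lines and derives the two aggregations the abstract names: the cells of the 2-D time diagram (alerts per signature per time window) and the source-destination matrix. The periodicity check that flags false-positive review candidates is my own heuristic, not the paper's method; the sample addresses, sids and messages are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Snort "fast" alert format: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$")

# Constructed sample log (RFC 5737 addresses, local-rule sids, invented messages); the last line is deliberately malformed.
SAMPLE_LOG = """\
01/23-10:00:02.100000  [**] [1:1000001:1] SAMPLE ICMP PING sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 192.0.2.10
01/23-10:01:00.000000  [**] [1:1000002:3] SAMPLE SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.50:4000 -> 192.0.2.1:161
01/23-10:06:00.000000  [**] [1:1000002:3] SAMPLE SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.50:4001 -> 192.0.2.1:161
01/23-10:11:00.000000  [**] [1:1000002:3] SAMPLE SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.50:4002 -> 192.0.2.1:161
01/23-10:12:30.250000  [**] [1:1000003:2] SAMPLE WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.0.2.10:80
this line is not a Snort alert and must be skipped
"""

def parse_alerts(text, year=2004):
    """Parse fast-format lines into dicts; the format carries no year, so one is supplied. Non-matching lines are skipped."""
    alerts = []
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        a = m.groupdict()
        a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append(a)
    return alerts

def src_dst_matrix(alerts):
    """Alert count per (src, dst) pair: the source-destination matrix."""
    return Counter((a["src"], a["dst"]) for a in alerts)

def time_diagram(alerts, minutes=5):
    """Alert count per (window start, sid): one cell of the 2-D time diagram per signature and time window."""
    cells = Counter()
    for a in alerts:
        t = a["time"].replace(second=0, microsecond=0)
        cells[(t - timedelta(minutes=t.minute % minutes), a["sid"])] += 1
    return cells

def periodic_candidates(alerts, min_hits=3, tolerance=timedelta(seconds=5)):
    """My own heuristic (not the paper's): one sid between one host pair at a near-constant interval looks like a scheduled poller, so flag it for review."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["sid"], a["src"], a["dst"])].append(a["time"])
    flagged = []
    for key, times in by_key.items():
        gaps = [b - a for a, b in zip(times, times[1:])]  # log order is chronological
        if len(times) >= min_hits and max(gaps) - min(gaps) <= tolerance:
            flagged.append(key)
    return flagged
```

Run on SAMPLE_LOG, the matrix shows three alerts from 192.0.2.50 to 192.0.2.1 and the periodicity check flags that sid/host-pair triple, which is what a steady 5-minute poller hitting an SNMP rule looks like on the time diagram.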


1. Hideki Koike, Kazuhiro Ohno, SnortView: Visualization System of Snort Logs, Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC-04), 11th ACM Conf. on Computer and Communications Security (CCS 2005), ACM, pp. 143-147, 2004.