Originally Posted by jaz7324
I'm trying to find out what is the easiest way to read a Snort analysis?
Two problems with your post. One, you haven't given any details about what data you have, and two, there's the phrase "the easiest way". While most frameworks or applications with a point-and-click interface may lead you to believe otherwise, simply put, there is no way you will be able to perform -=any=- analysis without first having to gain knowledge.

To understand what Snort logs you need to understand what triggers those rules. In some cases it may be strings that map one-to-one to a known attack on a service (SQL injection) or application (AWStats exploit); in other cases it may be something issued by Snort itself (ICMP: traceroute); and in other cases it may be packets that were mangled in flight. So you will need a basic understanding of how the IP suite protocols work and how systems may respond (or not): see The TCP/IP Guide for starters. As for tools, there's a lot that can be viewed by running packet captures through Wireshark and looking at payloads (*
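As an added illustration of the reply's point about what triggers an alert (a rule's content match, an event Snort generates itself, or a packet that failed to decode), the script below is not from the thread or from the Snort project. It parses lines in Snort's `alert_fast` output format and, for each alert, pulls the generator/signature IDs so the rule can be looked up, then sorts the alerts by where they came from: GID 1 is the text rule engine (a content or pcre match you can read in the rule), GID 116 is `snort_decoder` (the packet itself was malformed), and any other GID is a preprocessor raising its own event. The sample alert lines are constructed for this example; the SIDs and message texts are illustrative and should be checked against your own rule set.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of Snort "alert_fast" output. Not taken from the thread;
# SIDs and messages are illustrative only.
SAMPLE_ALERTS = """\
01/09-12:34:56.123456  [**] [1:385:5] ICMP traceroute [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
01/09-12:35:01.000001  [**] [1:1000001:1] WEB-ATTACK SQL injection attempt in query string [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
01/09-12:35:09.555555  [**] [116:56:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**] [Priority: 3] {TCP} 198.51.100.3:4444 -> 192.0.2.10:22
01/09-12:35:11.000000  [**] [1:1000001:1] WEB-ATTACK SQL injection attempt in query string [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.10:80
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
# The Classification block is optional (decoder events often omit it).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def origin_of(gid: int) -> str:
    """Map a generator ID to what produced the alert."""
    if gid == 1:
        return "rule"          # text rule engine: read the rule's content/pcre to see what matched
    if gid == 116:
        return "decoder"       # snort_decoder: packet was mangled/truncated, look at the raw packet
    return "preprocessor"      # e.g. http_inspect, frag3: the preprocessor's own event


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str

    @property
    def origin(self) -> str:
        return origin_of(self.gid)


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def parse_alerts(text: str) -> List[Alert]:
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def host(addr: str) -> str:
    """Strip ':port' from an IPv4 'addr:port' (ICMP alerts carry no port)."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def summarize(alerts: List[Alert]) -> Dict[str, Counter]:
    """Count alerts by signature (what to look up), by origin (how to read it) and by source host."""
    return {
        "by_signature": Counter((a.gid, a.sid, a.msg) for a in alerts),
        "by_origin": Counter(a.origin for a in alerts),
        "talkers": Counter(host(a.src) for a in alerts),
    }


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    summary = summarize(alerts)
    for (gid, sid, msg), n in summary["by_signature"].most_common():
        print(f"{n:3d}  [{gid}:{sid}] {msg}  ({origin_of(gid)})")
    print("origins:", dict(summary["by_origin"]))
    print("top sources:", summary["talkers"].most_common(3))
```

The useful output is the `[gid:sid]` pair and the origin: a GID 1 hit tells you which rule to open so you can see the exact string it matched before deciding it is a real SQL injection attempt, while a decoder event points you at the packet capture rather than at any rule.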