An alchemists view from the bar

Network Security Alchemy


with 44 comments

Yes the name is new, and the code is updated.

Mike Guiterman persuaded me to take part in a Snort Users webex “Pimp My Snort”, this gave me a great excuse to update and document my old snort / google earth mash-up. I am now happy to present “SnoGE” (pronounced snoog-ie). An archive of the presentation is now available on

Automated display of Snort IPS events

Automated display of Snort IPS events


  • Plots Snort IPS events onto Google Earth
  • Supports Unified alert files (snort’s recommended output format)
  • Auto-update KML file with new events
  • Optional auto-refresh Google Earth do display latest attacks
  • Highlight latest event on the map
  • Represent top locations in the form of a bar (blue = city, green = country)
  • Track location statistics along with attacks
  • Multi-user capable
  • Optional banner for custom branding
  • Cool Eye-candy

They say a picture is worth a thousand words, so take a look at the image.

Snoge is now hosted and available on Google Code, head over here to download the latest release.

For help with SnoGE, and if you run into issues please go to

Snoge is a Snort unified reporting tool, it processes your unified files (that’s Snort’s output format), and represents them as place-marks on Google Earth. It can operate in a few modes, Real-time, refresh, and one-time.


As you may have guessed, SnoGE relies on quite a few external components, to get the system functioning you will need the following

  • A Linux system (I’ve used Debian stable while developing, although it should work on other distributions)
  • SnortUnified (perl module)
  • Geo::IP::PurePerl (perl module)
  • NetPacket::Ethernet (perl module)
  • The Maxmind geoip database
  • A Websever (for the auto update features)

1) Grab and extract the SnoGE tarball

Download here

2) Grab and install build / run requirements

lward@webexprep:~$ mkdir Build
lward@webexprep:~$ cd Build/
lward@webexprep:~/Build$ wget
lward@webexprep:~/Build$ tar -zxvf ./SnortUnified_Perl.20070927.tgz
lward@webexprep:~/Build$ cd snort-unified-perl/
lward@webexprep:~/Build/snort-unified-perl$ sudo cp /usr/local/lib/perl/5.10.0
lward@webexprep:~/Build/snort-unified-perl$ cd
lward@webexprep:~$ sudo cpan “NetPacket::Ethernet”
lward@webexprep:~$ sudo cpan “Geo::IP::PurePerl”
lward@webexprep:~$ wget
lward@webexprep:~$ gunzip ./GeoLiteCity.dat.gz
lward@webexprep:~$ sudo mkdir /usr/local/share/GeoIP
lward@webexprep:~$ sudo cp GeoLiteCity.dat /usr/local/share/GeoIP/
lward@webexprep:~$ sudo apt-get install apache2

3) Grab your unified Log files

If you have Snort already running on this system, you will likely find them in /var/log/snort/. Showing you how to get Snort working is far beyond the scope of this document.


SnoGE’s configuration lives in a single config file, by default it’s called snoge.conf and it should only need some minor tweaks for your environment.


Google Earth reads KML files, therefore this is the output format of SnoGE. Opening a KML file will lead to its contents being plotted on your map. In my example above, I have a directory called “snoge” under /var/www. The user that runs the snoge on my system (lward) has write access to this location.

lward@webexprep:~/snoge$ sudo mkdir /var/www/snoge
lward@webexprep:~/snoge$ sudo chown lward /var/www/snoge/


This base filename for your Unified alert files is set in your snort.conf. I, like most others, use the default snort.alert.


When run in auto-refresh mode, where can the updates be download from. The IP of my device is, and the directory I made earlier was called snoge


lward@webexprep:~/snoge$ ./snoge

I need a config file. Take a look at usage

* Snort unified -> Google Earth 1.5 No warranties are provided or are inferred to the accuracy or reliability of this code.
Use at your own risk.

-c or –config Specify config file
-v or –verbose Enable verbose mode
-o or –onetime One time run with a single unified file.
-r or –refresh Create a “server” KML file for automated updates

For our first try, lets do a simple one-time run through a unified alert file. I have one called /var/log/snort/snort.alert.1240856559

lward@webexprep:~/snoge$ ./snoge -c snoge.conf –onetime /var/log/snort/snort.alert.1240856559
Doing a single run
lward@webexprep:~/snoge$ ls /var/www/snoge/snoge.kml -l
-rw-r–r– 1 lward lward 61685 2009-07-20 09:56 /var/www/snoge/snoge.kml

I now have a KML file to open in Google Earth. Because it’s being written to a location published by Apache, I can access it over the Internet from my OSX laptop. By typing in the URL

SnoGE plotting some events

SnoGE plotting some events” into Firefox, Google Earth opens up the KML as expected. A screenshot of mine is on the right there –>.

Because this was a one-time run through, this file will never change. If you like the idea of keeping this file up to date with “current” events, we need to track what events have been plotted and keep looking for more events. Assuming you have configured the basefilename correctly, running snoge without the –onetime flag will keep the file up to date.

Verbose mode will inundate you with information for debugging, but in general snoge is a quiet beast.

lward@webexprep:~/snoge$ ./snoge -c snoge.conf

Every time you RE-OPEN the KML file, it will be up to date. Note that re-open is a key word here, if you want the system to auto-update itself you need to enable refresh mode.

Refresh mode uses a second KML file, and is simple to use. Firstly create your server KML file

lward@webexprep:~/snoge$ ./snoge -r /var/www/snoge/server.kml -c snoge.conf
Creating a server KML to serve event updates
Filename: /var/www/snoge/server.kml
Update interval: 10
Banner: snort-ge-banner.png

Then, run snoge as before

lward@webexprep:~/snoge$ ./snoge -c snoge.conf

Rather than access the snoge.kml file from your google earth client, access the server.kml file instead.

Written by leonward

July 24, 2009 at 2:52 pm

44 Responses

Subscribe to comments with RSS.

  1. Hi Leon,
    I saw this on the SNORT webinar on the 24th. I am receiving an error. See info below:
    This is a centos 5.3 with Perl 5.8.8.

    [SNORT bin]# snoge -c /etc/snoge.conf
    Died at /usr/local/bin/snoge line 910.

    Here is my snoge.conf

    Here is a listing of my /var/log/snort
    [root@HQSNORT snort]# snoge snoge -c /etc/snoge.conf
    Died at /usr/local/bin/snoge line 910.
    [root@HQSNORT snort]# ls -la /var/log/snort
    total 86748
    drwxr-xr-x 2 snort snort 4096 Jul 31 13:43 .
    drwxr-xr-x 16 root root 4096 Jul 31 04:05 ..
    -rw-r–r– 1 root root 2056 Jul 30 14:26 barnyard.waldo
    -rw-r–r– 1 root root 0 Jul 30 12:00 snort.log
    -rw-r–r– 1 root root 1471757 Jul 30 13:33 snort.log.1248972337
    -rw-r–r– 1 root root 0 Jul 30 13:48 snort.log.1248976109
    -rw-r–r– 1 root root 87242382 Jul 31 06:14 snort.log.1248978071
    -rw-r–r– 1 root root 0 Jul 31 08:39 snort.log.1249043978

    Any thoughts
    Thank you for your help

    Dana Burrows

    July 31, 2009 at 5:55 pm

  2. Hi Dana.

    Snoge is failing to do two things for you.
    1) Open up the latest unified log file to process
    2) Nicely report *why* it is failing to open up the unified file.

    Run Snoge in verbose mode(-v) and email me the output.



    August 4, 2009 at 4:33 pm

  3. Is this supposed to open in Google Earth, or be embedded in the browser? Thanks

    T Dub

    August 7, 2009 at 4:45 pm

    • It will open in your local copy of Google Earth.


      August 17, 2009 at 1:10 pm

  4. […] SnoGE – Snoge is a Snort unified reporting tool, it processes your unified files (that’s Snort’s output […]

  5. I’m sure this is something simple…but how do I get Google Earth to recognize a kml file from a link?

    It publishes to Apache the kml file. However, Google Earth’s browser function, IE, and Firefox all display a screen of XML instead of actually processing it.


    November 5, 2009 at 12:21 am

    • What OS and browser are you using? What’s the suffix of your KML file set to?


      November 6, 2009 at 11:55 am

      • Windows XP. As above…both IE 8 and Firefox 3 won’t open the kml in Google Earth. I also tried an XP laptop with Firefox with the same result. Both systems have Google Earth installed. The kml is registered to Google earth in the OS…so if I could download it instead of it displaying as XML it would load in Google Earth just like a local kml does…I checked the file types in Firefox and kml isn’t even defined so in theory it should ask me what to do but just displays it as xml code instead of loading up or asking to download.


        November 7, 2009 at 1:53 am

  6. Does SnoGE work with unified2 alerts or just unified?


    November 14, 2009 at 5:11 am

  7. Hi, This is really a cool plugin, but does it work with the new unified files ? (unified2) ? It will be really cool if it does.


    February 4, 2010 at 8:58 pm

    • Not tested it. It the underlying snort-unified-perl library supports it might “just work”.
      Try it out and let me know how/if it breaks.



      February 4, 2010 at 9:30 pm

      • UPDATED: Yes, SnoGE now works with unified2


        May 25, 2010 at 2:13 pm

  8. Hello
    i am trying to install under CentOs 5.3 after doing all instaruction getting this error (below) , i have download and installed also load module but still error
    any idea please advice
    Can’t locate Module/ in @INC (@INC contains: .. /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 . ..) at ./snoge line 35.
    BEGIN failed–compilation aborted at ./snoge line 35.
    [root@gfn-ids snoge]#


    February 26, 2010 at 8:00 pm

    • As you pointed out already, it’s unable to find Module::Load. Something must have gone wrong with your install of that module. If you’re new to Perl, take a look at cpan.


      February 26, 2010 at 9:17 pm

      • Thanks
        In first place i didnt instal the right load module it have to be Module-Load-0.16 moudle



        February 27, 2010 at 8:02 am

  9. […] leave a comment » The below tool and information has been superceded by Snoge.  More info about Snoge is available at here. […]

    • hi leonward,what is the use of locating the attackers on the G Earth…. what kind of application can be developed using snoge


      March 9, 2010 at 6:10 pm

      • SnoGE is a data visualization tool. It provides a qualitative view of where the event sources are.


        March 14, 2010 at 11:13 am

  10. Hello,

    I installed snoge and was able to run it on the example.csv, but when I try to run it on a unified file it returns the error :

    Unified mode * Importing functions:
    “meta_handlers” is not defined in %SnortUnified::EXPORT_TAGS at ./snoge line 305
    Can’t continue after import errors at ./snoge line 305

    Any idea on this one? I ran the verbose mode and it did not turn up anything of note. The only change I made to the snoge.conf file was uncommenting the unified mode and commenting the csv mode. Here is my setup:

    Ubuntu 8.04

    I placed the SnortUnified_Perl files in /usr/local/lib/perl/5.8.8/SnortUnified/

    I might try the older version of SnortUnified_Perl…


    March 16, 2010 at 7:15 pm

    • The Jason has released an updated version of snort-unified-perl. The version of SnoGE in svn works with this version, and also works with unified2 files. I see that you have already tried with SnortUnified_Perl.20070927 with success.

      If you get a chance, please take a look at the version in SVN, if it works for others ill roll it into a new version tarball.



      March 18, 2010 at 10:48 am

  11. UPDATE: Using the SnortUnified_Perl.20070927 version worked…


    March 16, 2010 at 7:28 pm

  12. Hello

    i have installed it and tried to run it at first time with command line as follow “./snoge -c snoge.conf -v -m unified -o /var/log/snort/snort.log.1269509132”

    I get following error below
    Please advice

    Config: Input mode is unified
    CONFIG: Creating output file ./snoge.kml
    CONFIG: Adding a sensor for location
    CONFIG: Adding a sensor for location
    CONFIG: Base filename is /var/log/snort/alert.ids
    CONFIG: Classification.confg set to /etc/snort/classification.config
    CONFIG: Ignoring SID 1421
    CONFIG: Ignoring SID 1000000001
    CONFIG: Ignoring SID 13948
    CONFIG: Ignoring SID 12801
    CONFIG: Images expected at
    CONFIG: Using snorty.gif as the event icon
    CONFIG: Using warning.png as the event icon
    CONFIG: Using waldo file /dev/null
    Config: Sid-msg file is /etc/snort/
    CONFIG: gen-msg file is /etc/snort/
    CONFIG: Ignoring source ip
    CONFIG: Maximum number of placemarks set to 50 events
    CONFIG: Updateinterval set to 0 events
    CONFIG: Maximum number of events to track in bars set to 4000
    CONFIG: Default locarion set to
    – Default Latitude set to 53.9667
    – Default Longitude set to -1.08330000000001
    – Defailt City – > York United Kingdom
    CONFIG: Default latitude for unknown location set to 53.9667
    CONFIG: Update URL is http://x.x.x.119/snoge/snoge.kml for serverKML
    CONFIG: Banner is snort-ge-banner.png in serverKML
    CONFIG: Refreshing every 5
    CONFIG: Defense Center IP is x.x.x.119
    CONFIG: Defense Center Port is 8302
    CONFIG: Defense Center SSL Cert is /home/lward/certfile.txt
    Unified mode * Importing functions:
    – Adding sensor in York, United Kingdom
    – Adding sensor in Columbia, United States
    – Now processing unified file(s)…..
    Working on single file /var/log/snort/snort.log.1269509132
    unable to open /var/log/snort/snort.log.1269509132 at ./snoge line 1211.


    March 27, 2010 at 2:14 pm

    • Maybe file permissions.

      $ whoami
      $ ls -l /var/log/snort/snort.log.1269509132
      $ file /var/log/snort/snort.log.1269509132

      Rather than track support issues here, please add to



      March 29, 2010 at 1:57 pm

  13. Hello
    Works Ubuntu 9.10

    as using the output barnyard2 unified2, read above that SnortUnified_Perl.20070927 not support the conclusion unified2. Staged SnortUnified_Perl.20100308.

    Run Snoge:. / Snoge -c snoge.conf -onetime (or -o) / var/log/snort/snort.u2.1269520880

    Output error:
    Can’t locate SnortUnified / in @ INC (@ INC contains: .. / etc / perl / usr/local/lib/perl/5.10.0 / usr/local/share/perl/5.10.0 / usr / lib/perl5 / usr/share/perl5 / usr/lib/perl/5.10 / usr/share/perl/5.10 / usr / local / lib / site_perl. ..) at / usr/local/lib/perl/5.10.0 / line 58.
    BEGIN failed – compilation aborted at / usr/local/lib/perl/5.10.0/ line 58.
    Compilation failed in require at. / Snoge line 36.
    BEGIN failed – compilation aborted at. / Snoge line 36.

    I tried verbose mode but it has not delivered.

    Here are my pieces of executable and configuration files:

    executable file:

    use strict;
    use warnings;
    use Sys:: Hostname;
    use Data:: Dumper;
    use Socket;
    use Geo:: IP:: PurePerl;
    use Module:: Load;
    use SnortUnified qw (: DEFAULT: meta_handlers);

    my $ configFile = 0;
    my $ UF_Data = ();
    my $ record = ();

    configuration file:

    mode = “unified”
    # Mode = “estreamer”
    # Mode = “csv”

    # Tested with unified 1 “Alert” output
    # Kmlfile: Location of the output kml created by processing unified logs. This is not the location of the server file, take a look at the command line arguments to set that.
    kmlfile = “/ var / www / snoge / snoge.kml”

    # Sensors: A space separated list of “locations” where a sensor is to be placed on the map. Location is specified by IP address, the geoip DB will map this to somewhere in the world.
    sensors = “”

    # Basefilename: The name of the unified alert file that is to be processed. Unified files have a epoch timestamp appended to them, don’t specify that timestamp, the code will work it out. If you do want to process a specific file, take a look at the command line “-o” argument.
    basefilename = “/ var/log/snort/snort.u2”

    How to solve the problem?

    Thank you.


    March 30, 2010 at 2:13 pm

    • Snoge 1.7 does not work with SnortUnified_Perl.20100308 (required for unified2 log support.
      SnoGE 1.8 does indeed use SnortUnified_Perl.20100308 and supports unified2 files.

      Let me know if it works for you.


      March 31, 2010 at 9:54 am

      • Updated to Snoge-1.8, nothing happens
        Writes an error:
        – Cant find default location for “”!
        Unknown mode. at. / snoge line 263, line 92.

        tried to run in csv mode with option -m csv –onefile example.csv and unified mode. In both cases, the error one.


        April 5, 2010 at 10:08 am

  14. Purgen, I broke some stuff in 1.8. Apologies.
    Checkout the latest code from SVN and it should work for you.

    Note that the -m argument is deprecated.

    lward@lenny:~/code/snoge$ ./snoge -c csv-example.conf -o example.csv
    CSV File mode (processing example.csv)
    Processing CSV file example.csv…
    KML file ./snoge.kml created.

    To do a svn checkout, the following should work.
    svn checkout snoge-read-only

    If you find any other problems, please raise an issue here ->

    Thank you.


    April 5, 2010 at 12:02 pm

  15. I had the same problem

    “- Cant find default location for “”!
    Unknown mode. at. / snoge line 263, line 92.”

    updated from svn and now get this

    root@snort:/usr/local/snoge-1.8.1# ./snoge -v -c snoge.conf -o /var/log/snort/snort.u2.1270543251 CONFIG: Input mode is : “unified”
    CONFIG: sid-msg file is : /usr/local/snort/etc/
    CONFIG: gen-msg file is : /usr/local/snort/etc/
    CONFIG: Base filename is : /var/log/snort/snort.u2
    CONFIG: Ignoring Source :
    CONFIG: Ignoring Destination :
    CONFIG: Ignoring SIDs : 1421 1000000001 13948 12801
    CONFIG: Updateinterval : 0 events
    CONFIG: Maxplacemarks : 50
    CONFIG: Maximum Statistics : 4000
    CONFIG: Default location :
    CONFIG: KMLOutputfile : /var/www/snoge/snoge.kml
    CONFIG: Server Refresh : 5
    CONFIG: waldo : /dev/null
    CONFIG: Event Icon : warning.png
    CONFIG: Sensor Icon : snorty.gif
    CONFIG: Banner : snort-ge-banner.png
    CONFIG: UpdateURL :
    CONFIG: Defense Center :
    CONFIG: Estreamer Port : 8302
    CONFIG: Certfile : ./certfile.txt
    CONFIG: Sensors :
    CONFIG: Image URL :
    CONFIG: classification file : /usr/local/snort/etc/classification.config
    – Default Latitude set to 53.9667
    – Default Longitude set to -1.08330000000001
    – Defailt City – > York United Kingdom
    Unknown mode. at ./snoge line 260, line 77.


    April 6, 2010 at 2:31 pm

    • The config file format has changed a little in 1.8 (note the lack of “””). The file snoge.conf should no longer be in the release or in the repository, it was updated to become example-unified.conf.
      Please post future problems on the googlecode page, it’s a nightmare tracking them to resolution in blog comments.



      April 6, 2010 at 2:43 pm

  16. […] a basic Snort installation and added Base and Barnyard. Base is not very fun to look at so we added Snoge, which is a way to output the originating location of network attacks to Google Earth. As you can […]

  17. Hello,

    Please help with error below.
    Works Ubuntu 10.10

    I am getting this problem with unified, i have tested with csv and it works fine.

    infos@IDS:~/Build/snoge$ ./snoge -c unified-example.conf –onefile /var/log/snort/snort.log.1304505368 -w /var/www/snoge/snoge.kml
    – Unified mode * Importing functions:
    Can’t locate SnortUnified/ in @INC (@INC contains: .. /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl . ..) at ./snoge line 214, line 97.


    May 10, 2011 at 9:04 am

  18. Hello,
    I’m using Ubuntu 10.10

    When I tried to run this;
    saat@saat:~/Desktop/snoge-1.8$ perl snoge -c snoge.conf –onefile example.csv -m csv -w /var/www/snoge/snoge.kml

    The it show this;
    Error opening /usr/local/share/GeoIP/GeoLiteCity.dat at /usr/local/share/perl/5.10.1/Geo/IP/ line 183

    how can I solve this problem?


    March 15, 2012 at 8:13 am

    • You need to download the geo ip database. Its covered in the installation docs. I suggest you take a look there.


      March 15, 2012 at 12:39 pm

  19. and also if I run this;
    saat@saat:~/Desktop/snoge-1.8$ perl snoge -c snoge.conf -o /var/log/snort/snort.log.1331570196

    it will show this;
    Unknown mode. at snoge line 263, line 92.

    anybody can help?


    March 15, 2012 at 10:13 am

    • What is relevant line in your snoge.conf?


      March 15, 2012 at 12:35 pm

      • everything is like original file.
        I just edit this part:

        #defaultlocation=”” <– (only comment this line)

        at line 92, the is only empty space after certfile line.

        # Location for SSL certificate
        (here is line 92)


        March 18, 2012 at 4:29 pm

      • Yeah I know what that is.
        The format of the config file changed a long time ago and no longer requires “”. In fact it doesn’t handle them well. I can only assume you’ve managed to mix an old example.conf with a more recent version of snoge.

        Included in the tarball are examples for CSV, unified, and also estreamer.

        [12:03:45]lward@largo~/code/snoge$ head -n 20 csv-example.conf
        # Snoge config file for plotting events onto google earth

        # See the README.config for details of all configuration elements.
        # CSV Example config file



        March 20, 2012 at 12:04 pm

  20. ah. my bad.
    I did not read the instruction and the comment over here
    silly of me.

    after I remove the quote (“”),
    everything is working fine.
    thanks leonward! 🙂

    another things is,
    how I want to make this script run automatically if there is new threat detected?


    March 20, 2012 at 12:35 pm

    • You need to use a parent/server KML file (I use the term interchangeably). Take a look at the install doc and the –parent switch, the server section of the unified-example.conf and the install wiki doc.



      March 20, 2012 at 2:13 pm

  21. Greetings!

    Awesome idea!

    You should share some live cd version.



    January 21, 2013 at 8:12 am

  22. […] as importantly, you can use Snort with various tools such as OfficeCat, Squil, SnoGE, and others developed by the Snort community for real time network analysis and incident response. […]

  23. HI leonward,

    I got everything run perfect except that I cannot change the default location to be from my country. How can I do that? I even added the latitude and longitude of my location but still it shows the default location. The other thing is it shows on Google earth “placemark RULE MESSAGE UNKNOWN – UnknownCity, UnknownCountry”


    April 29, 2013 at 5:50 am

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: