
Re: [Snort-users] Send snort alerts via syslog to ArcSight


Pablo Atiaga

Oct 1, 2012, 4:30:37 PM
Thanks for your answer.

Barnyard is sending all the parameters; the problem is that ArcSight doesn't recognize them as Snort events. I mean the problem is the following:

  • Via Snort I can't send any event via syslog. I do the following steps:
    • Locate and open the main Snort configuration file to edit:
      <Snort_home>/etc/snort.conf
    • Locate the # syslog section.
    • In the following line, replace <hostipaddress> with your own host IP address:
      output alert_syslog: host=<hostipaddress>:514, LOG_AUTH LOG_ALERT
      where <hostipaddress> is the IP address of your syslog host.
    • Start Snort with the -s option; for example:
      C:\Snort>bin\snort -c etc\snort.conf -s
  • On the other hand, I try to send events using barnyard successfully, but the format of the events is not recognized by ArcSight. The format sent from barnyard is as follows:
    • Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of DNS No Such Name Responses [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640

Thanks.

Regards


On 27/09/2012 15:54, beenph wrote:
On Thu, Sep 27, 2012 at 4:36 PM, Pablo Atiaga
<pablo....@e-govsolutions.net> wrote:
Hi everyone.

I need to send snort alerts to ArcSight via syslog. I found a
configuration just changing one line in the snort.conf, but it doesn't
work. I already tried sending events with another application and with
barnyard and they work, but I need to send from snort directly because that's
the only way to send all the parameters correctly. I'm using snort 2.9.3.1.
All parameters?
I am interested to see which parameters are missing in the barnyard2
v2-1.10 syslog_full output module.

-elz

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- 
Pablo Alberto Atiaga Galeas
IT Security Specialist
EGOVERMENT SOLUTIONS S.A.
+593-93343553
+593-92709534
skype: pablo_ati_g

Joel Esler

Oct 1, 2012, 5:05:55 PM
I believe (and that means I'm probably totally wrong about this), but I believe barnyard's syslog format differs slightly from the built-in Snort format.

Someone correct me if I'm wrong on that?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


beenph

Oct 1, 2012, 5:22:19 PM
On Mon, Oct 1, 2012 at 5:05 PM, Joel Esler <jes...@sourcefire.com> wrote:
> I believe (and that means I'm probably totally wrong about this), but I
> believe barnyard's syslog format differs slightly from the built-in Snort
> format.
>
> Someone correct me if I'm wrong on that?

@joel
2-1.10 uses the same format if someone uses the syslog_full output plugin.


@Pablo
download barnyard2 2-1.10

and configure the following output plugin:

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP or LOCAL ie(syslog())
# Arguments:
# sensor_name $sensor_name - unique sensor name
# server $server - server the device will report to
# local - if defined, ignore all remote information and use syslog() to send message.
# protocol $protocol - protocol device will report over (tcp/udp)
# port $port - destination port device will report to (default: 514)
# delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
# separators $separators - define field separator included in each message ex: " " , will use space as field separator. (default: [:space:])
# operation_mode $operation_mode - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
# log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
# log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON

Just make sure that operation_mode is set to default and it should be
like the snort syslog output.

-elz
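
As an added example (not code from this thread, from Snort or from barnyard2), a parser for the syslog alert line in the format Pablo quotes above, which is the same shape barnyard2's syslog_full emits in operation_mode default, plus a conversion of the parsed fields to ArcSight's CEF format. The sample lines are constructed; the vendor/product strings and the priority-to-severity mapping are assumptions, not ArcSight's own.

```python
import re
from typing import Optional

# Constructed sample lines in the shape quoted in the thread (not captured traffic).
SAMPLE_LINES = [
    "Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of DNS No Such Name Responses "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640",
    "Oct  1 09:02:00 130.2.17.46 [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: "
    "{ICMP} 10.0.0.5 -> 10.0.0.9",  # constructed: ICMP carries no ports
    "Oct  1 09:02:07 130.2.17.46 [1:1000001:1] LOCAL test rule [Priority: 0]: "
    "{TCP} 10.0.0.5:44321 -> 10.0.0.9:80",  # constructed: rule without a classtype
]

# Classic Snort alert_syslog message; barnyard2 syslog_full "operation_mode default" emits the same shape.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<sensor>\S+) "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z0-9]+)\} (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Split one syslog alert into typed fields; None if the line is not in the Snort format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d

def _cef_escape(value: str, header: bool) -> str:
    """CEF escaping: '|' and backslash in header fields, '=' and backslash in extension values."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")

def to_cef(alert: dict) -> str:
    """Render a parsed alert as CEF. Vendor/product and the priority->severity map (1 = highest) are assumed."""
    severity = {1: 10, 2: 7, 3: 4}.get(alert["prio"], 0)
    header = "|".join(_cef_escape(f, True) for f in (
        "Snort", "IDS", "2.9.3.1", f'{alert["gid"]}:{alert["sid"]}:{alert["rev"]}', alert["msg"]))
    ext = {"proto": alert["proto"], "src": alert["src"], "dst": alert["dst"]}
    if alert["sport"] is not None:
        ext["spt"], ext["dpt"] = str(alert["sport"]), str(alert["dport"])
    if alert["cls"]:
        ext["cat"] = alert["cls"]
    extension = " ".join(f"{k}={_cef_escape(v, False)}" for k, v in ext.items())
    return f"CEF:0|{header}|{severity}|{extension}"
```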
