Pfsense & snort log to central Security Onion


tbaror

Jan 31, 2014, 5:28:02 AM1/31/14
to securit...@googlegroups.com
Hi,
I have a few pfSense firewalls installed with the Snort package acting as IPS across Europe, US and the Middle East. I would like them to log both Snort alerts and firewall events centrally to Security Onion, preferably with all data logged into Squert/Sguil. What would be the best way? Is it possible through either Barnyard2 or syslog?

Please advise
Thanks

BBCan177

Jan 31, 2014, 11:51:09 AM1/31/14
to securit...@googlegroups.com

tbaror

Feb 1, 2014, 3:10:36 AM2/1/14
to securit...@googlegroups.com
On Friday, January 31, 2014 6:51:09 PM UTC+2, BBCan177 wrote:
> https://groups.google.com/forum/#!searchin/security-onion/pfsense$20$26$20ELSA/security-onion/czJNBWJ3sIw/GKGVFSZfEUQJ

Thanks for the reply. One more question: would sending logs into ELSA make events appear in Squert?
thanks

Doug Burks

Feb 1, 2014, 8:33:51 AM2/1/14
to securit...@googlegroups.com
Hi tbaror,

To get Snort logs into Squert, you'd have to get them into the Sguil
database using the snort_agent.

We don't recommend or support running Snort on pfSense. It's better
to let your firewall be a firewall, and let Security Onion do the
IDS/NSM work.



--
Doug Burks

tbaror

Feb 1, 2014, 11:44:38 AM2/1/14
to securit...@googlegroups.com

Hi Doug,

You might be right, but the current situation doesn't allow me to add further machines as pure sensors.
Our firewalls are doing their job as IPS very well, but again I need to be alerted and have a kind of global security "awareness" status.
In my opinion any SIEM system should have the possibility to consolidate security data from almost any device (like OSSIM). Security Onion is great and promising, and we would really like to adopt it for our organization.
But I would prefer that all data has a shared data source; the reason I am insisting on Sguil is that in this system we have the possibility of an alerting policy mechanism, and it gives much more brain than Snorby does.
Thanks

Doug Burks

Feb 1, 2014, 12:05:23 PM2/1/14
to securit...@googlegroups.com
Sguil was designed for dedicated sensors. You might be able to make it work with your pfSense Snort instances, but unfortunately we don't have the resources to support that. 

Have you considered using ELSA?  It will be easier to integrate data into it since it can be fed by traditional syslog. 


--
Doug Burks
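An added example, not from the thread, of what the "traditional syslog" route Doug mentions looks like on the receiving side: parsing Snort's alert_syslog lines as forwarded by several pfSense hosts to a central collector, and applying the kind of priority-based alerting policy tbaror asks about. Host names, SIDs, addresses and the sample log are all constructed.

```python
import re
from collections import Counter

# Snort's alert_syslog output as it arrives at a central syslog collector.
# The leading "timestamp host snort[pid]:" prefix is what the forwarding
# syslog daemon prepends; everything after it is Snort's own alert format.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: three Snort alerts from three pfSense hosts plus one
# unrelated sshd line that the parser must skip. Addresses are RFC 5737.
SAMPLE_LOG = """\
Feb  1 10:00:01 fw-eu snort[2231]: [1:1000001:1] LOCAL suspicious SSH login burst [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:51022 -> 192.0.2.10:22
Feb  1 10:00:05 fw-us snort[1877]: [1:1000002:3] LOCAL ICMP sweep [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.44
Feb  1 10:00:09 fw-me snort[3119]: [1:1000003:2] LOCAL shell metacharacters in URI [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:40212 -> 192.0.2.80:80
Feb  1 10:00:11 fw-eu sshd[502]: Accepted publickey for admin from 192.0.2.5 port 50001 ssh2
"""


def parse_alerts(text):
    """Return one dict per Snort alert line; non-Snort syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])  # Snort priority: 1 is most severe
            alerts.append(rec)
    return alerts


def escalate(alerts, max_priority=2):
    """Alerting policy: keep only alerts at or above the given severity."""
    return [a for a in alerts if a["prio"] <= max_priority]


def top_sources(alerts, n=3):
    """Sources seen most often across all forwarding firewalls."""
    return Counter(a["src"] for a in alerts).most_common(n)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for a in escalate(parsed):
        print(f"{a['host']} P{a['prio']} sid={a['sid']} {a['src']} -> {a['dst']}: {a['msg']}")
    print("top sources:", top_sources(parsed))
```

Note that, as BBCan177 points out below, syslog carries only the alert text; there is no full packet capture to pivot into, so this is triage, not investigation.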

BBCan177

Feb 1, 2014, 12:21:20 PM2/1/14
to securit...@googlegroups.com
Hi tbaror,

I hope you stick with Security Onion.

You have to start to look beyond just alerting and start to understand that IDS (Detection) is crucial. If you have some time please read this article.

http://dcid.me/notes/2013-jul-08

> But i would prefer that all data has a share data source, the reason i am insisting on Sguil would be because in this system we have the possibility for alerting policy mechanism ,and its giving much more brain than Snorby does.

If you do manage to get the data into SGUIL you won't be able to do much with the information, as pfSense Snort would not send the full packet capture to SGUIL.

So sending it into ELSA is the best option.

If someone writes some code for pfSense Snort that sends the FPC, then sending it to SGUIL would provide some further benefit.


In regards to Notifications (emails etc) for ELSA, I haven't tried but I believe that this is possible.

tbaror

Feb 1, 2014, 1:53:57 PM2/1/14
to securit...@googlegroups.com

Thanks for the article. I have been using IDS for many years to help protect our organization, starting with BASE and many more, and I can say for sure IDS helped us many times, like the case described in the article.
Now as for Security Onion, we used to use it (as standalone) and then switched to OSSIM, and now we mounted a new system to replace the current old server; the new one is already installed with Security Onion. Now we are in the process of relearning it all over again and assessing our possibilities with it. I love it and the idea behind it, but I need to make the switch if possible and try to adapt it to our current infrastructure.
As for ELSA, it looks good; I have to check and decide.
BTW, since Barnyard2 ver 2.13.1 it supports logging to a local Sguil agent; I posted a question to the Barnyard group, they might soon implement an option to log to a remote Sguil agent.
Thanks all
