[Snort-users] snort on OSSIM

Crook, Parker Parker_Crook at ...14786...
Tue Mar 16 16:32:53 EDT 2010


Exactly, OSSIM will start an instance of Snort for each interface you feed to OSSIM.  I in no way wanted to lead people to believe that you can run snort -I eth1,eth2,eth3...ethX and go to town, because that would be wrong.

Thanks for clearing that up.
-Parker

-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...]
Sent: Tuesday, March 16, 2010 4:30 PM
To: Crook, Parker
Cc: Kaushal Shriyan; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort on OSSIM

Okay, so OSSIM will start two instances of Snort, one for each interface?  Is that what you are saying?

The reason I am asking is because I don't want people reading the list thinking "oh, I can just run (non-OSSIM) Snort with -i eth1,eth2 and it'll work!"

J

On Mar 16, 2010, at 4:16 PM, Crook, Parker wrote:

> Joel,
>
> You are correct in that I made an error (no commas), it should look like:
>
> DEBIAN_SNORT_INTERFACE="eth1 eth2"
>
> Then you have to run ossim-reconfig, and ossim will run two instances of Snort (on OSSIM 2.1 this would create two binaries, snort_eth1 and snort_eth2, but I have not tested on OSSIM 2.2).  I posted up my findings on this thread a while back:  https://www.alienvault.com/forum/index.php?t=msg&goto=5566&S=b8d60b94e6c1d460ebf808dfc78343a5#msg_5566
>
> -Parker
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Tuesday, March 16, 2010 4:01 PM
> To: Crook, Parker
> Cc: Kaushal Shriyan; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort on OSSIM
>
> Have you tested to make sure that Snort is listening on all three interfaces that you describe below?  Or does Snort only accept the first one in this list?
>
> I don't think you can do that "eth1,eth2,eth3" specification, I've never tested it, and have no way to do it right now...
>
> J
>
> On Mar 16, 2010, at 2:41 PM, Crook, Parker wrote:
>
>> Kaushal,
>>
>> Ray is correct - I was using Snort on OSSIM for quite a while and the snort files are located in /etc/snort.  As far as tuning snort, you would still need to define your variables in the snort.ethX.conf file, where ethX is the configuration file Snort will use for the respective interface.
>>
>> As far as configuring goes, there is a snort.debian.conf file that you can use to set some of your options (example contents below):
>>
>> #this sets $HOME_NET in command-line call - leave empty if $HOME_NET is set #in your config file, else, define here.
>> DEBIAN_SNORT_HOME_NET="192.168.0.0/16,1.2.3.0/24"
>> #listen on eth1, eth2, and eth3 - starts multiple instances of snort, using #their respective config files
>> DEBIAN_SNORT_INTERFACE="eth1,eth2,eth3"
>> #use Berkeley Packet Filter file
>> DEBIAN_SNORT_OPTIONS="-F bpf.filt"
>> DEBIAN_SNORT_SEND_STATS="true"
>> DEBIAN_SNORT_STARTUP="boot"
>> DEBIAN_SNORT_STATS_RCPT="root"
>> DEBIAN_SNORT_STATS_THRESHOLD="1"
>>
>> Now, stepping outside of talking about Snort, if you are using OSSIM in all-in-one mode, then your output module for Snort should already be configured and logging to your database out of the box (otherwise you will need to setup the sensor->server communication channel in the OSSIM configs).  You can view alerts from Snort on the webpage under Events->Alerts I believe...
>>
>> Hope this helps,
>> Parker Crook
>>
>> -----Original Message-----
>> From: Ray Caparros [mailto:arcy24 at ...11827...]
>> Sent: Tuesday, March 16, 2010 12:19 PM
>> To: Kaushal Shriyan
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] snort on OSSIM
>>
>> Kaushal,
>>
>> I believe the snort instance in OSSIM is located at /etc/snort.
>> Here's the link on their forum https://www.alienvault.com/forum/
>>
>> -Ray
>>
>> On Tue, Mar 16, 2010 at 11:29 AM, Kaushal Shriyan
>> <kaushalshriyan at ...11827...> wrote:
>>> Hi
>>>
>>> I am a newbie to snort. On what parameters or basis do I need to
>>> configure ruleset in snort. I am using snort under OSSIM Application.
>>>
>>> Please suggest/guide.
>>>
>>> Thanks and Regards,
>>>
>>> Kaushal
>>>
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs
>>> proactively, and fine-tune applications for parallel performance.
>>> See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>
> --
> Joel Esler

--
Joel Esler
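The point settled in this thread is that Snort takes one interface per process, and OSSIM's ossim-reconfig starts a separate instance for each interface listed in snort.debian.conf. The script below is an added illustration, not code from the thread or from OSSIM: it reads a snort.debian.conf-style text and emits one Snort command line per interface, each with its own snort.ethX.conf as Parker describes. The sample config is constructed; the PID-file path and the exact Snort flags used are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSIM project): one Snort
# command per interface, instead of a single "-i eth1,eth2" invocation
# which Snort does not accept.

# Constructed sample config modelled on the snort.debian.conf excerpt in
# the thread, with the corrected space-separated interface list.
SAMPLE_CONF='DEBIAN_SNORT_HOME_NET="192.168.0.0/16,1.2.3.0/24"
DEBIAN_SNORT_INTERFACE="eth1 eth2 eth3"
DEBIAN_SNORT_OPTIONS="-F bpf.filt"
DEBIAN_SNORT_STARTUP="boot"'

# Extract the value of KEY="value" from config text given on stdin.
conf_get() {
    key="$1"
    sed -n "s/^${key}=\"\(.*\)\"$/\1/p"
}

# Print one Snort command line per listed interface. Each instance gets
# its own per-interface config (/etc/snort/snort.ethX.conf, per the
# thread) and its own PID directory so the daemons do not collide.
# Flags assumed: -D daemon, -c config, -i interface, -S var=value,
# --pid-path dir (Snort 2.x style).
snort_cmds() {
    conf="$1"
    home_net=$(printf '%s\n' "$conf" | conf_get DEBIAN_SNORT_HOME_NET)
    ifaces=$(printf '%s\n' "$conf" | conf_get DEBIAN_SNORT_INTERFACE)
    opts=$(printf '%s\n' "$conf" | conf_get DEBIAN_SNORT_OPTIONS)
    for i in $ifaces; do
        cmd="snort -D -c /etc/snort/snort.${i}.conf -i ${i} --pid-path /var/run/snort_${i}"
        if [ -n "$home_net" ]; then
            cmd="$cmd -S HOME_NET=${home_net}"
        fi
        if [ -n "$opts" ]; then
            cmd="$cmd ${opts}"
        fi
        printf '%s\n' "$cmd"
    done
}

# Number of Snort processes that would be started (one per interface).
snort_instance_count() {
    snort_cmds "$1" | wc -l | tr -d ' '
}

snort_cmds "$SAMPLE_CONF"
```

Running it prints three distinct command lines; a config that still reads "eth1,eth2,eth3" with commas would yield a single bogus interface name, which is the mistake corrected in the thread.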