[Snort-users] How to best do DB *and* syslog logging?

Dustin Webber dustin.webber at ...11827...
Wed Nov 30 15:22:43 EST 2011


All,

Snorby is great for unified2 data which means it supports Sagan (http://sagan.softwink.com/).

In short, Sagan allows you to write host-based rules. Here is a screenshot of Snorby using Sagan: http://cl.ly/0m3G381F232A2t2y0t0L (taken from demo.snorby.org)

Snorby does support unified2 extra data, so you can get URLs from that; however, it would also be trivial to write a snorby-agent for this.

Example:

class Httpry < Snorby::Agent::FilePlugin # or whatever you wanted to insert data for/from

  # This will handle everything for you.. tracking the IO read position, sending to snorby-collect
  # validating the data - running custom categorization logic.. a lot of stuff.

  watch_file 'path/to/httpry/log'

  def process(data)
    Event.create(data.to_schema)
  end

end

Done. You can write plugins for whatever you want. It's fully evented, uses a binary protocol, and is SSL-encrypted with cert-based auth. (Oh, and snorby-agent will support auto-discovery.)
snorby-collect and snorby-agent will be done soon, and I plan to release them with up to 12 plugins.

P.S. ELSA looks great, Martin. I'm going to try that out this weekend.

- Dustin
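Added example (not Snorby's code, and not the Snorby::Agent API the sketch above alludes to, which was unreleased at the time): a stand-alone Ruby file watcher that does the work the sketch hands to FilePlugin, namely remembering the byte offset it has consumed so a restart does not re-emit old events, holding back a half-written last line, dropping malformed records, and resetting when the watched file is truncated or rotated in place. The tab-separated line layout, the field names and the categorization rules are assumptions made for this demo; they are not httpry's real output format.

```ruby
# Added example, not Snorby or httpry code. The log layout below is a
# constructed, tab-separated approximation of an HTTP request log.
require 'json'
require 'tempfile'

class FileWatcher
  # Column order of the constructed sample lines (assumed, not httpry's).
  FIELDS = %i[timestamp src_ip dst_ip method host uri status].freeze

  attr_reader :path, :offset, :events

  def initialize(path, offset: 0)
    @path = path
    @offset = offset   # byte position of the first unread line
    @events = []
  end

  # Read every complete line appended since the last call and turn each
  # one into an event hash. Returns the number of new events.
  def poll
    size = File.size(path)
    # Truncation / rotation-in-place: the file is now smaller than what we
    # already consumed, so the saved offset no longer points into it.
    # (A size check alone cannot see a rotated file that has already grown
    # past the old offset; a real collector would also compare the inode.)
    @offset = 0 if size < @offset
    return 0 if size == @offset

    count = 0
    File.open(path, 'rb') do |io|
      io.seek(@offset)
      while (line = io.gets)
        # A partial last line (no trailing newline) is left for the next
        # poll so a half-written record is never emitted.
        break unless line.end_with?("\n")
        @offset = io.pos
        ev = to_schema(line.chomp)
        next if ev.nil?
        @events << ev
        count += 1
      end
    end
    count
  end

  # Validate and map a raw line onto the schema. Malformed lines return nil
  # and are dropped, so one bad record cannot stall the collector.
  def to_schema(line)
    cols = line.split("\t")
    return nil unless cols.size == FIELDS.size
    ev = FIELDS.zip(cols).to_h
    return nil unless ev[:status] =~ /\A\d{3}\z/
    ev[:status] = ev[:status].to_i
    ev[:category] = categorize(ev)
    ev
  end

  # Custom categorization of the kind the sketch mentions (assumed rules).
  def categorize(ev)
    return 'server-error' if ev[:status] >= 500
    return 'client-error' if ev[:status] >= 400
    'ok'
  end

  # State a collector would persist between runs.
  def checkpoint
    { 'path' => path, 'offset' => offset }.to_json
  end
end

# Demonstration on a constructed sample log (not real traffic).
def demo
  f = Tempfile.new('httplog')
  f.write("2011-11-30T15:00:01\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/\t200\n")
  f.write("2011-11-30T15:00:02\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/admin\t403\n")
  f.write("garbage line\n")
  f.write("2011-11-30T15:00:03\t10.0.0.7\t93.184.216.34\tPOST\texample.com\t/api\t5") # partial
  f.flush
  w = FileWatcher.new(f.path)
  first = w.poll                 # 2 events: garbage dropped, partial held back
  f.write("00\n"); f.flush       # the writer completes the partial line
  second = w.poll                # 1 event (status 500)
  File.truncate(f.path, 0)       # simulate rotation / truncation in place
  f.rewind
  f.write("2011-11-30T15:01:00\t10.0.0.9\t93.184.216.34\tGET\texample.com\t/x\t200\n"); f.flush
  third = w.poll                 # offset reset to 0, then 1 event
  [first, second, third, w.events.map { |e| e[:category] }]
ensure
  f.close! if f
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running it prints `[2, 1, 1, ["ok", "client-error", "server-error", "ok"]]`; the checkpoint JSON is what a collector would write to disk after each poll so the watcher can be re-created with the same offset after a restart.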

On Nov 30, 2011, at 2:32 PM, Martin Holste wrote:

> It's tough to beat Snorby for just Snort data, but if you'd also like
> your console to contain URL data and router/server logs, and since
> you're already doing syslog, you may want to check out my ELSA
> project: http://code.google.com/p/enterprise-log-search-and-archive/ .
> 
> On Wed, Nov 30, 2011 at 1:03 PM, beenph <beenph at ...11827...> wrote:
>> On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 at ...14542....> wrote:
>>> Right now, I'm logging my snort alerts back to a syslog server but I'd
>>> like to start playing with Snorby.  Please correct me if I'm wrong but
>>> I think the ideal way to do this would be to log via unified2 and use
>>> barnyard to send the alert data to snorby's DB but I can't lose my
>>> syslog functionality.  I really wish barnyard was able to do this on
>>> non-Windows boxes!  But what would be the best way to achieve this
>>> short of running two separate snort instances?
>>> 
>> If you need local syslog and to forward it, barnyard2 currently supports
>> this on Windows and non-Windows systems.
>> 
>> If you need remote syslog logging
>> 
>> You can access the feature in its current branch via
>> 
>> https://github.com/binf/barnyard2/tree/RemoteSyslogFix
>> 
>> Also
>> If you look in the provided barnyard2.conf you can see an output plugin
>> config example.
>> 
>> Note that it uses a slightly different logging message format from the
>> default Snort format, but you have the possibility to configure field
>> delimiters and separators from the config file.
>> 
>> Configuration example for remote syslog:
>> # alert_syslog
>> # ----------------------------------------------------------------------------
>> #
>> # Purpose:
>> # This output module provides the ability to output alert information to local syslog
>> #
>> # severity - as defined in RFC 3164 (e.g. LOG_WARN, LOG_INFO)
>> # facility - as defined in RFC 3164 (e.g. LOG_AUTH, LOG_LOCAL0)
>> #
>> # Examples:
>> # output alert_syslog
>> # output alert_syslog: LOG_AUTH LOG_INFO
>> #
>> # syslog_full
>> #-------------------------------
>> # Available as both a log and alert output plugin. Used to output data via TCP/UDP
>> # Arguments:
>> # sensor_name $sensor_name - unique sensor name
>> # server $server - server the device will report to
>> # protocol $protocol - protocol device will report over (tcp/udp)
>> # port $port - destination port device will report to (default: 514)
>> # detail $detail_threshold - specify full/complete log reporting or only summaries.
>> # delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
>> # separators - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
>> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>> 
>> If you have barnyard2-related questions, you're also welcome to send them
>> over to the by2 MLs.
>> 
>> -elz
>> 
>> ------------------------------------------------------------------------------
>> All the data continuously generated in your IT infrastructure
>> contains a definitive record of customers, application performance,
>> security threats, fraudulent activity, and more. Splunk takes this
>> data and makes sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-novd2d
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
