[Snort-users] Send snort alerts via syslog to ArcSight

Pablo Atiaga pablo.atiaga at ...15848...
Mon Oct 1 16:30:37 EDT 2012

Thanks for your answer.

Barnyard is sending all the parameters; the problem is that ArcSight
doesn't recognize them as Snort events. I mean the problem is the following:

  * Via Snort I can't send any event via syslog. I do the following steps:
      o Locate and open the main Snort configuration file to edit:
      o Locate the # syslog section.
      o In the following line, replace <hostipaddress> with your own
        host IP address:
        output alert_syslog: host=<hostipaddress>:514, LOG_AUTH LOG_ALERT
        where <hostipaddress> is the IP address of your syslog host.
      o Start Snort with the -s option; for example:
        C:\Snort>bin\snort -c etc\snort.conf -s

  * On the other hand, I tried sending events using barnyard successfully, but
    the format of the events is not recognized by ArcSight. The format
    sent from barnyard is as follows:
      o Sep 25 16:59:09 [1:2003195:5] ET POLICY Unusual
        number of DNS No Such Name Responses [Classification:
        Potentially Bad Traffic] [Priority: 2]: {UDP} ->



On 27/09/2012 15:54, beenph wrote:
> On Thu, Sep 27, 2012 at 4:36 PM, Pablo Atiaga
> <pablo.atiaga at ...15848...>  wrote:
>> Hi everyone.
>> I need to send Snort alerts to ArcSight via syslog. I found a
>> configuration just changing one line in the snort.conf, but it doesn't
>> work. I already tried sending events with another application and with
>> barnyard, and it works, but I need to send from Snort directly because that's
>> the only way to send all the parameters correctly. I'm using snort
> All parameters?
> I am interested to see which parameters are missing in barnyard2
> v2-1.10 syslog_full output module?
> -elz

Pablo Alberto Atiaga Galeas
IT Security Specialist
skype: pablo_ati_g
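The thread turns on the shape of the syslog line barnyard2's alert_syslog output emits, the one quoted above ("[gid:sid:rev] message [Classification: ...] [Priority: N]: {PROTO} src -> dst"), and on ArcSight not recognising it. As an added example that is not code from the post, from Snort, barnyard2 or ArcSight, here is a small Python parser for that line shape, plus a re-encoder to CEF (ArcSight's Common Event Format), which is one way to hand such events to an ArcSight connector in a form it already understands. The sample lines are constructed in the shape of the quoted line; the hostname, the "snort[pid]:" tag, the IP addresses and ports, the Snort version string in the CEF header, and the priority-to-severity mapping are all this example's own assumptions, not values from the thread.

```python
"""Parse Snort/barnyard2 alert_syslog lines and re-emit them as CEF.

Added example; not code from the mailing-list post, Snort, barnyard2 or
ArcSight. Everything below the quoted line shape is assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample lines in the shape of the barnyard2 line quoted in the
# post. Hostname, "snort[pid]:" tag, addresses and ports are assumed.
SAMPLE_LINES = [
    "Sep 25 16:59:09 sensor01 snort[4121]: [1:2003195:5] ET POLICY Unusual number "
    "of DNS No Such Name Responses [Classification: Potentially Bad Traffic] "
    "[Priority: 2]: {UDP} 10.10.1.53:53 -> 10.10.1.20:53417",
    "Sep 25 17:02:44 [1:2100366:8] GPL ICMP_INFO PING *NIX "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.10.1.20 -> 10.10.1.1",
    # Unrelated syslog traffic on the same channel; must be ignored.
    "Sep 25 17:03:01 sensor01 sshd[900]: Accepted publickey for ops from 10.10.1.9",
]

ALERT_RE = re.compile(
    r"""^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+
        (?:(?P<host>[^\s\[]+)\s+)?                      # hostname added by syslogd (optional)
        (?:(?P<tag>[A-Za-z0-9_.-]+(?:\[\d+\])?):\s+)?   # "snort[pid]:" tag (optional)
        \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
        (?P<msg>.+?)\s+
        (?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?   # absent on rules without classtype
        \[Priority:\s*(?P<pri>\d+)\]:\s+
        \{(?P<proto>[A-Z]+)\}\s+
        (?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+    # IPv4 only; ports absent for ICMP
        (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class SnortAlert:
    timestamp: str
    host: Optional[str]
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a Snort-shaped syslog line, None for anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None

    def port(value: Optional[str]) -> Optional[int]:
        return int(value) if value is not None else None

    return SnortAlert(
        timestamp=m["ts"], host=m["host"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"], src=m["src"], sport=port(m["sport"]),
        dst=m["dst"], dport=port(m["dport"]),
    )


def _cef_header(value: str) -> str:
    """CEF header fields escape backslash and the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    """CEF extension values escape backslash and the equals sign."""
    return value.replace("\\", "\\\\").replace("=", "\\=")


# Snort priority 1 is the most severe; CEF severity runs 0 (low) to 10 (high).
# This mapping is the example's own choice, not one defined by ArcSight.
SEVERITY = {1: 9, 2: 6, 3: 3, 4: 1}
SNORT_VERSION = "2.9"  # assumed; put the sensor's real version here


def to_cef(a: SnortAlert) -> str:
    """Encode one alert as a CEF:0 line (header fields, then key=value extension)."""
    ext = {
        "externalId": f"{a.gid}:{a.sid}:{a.rev}",
        "src": a.src,
        "dst": a.dst,
        "proto": a.proto,
    }
    if a.sport is not None:
        ext["spt"] = str(a.sport)
    if a.dport is not None:
        ext["dpt"] = str(a.dport)
    if a.classification:
        ext["cat"] = a.classification
    if a.host:
        ext["dvchost"] = a.host
    header = "|".join(_cef_header(f) for f in (
        "Snort", "Snort", SNORT_VERSION, str(a.sid), a.msg, str(SEVERITY.get(a.priority, 5)),
    ))
    extension = " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def convert_lines(lines: List[str]) -> List[str]:
    """Convert every Snort-shaped line to CEF, silently skipping other syslog traffic."""
    return [to_cef(a) for a in map(parse_alert, lines) if a is not None]


if __name__ == "__main__":
    for cef_line in convert_lines(SAMPLE_LINES):
        print(cef_line)
```

The regex deliberately tolerates both the bare form quoted in the post (timestamp straight into "[gid:sid:rev]") and the form a syslog daemon usually produces (hostname and "snort[pid]:" tag in between), because which one arrives depends on how the relay is configured. It handles only IPv4 addresses; IPv6 would need the address/port split done differently, since the address itself contains colons.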
