[Snort-users] Send snort alerts via syslog to ArcSight

Pablo Atiaga pablo.atiaga at ...15848...
Mon Oct 1 16:30:37 EDT 2012


Thanks for your answer.

Barnyard is sending all the parameters; the problem is that ArcSight 
doesn't recognize them as Snort events. I mean the problem is the following:

  * Via Snort I can't send any event via syslog. I do the following steps:
      o Locate and open the main Snort configuration file to edit:
        <Snort_home>/etc/snort.conf
      o Locate the # syslog section.
      o In the following line, replace <hostipaddress> with your own
        host IP address:
        output alert_syslog: host=<hostipaddress>:514, LOG_AUTH LOG_ALERT
        where <hostipaddress> is the IP address of your syslog host.
      o Start Snort with the -s option; for example:
        C:\Snort>bin\snort -c etc\snort.conf -s

  * On the other hand, I try to send events using barnyard successfully, but
    the format of the events is not recognized by ArcSight. The format
    sent from barnyard is as follows:
      o Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual
        number of DNS No Such Name Responses [Classification:
        Potentially Bad Traffic] [Priority: 2]: {UDP} 130.2.18.110:53 ->
        130.10.0.64:48640

Thanks.

Regards


On 27/09/2012 15:54, beenph wrote:
> On Thu, Sep 27, 2012 at 4:36 PM, Pablo Atiaga
> <pablo.atiaga at ...15848...>  wrote:
>> Hi everyone.
>>
>> I need to send Snort alerts to ArcSight via syslog. I found a
>> configuration just changing one line in the snort.conf, but it doesn't
>> work. I already tried sending events with other applications and with
>> barnyard and it works, but I need to send from Snort directly because that's
>> the only way to send all the parameters correctly. I'm using snort 2.9.3.1.
> All parameters?
> I am interested to see which parameters are missing in barnyard2
> v2-1.10 syslog_full output module?
>
> -elz
>


-- 
Pablo Alberto Atiaga Galeas
IT Security Specialist
EGOVERMENT SOLUTIONS S.A.
+593-93343553
+593-92709534
skype: pablo_ati_g
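The barnyard alert line quoted above carries the fields a SIEM normaliser has to pull apart before the event can be mapped: generator/signature/revision, rule message, classification, priority, protocol and the two endpoints. The following parser is an added example written for this page; it is not code from Snort, barnyard2 or ArcSight, and it only implements the line shape shown in the post. The sample lines are constructed (the second is a hypothetical ICMP alert, which has no ports, and the third is non-Snort noise that must be rejected). IPv6 endpoints are not shown on the page and are not handled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real captures). The first reproduces the shape
# of the barnyard syslog line quoted in the post; the second is a hypothetical
# ICMP alert with no port numbers; the third is unrelated syslog noise.
SAMPLE_LINES = [
    "Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of "
    "DNS No Such Name Responses [Classification: Potentially Bad Traffic] "
    "[Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640",
    "Sep 25 17:01:12 130.2.17.46 [1:384:5] ICMP PING [Classification: Misc "
    "activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.9",
    "Sep 25 17:02:00 130.2.17.46 sshd[1234]: Accepted publickey for root",
]

# Syslog timestamp and sender, then the Snort alert body:
#   [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst
# Classification and Priority are optional because a rule without a classtype
# produces neither bracket; msg is matched lazily so it stops before them.
ALERT_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sensor>\S+) "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?)"
    r"(?: \[Classification: (?P<classification>[^\]]+)\])?"
    r"(?: \[Priority: (?P<priority>\d+)\])?"
    r": \{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' into (ip, port); protocols without ports give (ip, None).

    Assumes IPv4 text as in the post; an IPv6 literal would be split wrongly.
    """
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line into a field dict, or None if it is not a Snort alert."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    priority = m.group("priority")
    return {
        "timestamp": m.group("timestamp"),
        "sensor": m.group("sensor"),
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("classification"),  # None if absent
        "priority": int(priority) if priority is not None else None,
        "proto": m.group("proto"),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_ip": dst_ip,
        "dst_port": dst_port,
    }


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of syslog lines, silently dropping non-alert lines."""
    parsed = (parse_alert(line) for line in lines)
    return [alert for alert in parsed if alert is not None]


if __name__ == "__main__":
    for alert in parse_lines(SAMPLE_LINES):
        print(alert)
```

Run it with the constructed lines and the DNS alert comes back with sid 2003195, priority 2, UDP, and both ports filled in; the ICMP line parses with `src_port`/`dst_port` of None; the sshd line is rejected. If a real feed produces lines this regex rejects, the usual cause is the sender prepending a hostname or programme tag that differs from the bare sensor address shown in the post, and the `sensor` group is where to loosen the pattern.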
