[Snort-users] Send snort alerts via syslog to ArcSight

Joel Esler jesler at ...1935...
Mon Oct 1 17:05:55 EDT 2012


I believe (and that means I'm probably totally wrong about this), but I believe barnyard's syslog format differs slightly from the built-in Snort format.  

Someone correct me if I'm wrong on that?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 1, 2012, at 4:30 PM, Pablo Atiaga <pablo.atiaga at ...15848...> wrote:

> Thanks for your answer.
> 
> Barnyard is sending all the parameters; the problem is that ArcSight doesn't recognize it as Snort Events. I mean the problem is the following:
> 
> Via Snort I can't send any event via syslog. I do the following steps:
> Locate and open the main Snort configuration file to edit:
> <Snort_home>/etc/snort.conf
> Locate the # syslog section.
> In the following line, replace <hostipaddress> with your own host IP address:
> output alert_syslog: host=<hostipaddress>:514, LOG_AUTH LOG_ALERT
> where <hostipaddress> is the IP address of your syslog host.
> Start Snort with the -s option; for example:
> C:\Snort>bin\snort -c etc\snort.conf -s
> On the other hand, I tried to send events using barnyard successfully, but the format of the events is not recognized by ArcSight. The format sent from barnyard is as follows:
> Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of DNS No Such Name Responses [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640 
> Thanks.
> Regards
> 
> On 27/09/2012 15:54, beenph wrote:
>> On Thu, Sep 27, 2012 at 4:36 PM, Pablo Atiaga
>> <pablo.atiaga at ...15848...> wrote:
>>> Hi everyone.
>>> 
>>> I need to send snort alerts to ArcSight via syslog. I found a
>>> configuration that just changes one line in snort.conf, but it doesn't
>>> work. I already tried sending events with another application and with
>>> barnyard and it works, but I need to send from snort directly because that's
>>> the only way to send all the parameters correctly. I'm using snort 2.9.3.1.
>> All parameters?
>> I am interested to see which parameters are missing in barnyard2
>> v2-1.10 syslog_full output module?
>> 
>> -elz
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
> 
> 
> -- 
> Pablo Alberto Atiaga Galeas
> IT Security Specialist
> EGOVERMENT SOLUTIONS S.A.
> +593-93343553
> +593-92709534
> skype: pablo_ati_g

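The barnyard2 line quoted above is the single-line `[gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src:port -> dst:port` alert format. As an added example (not code from this thread, from Snort or from barnyard2), here is a Python parser for that format and a converter to ArcSight's CEF syslog format, which is one way to get such alerts ingested when a SIEM's native Snort parser does not recognize them. Assumptions, none of which the thread states: an optional `snort[pid]: ` tag that a local syslog daemon would prepend, a port-less form for ICMP alerts, IPv4 addresses only, and a Snort-priority-to-CEF-severity mapping chosen for the example. The first sample line is the one from the thread; the others are constructed.

```python
"""Parse single-line Snort/barnyard2 syslog alerts and emit CEF (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Format quoted in the thread:
#   Sep 25 16:59:09 130.2.17.46 [1:2003195:5] <msg> [Classification: <c>] [Priority: 2]: {UDP} a.b.c.d:53 -> e.f.g.h:48640
# Assumptions for this example: an optional "snort[pid]: " syslog tag,
# an optional [Classification: ...], port-less ICMP endpoints, IPv4 only.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^\s\[]+(?:\[\d+\])?): )?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[A-Za-z]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    timestamp: str
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a line in the format above, or None if it does not match."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], sensor=g["host"],
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"],
        priority=int(g["priority"]), proto=g["proto"].upper(),
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def _cef_header(field: str) -> str:
    # CEF header fields must escape backslash and the pipe separator.
    return field.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    # CEF extension values must escape backslash, '=' and line breaks.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


# Snort priority 1 is the most severe; CEF severity runs 0 (low) to 10 (high).
# This mapping is an assumption made for the example, not an ArcSight default.
PRIORITY_TO_CEF_SEVERITY = {1: 9, 2: 6, 3: 3, 4: 1}


def to_cef(a: Alert) -> str:
    """Render an Alert as a CEF:0 line (Snort version is the one named in the thread)."""
    header = "|".join([
        "CEF:0", _cef_header("Snort"), _cef_header("Snort"), _cef_header("2.9.3.1"),
        _cef_header(f"{a.gid}:{a.sid}:{a.rev}"), _cef_header(a.msg),
        str(PRIORITY_TO_CEF_SEVERITY.get(a.priority, 0)),
    ])
    ext = [f"dvchost={_cef_ext(a.sensor)}", f"proto={a.proto}",
           f"src={a.src}", f"dst={a.dst}"]
    if a.sport is not None:
        ext.append(f"spt={a.sport}")
    if a.dport is not None:
        ext.append(f"dpt={a.dport}")
    if a.classification:
        ext.append("cat=" + _cef_ext(a.classification))
    ext.append(f"cn1={a.priority} cn1Label=SnortPriority")
    return header + "|" + " ".join(ext)


def convert(lines: Iterable[str]) -> List[str]:
    """Convert syslog lines to CEF, skipping lines that are not Snort alerts."""
    return [to_cef(a) for a in map(parse_alert, lines) if a is not None]


# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LINES = [
    "Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of DNS No Such Name Responses "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640",
    "Oct  1 17:05:55 sensor01 snort[4242]: [1:1000001:1] LOCAL ICMP test "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.9",
    "Oct  1 17:06:00 sensor01 [1:1000002:1] LOCAL TCP test [Priority: 1]: {TCP} 192.0.2.10:51234 -> 198.51.100.7:443",
    "Oct  1 17:06:01 sensor01 sshd[100]: Accepted publickey for admin from 192.0.2.20",
]

if __name__ == "__main__":
    for cef in convert(SAMPLE_LINES):
        print(cef)
```

Run it against a file of barnyard2 syslog output (or pipe it through as a syslog filter) and feed the CEF lines to a CEF-aware receiver; the regex is intentionally strict, so any line it drops is worth inspecting rather than silently losing.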