Snort mailing list archives
Re: How to best do DB *and* syslog logging?
From: Dustin Webber <dustin.webber () gmail com>
Date: Wed, 30 Nov 2011 15:22:43 -0500
All,

Snorby is great for unified2 data which means it supports Sagan (http://sagan.softwink.com/). In short Sagan allows you to write host-based rules. Here is a screenshot of Snorby using Sagan http://cl.ly/0m3G381F232A2t2y0t0L (taken from demo.snorby.org)

Snorby does support unified2 extra data so you can get URLs from that; however, it would also be trivial to write a snorby-agent for this. Example.

    class Httpry < Snorby::Agent::FilePlugin # or whatever you wanted to insert data for/from

      # This will handle everything for you.. tracking the IO read position, sending to snorby-collect
      # validating the data - running custom categorization logic.. a lot of stuff.
      watch_file 'path/to/httpry/log'

      def process(data)
        Event.create(data.to_schema)
      end

    end

Done.. you can write plugins for whatever you want.. it's fully evented, binary protocol, SSL encrypted with cert-based auth. (oh, and snorby-agent will support auto-discovery)

Snorby collect and Snorby agent will be done soon and I plan to release it with up to 12 plugins..

P.S. ELSA looks great Martin - I'm going to try that out this weekend.

- Dustin

On Nov 30, 2011, at 2:32 PM, Martin Holste wrote:
> It's tough to beat Snorby for just Snort data, but if you'd also like your console to contain URL data and router/server logs, and since you're already doing syslog, you may want to check out my ELSA project: http://code.google.com/p/enterprise-log-search-and-archive/ .
>
> On Wed, Nov 30, 2011 at 1:03 PM, beenph <beenph () gmail com> wrote:
>
>> On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:
>>
>>> Right now, I'm logging my snort alerts back to a syslog server but I'd like to start playing with Snorby. Please correct me if I'm wrong, but I think the ideal way to do this would be to log via unified2 and use barnyard to send the alert data to snorby's DB, but I can't lose my syslog functionality. I really wish barnyard was able to do this on non-Windows boxes! But what would be the best way to achieve this short of running two separate snort instances?
>>
>> If you need local syslog and to forward it, barnyard2 currently supports this on Windows and non-Windows systems.
>>
>> If you need remote syslog logging, you can access the feature in its current branch via https://github.com/binf/barnyard2/tree/RemoteSyslogFix
>>
>> Also, if you look in the provided barnyard2.conf you can see an output plugin conf example. Note that it uses a slightly different logging message format from the default snort format, but you have the possibility to configure field delimiters and separators from the config file.
>>
>> Configuration example for remote syslog
>>
>>     # alert_syslog
>>     # ----------------------------------------------------------------------------
>>     #
>>     # Purpose:
>>     # This output module provides the ability to output alert information to local syslog
>>     #
>>     # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
>>     # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
>>     #
>>     # Examples:
>>     # output alert_syslog
>>     # output alert_syslog: LOG_AUTH LOG_INFO
>>     #
>>     # syslog_full
>>     #-------------------------------
>>     # Available as both a log and alert output plugin. Used to output data via TCP/UDP
>>     # Arguments:
>>     #      sensor_name $sensor_name   - unique sensor name
>>     #      server $server             - server the device will report to
>>     #      protocol $protocol         - protocol device will report over (tcp/udp)
>>     #      port $port                 - destination port device will report to (default: 514)
>>     #      detail $detail_threshold   - specify full/complete log reporting or only summaries.
>>     #      delimiters                 - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
>>     #      separators                 - define field separator included in each message ex: " " , will use space as field separator. (default: [:space:])
>>     #
>>     # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>>     # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>>     # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>>     # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>>
>> If you have barnyard2-related questions, you're also welcome to send them over the by2 ML's.
>>
>> -elz

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
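An added example, not taken from the thread and not the barnyard2.conf that ships with barnyard2: one barnyard2.conf that answers Miguel's actual question by driving both a syslog output and Snorby's database from the same unified2 spool, so no second Snort instance is needed. barnyard2 accepts any number of `output` lines for one `input`; that is the whole trick. The hostname, interface, paths, LOG_LOCAL0 facility, and the database name and credentials are placeholders I chose for the example.

```conf
# /etc/snort/barnyard2.conf  (added example; placeholders, not a shipped config)

config hostname:            sensor1          # becomes the sensor name in Snorby
config interface:           eth0
config logdir:              /var/log/barnyard2
config waldo_file:          /var/log/snort/barnyard2.waldo   # read-position bookmark in the spool

# maps needed to turn gid/sid into names and classifications
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# one input: Snort's unified2 spool
input unified2

# output 1: local syslog, which your existing rsyslog/syslog-ng forwarder
# keeps shipping to the central syslog server exactly as before
output alert_syslog: LOG_LOCAL0 LOG_ALERT

# output 2: Snorby's database (MySQL shown); both outputs receive every event
output database: log, mysql, user=snorby password=CHANGEME dbname=snorby host=127.0.0.1
```

Start it against the spool with the usual flags, e.g. `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`. Two practitioner caveats: the file now carries a database password, so keep it root-owned and mode 0600; and if you later use the remote `syslog_full` plugin shown above, pick `protocol tcp` rather than `udp` wherever you can, since UDP syslog is silently dropped under load and its source address is trivially spoofed, which matters for a feed you may treat as evidence.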
Current thread:
- How to best do DB *and* syslog logging? Miguel Alvarez (Nov 30)
- Re: How to best do DB *and* syslog logging? Joel Esler (Nov 30)
- Re: How to best do DB *and* syslog logging? Eoin Miller (Nov 30)
- Re: How to best do DB *and* syslog logging? beenph (Nov 30)
- Re: How to best do DB *and* syslog logging? Martin Holste (Nov 30)
- Re: How to best do DB *and* syslog logging? Dustin Webber (Nov 30)
- Re: How to best do DB *and* syslog logging? Miguel Alvarez (Nov 30)
- Re: How to best do DB *and* syslog logging? beenph (Dec 01)
- Re: How to best do DB *and* syslog logging? Martin Holste (Nov 30)