Snort mailing list archives

Re: Send snort alerts via syslog to ArcSight


From: beenph <beenph () gmail com>
Date: Mon, 1 Oct 2012 17:22:19 -0400

On Mon, Oct 1, 2012 at 5:05 PM, Joel Esler <jesler () sourcefire com> wrote:
> I believe (and that means I'm probably totally wrong about this), but I
> believe barnyard's syslog format differs slightly from the built in Snort
> format.
>
> Someone correct me if I'm wrong on that?

@joel
2-1.10 uses the same format if someone uses the syslog_full output plugin.


@Pablo
download barnyard2 2-1.10

and configure the following output plugin:

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP or LOCAL, i.e. syslog()
# Arguments:
# sensor_name $sensor_name - unique sensor name
# server $server - server the device will report to
# local - if defined, ignore all remote information and use syslog() to send message.
# protocol $protocol - protocol device will report over (tcp/udp)
# port $port - destination port device will report to (default: 514)
# delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
# separators $separators - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
# operation_mode $operation_mode - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
# log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
# log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT, log_facility LOG_CRON

Just make sure that operation_mode is set to default, and it should be
like the Snort syslog output.

-elz
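The point of operation_mode default is that the receiving connector (ArcSight here, or any SIEM) can keep its existing Snort syslog parser. The following is an added example, not code from barnyard2 or Snort: it builds the RFC 3164 datagram a syslog_full sender would put on UDP/514 (PRI derived from the log_facility/log_priority pair, defaults LOG_USER/LOG_INFO), then parses it the way a receiver would, using Snort's own alert_syslog line layout. The syslog tag "snort", the sensor host name, the PID and every alert line are constructed for the example; the parser is IPv4-only so the port split stays unambiguous, and it rejects lines that are not Snort-shaped rather than half-parsing them.

```python
"""Added example (not barnyard2 or Snort code): build and parse the
Snort-style syslog alert that syslog_full in operation_mode default emits."""
import re
import socket
from typing import Dict, Optional

# Values from <syslog.h>; RFC 3164: PRI = facility * 8 + severity.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
              "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
              **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def syslog_pri(facility: str = "LOG_USER", priority: str = "LOG_INFO") -> int:
    """PRI for the plugin's log_facility/log_priority pair (defaults shown)."""
    return FACILITIES[facility] * 8 + SEVERITIES[priority]


def decode_pri(pri: int) -> Dict[str, str]:
    """Inverse of syslog_pri: facility and severity names from a PRI value."""
    fac, sev = divmod(pri, 8)
    return {"facility": {v: k for k, v in FACILITIES.items()}.get(fac, f"facility{fac}"),
            "severity": {v: k for k, v in SEVERITIES.items()}[sev]}


# Snort's alert_syslog layout, which operation_mode default reproduces:
#   [gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# Classification/Priority are absent when the rule has no classtype; ports are
# absent for protocols without them (ICMP). IPv4 only (assumption of this example).
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?)"
    r"(?: \[Classification: (?P<classification>[^\]]+)\])?"
    r"(?: \[Priority: (?P<priority>\d+)\])?"
    rf" \{{(?P<proto>[A-Za-z0-9]+)\}} (?P<src>{IPV4})(?::(?P<sport>\d+))?"
    rf" -> (?P<dst>{IPV4})(?::(?P<dport>\d+))?$"
)

# RFC 3164 header: <PRI>TIMESTAMP HOST TAG[PID]: text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<text>.*)$"
)

# Constructed sample alerts (sids in the local 1000000+ range, RFC 5737 addresses).
SAMPLE_ALERTS = [
    "[1:1000003:1] ICMP echo probe [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "[1:1000001:2] Test web probe [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80",
    "[1:1000002:1] rule without classtype {UDP} 192.0.2.10:5353 -> 198.51.100.7:53",
]


def build_datagram(alert_text: str, host: str = "snortIds1-eth2",
                   timestamp: str = "Oct  1 17:22:19", pid: int = 4242,
                   facility: str = "LOG_USER", priority: str = "LOG_INFO") -> bytes:
    """The datagram as a UDP/514 sender would frame it (tag 'snort' is an assumption)."""
    return f"<{syslog_pri(facility, priority)}>{timestamp} {host} snort[{pid}]: {alert_text}".encode()


def send_udp(datagram: bytes, server: str, port: int = 514) -> int:
    """Ship one datagram the way 'protocol udp, port 514' would. Not called below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (server, port))


def parse_datagram(data: bytes) -> Optional[Dict[str, object]]:
    """Receiver side: header fields plus the parsed alert, or None when either
    layer does not match (e.g. a 'complete' mode record is not Snort-shaped)."""
    m = SYSLOG_RE.match(data.decode(errors="replace"))
    if not m:
        return None
    a = ALERT_RE.match(m["text"])
    if not a:
        return None
    out: Dict[str, object] = {**m.groupdict(), **a.groupdict()}
    out.update(decode_pri(int(out.pop("pri"))))  # PRI -> facility/severity names
    for k in ("gid", "sid", "rev", "priority", "sport", "dport", "pid"):
        if out.get(k) is not None:
            out[k] = int(out[k])
    return out


if __name__ == "__main__":
    for text in SAMPLE_ALERTS:
        print(parse_datagram(build_datagram(text)))
    print(parse_datagram(build_datagram("not a snort alert")))  # None: rejected
```

The check to run against a live sender is the same: capture one datagram on the collector with tcpdump, feed its bytes to parse_datagram, and confirm the gid/sid/rev and endpoints come back; if it returns None, the sensor is in operation_mode complete (or a delimiter/separator override is in play) and the connector's Snort parser will not fit.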

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
