Snort mailing list archives
Re: Send snort alerts via syslog to ArcSight
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 1 Oct 2012 17:05:55 -0400
I believe (and that means I'm probably totally wrong about this), but I believe barnyard's syslog format differs slightly from the built-in Snort format. Someone correct me if I'm wrong on that?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 1, 2012, at 4:30 PM, Pablo Atiaga <pablo.atiaga () e-govsolutions net> wrote:
Thanks for your answer. Barnyard is sending all the parameters; the problem is that ArcSight doesn't recognize them as Snort events. I mean the problem is the following: via Snort I can't send any event via syslog. I do the following steps:

Locate and open the main Snort configuration file to edit: <Snort_home>/etc/snort.conf

Locate the # syslog section. In the following line, replace <hostipaddress> with your own host IP address:

output alert_syslog: host=<hostipaddress>:514, LOG_AUTH LOG_ALERT

where <hostipaddress> is the IP address of your syslog host.

Start Snort with the -s option; for example:

C:\Snort>bin\snort -c etc\snort.conf -s

On the other hand, I tried sending events using barnyard successfully, but the format of the events is not recognized by ArcSight. The format sent from barnyard is as follows:

Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of DNS No Such Name Responses [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640

Thanks. Regards

On 27/09/2012 15:54, beenph wrote:

On Thu, Sep 27, 2012 at 4:36 PM, Pablo Atiaga <pablo.atiaga () e-govsolutions net> wrote:

Hi everyone. I need to send Snort alerts to ArcSight via syslog. I found a configuration just changing one line in the snort.conf, but it doesn't work. I already tried sending events with another application and with barnyard and it works, but I need to send from Snort directly because that's the only way to send all the parameters correctly. I'm using snort 2.9.3.1.

All parameters? I am interested to see which parameters are missing in barnyard2 v2-1.10 syslog_full output module?

-elz

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Pablo Alberto Atiaga Galeas
IT Security Specialist
EGOVERMENT SOLUTIONS S.A.
+593-93343553
+593-92709534
skype: pablo_ati_g
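Added example, not code from the thread, from Snort or from barnyard2: a parser for the barnyard2 syslog alert line quoted above, followed by a re-emit of each alert in ArcSight's CEF line format. The field layout is taken from the single sample line in the thread and handles IPv4 only; the second sample line, the CEF header values (vendor and product "Snort", device version 2.9.3.1 from the thread), the Snort-priority-to-CEF-severity table and the choice of extension keys are assumptions made here, and whether CEF is what the ArcSight connector in the thread needs is not something the thread settles.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample alerts. The first is the barnyard2 syslog line quoted in the thread;
# the second is constructed here to exercise a protocol that carries no ports.
SAMPLE_LINES = [
    "Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of DNS "
    "No Such Name Responses [Classification: Potentially Bad Traffic] "
    "[Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640",
    "Sep 25 17:01:12 130.2.17.46 [1:1000001:1] LOCAL test ICMP echo "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.9",
]

# Layout of the line above: timestamp, sensor, [gid:sid:rev], message,
# optional [Classification: ...], [Priority: N]:, {PROTO}, src[:port] -> dst[:port].
# IPv4 only: an IPv6 address contains colons and will not match this pattern.
ALERT_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sensor>\S+) "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?)"
    r"(?: \[Classification: (?P<classification>[^\]]*)\])?"
    r" \[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[^}]+)\} "
    r"(?P<src>[0-9.]+)(?::(?P<spt>\d+))? -> "
    r"(?P<dst>[0-9.]+)(?::(?P<dpt>\d+))?$"
)


@dataclass
class SnortAlert:
    timestamp: str
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    spt: Optional[int]
    dst: str
    dpt: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one barnyard2-style syslog alert line; None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return SnortAlert(
        timestamp=d["timestamp"], sensor=d["sensor"],
        gid=int(d["gid"]), sid=int(d["sid"]), rev=int(d["rev"]),
        msg=d["msg"], classification=d["classification"],
        priority=int(d["priority"]), proto=d["proto"],
        src=d["src"], spt=int(d["spt"]) if d["spt"] else None,
        dst=d["dst"], dpt=int(d["dpt"]) if d["dpt"] else None,
    )


# Assumed mapping: Snort priority 1 is most urgent, CEF severity 10 is most severe.
SEVERITY = {1: 9, 2: 6, 3: 3, 4: 1}


def cef_escape(value: str, header: bool) -> str:
    """CEF escaping: backslash and '|' in header fields, backslash and '=' in extensions."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(a: SnortAlert) -> str:
    """Render an alert as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext."""
    header = "|".join([
        "CEF:0", "Snort", "Snort", "2.9.3.1",  # version is the one named in the thread
        f"{a.gid}:{a.sid}:{a.rev}",
        cef_escape(a.msg, header=True),
        str(SEVERITY.get(a.priority, 1)),
    ])
    ext = [f"proto={cef_escape(a.proto, header=False)}", f"src={a.src}"]
    if a.spt is not None:
        ext.append(f"spt={a.spt}")
    ext.append(f"dst={a.dst}")
    if a.dpt is not None:
        ext.append(f"dpt={a.dpt}")
    if a.classification:
        ext.append(f"cat={cef_escape(a.classification, header=False)}")
    return header + "|" + " ".join(ext)


def convert_lines(lines: List[str]) -> List[str]:
    """Convert every parseable line to CEF; lines that do not parse are dropped."""
    return [to_cef(a) for a in map(parse_alert, lines) if a is not None]


if __name__ == "__main__":
    for cef in convert_lines(SAMPLE_LINES):
        print(cef)
```

Lines that fail to parse are dropped silently by convert_lines; in a real relay you would count or log them, since a format change on the barnyard2 side would otherwise vanish without trace.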
Current thread:
- Re: Send snort alerts via syslog to ArcSight Pablo Atiaga (Oct 01)
- Re: Send snort alerts via syslog to ArcSight Joel Esler (Oct 01)
- Re: Send snort alerts via syslog to ArcSight beenph (Oct 01)
- Re: Send snort alerts via syslog to ArcSight Joel Esler (Oct 01)