Snort mailing list archives
Re: Snort->OSSIM Sensor only, unified2?
From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Wed, 11 Jan 2012 14:59:38 -0500
Hi,

I got it running on a RHEL 5 environment, but I'd say it should work w/o problems as OSSIM is running natively on Debian. I had some issues on mine w/ Python versions etc. and I had to go a little into the code for minor changes.

Now, in /etc/ossim/agent/config.cfg make sure you have the proper plugin enabled. I have something like this:

snortunified=/etc/ossim/agent/plugins/snortunified.cfg

Obviously you need to have snortunified.cfg under the plugins dir. Take a look below @ my config, I hope it helps. Let me know if you need additional info and/or you have any questions.

Thanks and good luck !

T

Cut here >----------------------
;; snort
;; type: detector
;; plugin_id: 1001
;;
;; $Id: snortunified.cfg,v 1.9 2010/02/20 09:13:10 dkarg Exp $

[DEFAULT]
plugin_id=1001

[config]
interface=eth1
type=detector
enable=yes
source=snortlog

#process=snortd
#start=no      ; launch plugin process when agent starts
#stop=no       ; shutdown plugin process when agent stops
#startup=/etc/init.d/%(process)s start
; shutdown=killall -9 %(process)s
#shutdown=/etc/init.d/%(process)s stop
process=
start=         ; launch plugin process when agent starts
stop=          ; shutdown plugin process when agent stops
startup=
shutdown=

directory=/var/log/snort/

;log file prefix. This is the same as the filename parameter in snort.cfg
prefix=snort.log

;NOTE: You must choose between cookedlinux or ethernet depending on your snort configuration.
; - cookedlinux is used when you use snort with "-i any" on linux.
; - ethernet is used when snort starts with just one interface defined (eth0, eth1...), and not "any"
linklayer=ethernet
;linklayer=cookedlinux

; NOTE: You must specify the version number of the unified format being used
; 1 = unified version 1
; 2 = unified version 2
unified_version=2

;NOTE: directory+prefix (snort unified plugin) = location (all the other plugins)
Cut here >----------------------------------------------------------

From: "Dewhirst, Rob" <robdewhirst () gmail com>
To: snort-users () lists sourceforge net,
Date: 01/11/2012 02:44 PM
Subject: Re: [Snort-users] Snort->OSSIM Sensor only, unified2?

Oh I suppose that would be helpful. :)

OSSIM 3.1.
Ubuntu 10.0.4 LTS amd64 for the sensor.

On Wed, Jan 11, 2012 at 11:10 AM, Tudor Panaitescu <TPanaitescu () colorcon com> wrote:

Hi Rob

Can you please provide some details, like OS, version, ossim version etc. ?

Thanks,
Tudor

From: "Dewhirst, Rob" <robdewhirst () gmail com>
To: snort-users () lists sourceforge net,
Date: 01/11/2012 12:02 PM
Subject: [Snort-users] Snort->OSSIM Sensor only, unified2?

Can anyone share any documentation they have for getting a snort sensor (only a sensor) pushing unified2 logs to a remote OSSIM console? I found some fragments of instructions on the alienware forums and I got the ossim-agent up and running on the sensor and connecting back to the OSSIM server, but it's not sending any events. (And I know events are occurring because I send them to another snorby server.)

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

----------------------
Colorcon - Your Formulation Partner
Visit us at http://www.colorcon.com
Colorcon is committed to energy conservation and to the reduction of waste. Please consider the environment before you print this e-mail.
"This e-mail may contain information that is confidential or privileged. If you are not the intended recipient, do not use, print or distribute this e-mail or any attachments. Please notify the sender and delete the e-mail and any attachments. Thank you."
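Added here as a diagnostic for the "agent connects but sends no events" symptom in this thread, not code from the thread or from OSSIM: it checks the plugin registration line and the snortunified.cfg keys shown above (enable, linklayer, unified_version, directory+prefix) against the filesystem. That config.cfg keeps its plugin lines under a [plugins] section is an assumption.

```python
"""Sanity-check the snortunified wiring from the thread: plugin registered in
config.cfg, plugin .cfg values consistent, unified2 files under directory+prefix.
Added example, not OSSIM's own code; the [plugins] section layout is assumed."""
import configparser
import os
import tempfile

VALID_LINKLAYERS = {"ethernet", "cookedlinux"}
VALID_UNIFIED_VERSIONS = {"1", "2"}
# Constructed sample mirroring the thread's config; {DIR} is filled in by demo().
SAMPLE = ("[DEFAULT]\nplugin_id=1001\n[config]\nenable=yes\ndirectory={DIR}\n"
          "prefix=snort.log\nlinklayer=ethernet ; not cookedlinux\nunified_version=2\n")

def parse_ini(text):
    """OSSIM-style INI: ';' and '#' start comments, inline ones included."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";", "#"), interpolation=None)
    cp.read_string(text)
    return cp

def plugin_path(agent_cfg_text, name="snortunified"):
    """Plugin .cfg path registered under [plugins] in config.cfg, or None if absent."""
    cp = parse_ini(agent_cfg_text)
    return cp["plugins"].get(name) if cp.has_section("plugins") else None

def check_plugin_cfg(plugin_cfg_text):
    """Return a list of problems with a snortunified.cfg; empty means it looks sane."""
    cfg = dict(parse_ini(plugin_cfg_text)["config"])
    problems = []
    if cfg.get("enable", "").lower() != "yes":
        problems.append("plugin disabled: set enable=yes")
    if cfg.get("linklayer") not in VALID_LINKLAYERS:
        problems.append("linklayer must be ethernet or cookedlinux")
    if cfg.get("unified_version") not in VALID_UNIFIED_VERSIONS:
        problems.append("unified_version must be 1 or 2")
    directory, prefix = cfg.get("directory", ""), cfg.get("prefix", "")
    if not os.path.isdir(directory):
        problems.append("directory %r does not exist" % directory)
    elif not any(f.startswith(prefix) for f in os.listdir(directory)):
        # directory+prefix must match snort's unified2 filename or the agent tails nothing
        problems.append("no %r* files in %r" % (prefix, directory))
    return problems

def demo():
    """Run the checks against a temp dir holding one constructed unified2-style file name."""
    d = tempfile.mkdtemp()
    open(os.path.join(d, "snort.log.1326311978"), "w").close()
    good = SAMPLE.format(DIR=d)
    bad = good.replace("prefix=snort.log", "prefix=merged.log").replace("enable=yes", "enable=no")
    return check_plugin_cfg(good), check_plugin_cfg(bad)
```

Run check_plugin_cfg on the real /etc/ossim/agent/plugins/snortunified.cfg on the sensor; an empty list narrows the problem to the agent-to-server side rather than the log pickup.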
Current thread:
- Snort->OSSIM Sensor only, unified2? Dewhirst, Rob (Jan 11)
- Re: Snort->OSSIM Sensor only, unified2? Tudor Panaitescu (Jan 11)
- Re: Snort->OSSIM Sensor only, unified2? Dewhirst, Rob (Jan 11)
- Re: Snort->OSSIM Sensor only, unified2? Tudor Panaitescu (Jan 11)
- Re: Snort->OSSIM Sensor only, unified2? Dewhirst, Rob (Jan 11)
- Re: Snort->OSSIM Sensor only, unified2? Tudor Panaitescu (Jan 11)