Snort mailing list archives

Re: Send snort alerts via syslog to ArcSight


From: Pablo Atiaga <pablo.atiaga () e-govsolutions net>
Date: Mon, 01 Oct 2012 15:30:37 -0500

Thanks for your answer.

Barnyard is sending all the parameters; the problem is that ArcSight doesn't recognize them as Snort events. I mean the problem is the following:

 * Via Snort I can't send any event via syslog. I do the following steps:
     o Locate and open the main Snort configuration file to edit:
       <Snort_home>/etc/snort.conf
     o Locate the # syslog section.
     o In the following line, replace <hostipaddress> with your own
       host IP address:
       output alert_syslog: host=<hostipaddress>:514, LOG_AUTH LOG_ALERT
       where <hostipaddress> is the IP address of your syslog host.
     o Start Snort with the -s option; for example:
       C:\Snort>bin\snort -c etc\snort.conf -s

 * On the other hand, I tried sending events using barnyard successfully, but
   the format of the events is not recognized by ArcSight. The format
   sent from barnyard is as follows:
     o Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual
       number of DNS No Such Name Responses [Classification:
       Potentially Bad Traffic] [Priority: 2]: {UDP} 130.2.18.110:53 ->
       130.10.0.64:48640

Thanks.

Regards


On 27/09/2012 15:54, beenph wrote:
On Thu, Sep 27, 2012 at 4:36 PM, Pablo Atiaga
<pablo.atiaga () e-govsolutions net>  wrote:
Hi everyone.

I need to send Snort alerts to ArcSight via syslog. I found a
configuration that just changes one line in snort.conf, but it doesn't
work. I already tried sending events with another application and with
barnyard and it works, but I need to send from Snort directly because that's
the only way to send all the parameters correctly. I'm using Snort 2.9.3.1.

All parameters?
I am interested to see which parameters are missing in the barnyard2
v2-1.10 syslog_full output module?

-elz

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




--
Pablo Alberto Atiaga Galeas
IT Security Specialist
EGOVERMENT SOLUTIONS S.A.
+593-93343553
+593-92709534
skype: pablo_ati_g
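Added example, not from the thread and not code shipped with Snort or barnyard2: a small Python parser for the one-line syslog alert format that barnyard2 emits, as quoted in the message above. It pulls out the fields a SIEM connector would map (sensor, gid:sid:rev, message, classification, priority, protocol, source and destination with ports) and skips lines that are not alerts. The first sample line is the one from the thread; the other lines are constructed here to exercise the parser (an ICMP alert without ports, an alert from a rule with no classtype, and a non-alert syslog line). IPv4 only; IPv6 endpoints are an assumption left unhandled.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample input. Line 1 is the alert quoted in the thread; the
# rest are made up here to cover the cases the parser has to handle.
SAMPLE_LINES = [
    "Sep 25 16:59:09 130.2.17.46 [1:2003195:5] ET POLICY Unusual number of DNS "
    "No Such Name Responses [Classification: Potentially Bad Traffic] "
    "[Priority: 2]: {UDP} 130.2.18.110:53 -> 130.10.0.64:48640",
    "Sep 25 17:03:40 130.2.17.46 [1:408:5] ICMP Echo Reply "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.7 -> 192.0.2.15",
    "Sep 25 17:05:00 130.2.17.46 [1:1000001:1] LOCAL test rule "
    "[Priority: 0]: {TCP} 10.0.0.5:4444 -> 10.0.0.9:22",
    "Sep 25 17:04:02 130.2.17.46 snort[1234]: Snort initialization completed successfully",
]

# Field layout of a barnyard2 syslog alert line:
#   <ts> <sensor> [gid:sid:rev] <msg> [Classification: ...] [Priority: N]: {PROTO} src[:port] -> dst[:port]
# The Classification bracket is optional: rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sensor>\S+) "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

Alert = Dict[str, Union[str, int, None]]


def _split_endpoint(endpoint: str, proto: str) -> Tuple[str, Optional[int]]:
    # barnyard2 appends ":port" only for TCP and UDP; ICMP and other protocols
    # carry the bare address. Assumption for this example: IPv4 literals only,
    # so the last colon separates the port.
    if proto.upper() in ("TCP", "UDP") and ":" in endpoint:
        host, port = endpoint.rsplit(":", 1)
        return host, int(port)
    return endpoint, None


def parse_alert(line: str) -> Optional[Alert]:
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"], m["proto"])
    dst_ip, dst_port = _split_endpoint(m["dst"], m["proto"])
    return {
        "timestamp": m["ts"],
        "sensor": m["sensor"],
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["classification"],  # None when the rule has no classtype
        "priority": int(m["priority"]),
        "proto": m["proto"].upper(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_ip": dst_ip,
        "dst_port": dst_port,
    }


def parse_feed(lines: List[str]) -> Tuple[List[Alert], int]:
    """Parse a batch of syslog lines; return (alerts, number of non-alert lines skipped)."""
    alerts: List[Alert] = []
    skipped = 0
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            skipped += 1
        else:
            alerts.append(parsed)
    return alerts, skipped


if __name__ == "__main__":
    found, dropped = parse_feed(SAMPLE_LINES)
    for a in found:
        print(f"{a['gid']}:{a['sid']}:{a['rev']} prio={a['priority']} "
              f"{a['proto']} {a['src_ip']}:{a['src_port']} -> {a['dst_ip']}:{a['dst_port']}  {a['msg']}")
    print(f"skipped {dropped} non-alert line(s)")
```

The regex is anchored at both ends and keeps the message non-greedy so a rule message containing brackets does not swallow the Classification or Priority fields; anything that does not fit the layout is counted rather than silently mis-parsed, which is what you want when checking what a collector is actually receiving.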

