Snort

Snort is an open source network intrusion detection system that detects threats and is distributed as part of Security Onion.

Before You Begin

You must configure each individual machine that has Snort logs to send data to InsightIDR.

When Snort runs as part of Security Onion, its logs are generated on each individual sensor machine; the following steps make those logs appear in InsightIDR.

To send Snort logs to InsightIDR:

  1. Stop the Snort and the syslog-ng services.
  2. Modify barnyard2-1.conf by running sudo nano /etc/nsm/<insert sniffing interface here>/barnyard2-1.conf
  3. Add the following line:
     output log_syslog_full: sensor_name $sensor-name, local
  4. Save the file.
  5. Modify the file syslog-ng.conf by running the following command: sudo nano /etc/syslog-ng/syslog-ng.conf
  6. Find the line log { source(s_syslog); destination(d_net); };
  7. Add the following above it: destination d_net { tcp("$your_collector_ip" port($event_source-port) log_fifo_size(1000)); };
  8. Save the file.
  9. Restart syslog-ng with the following command: sudo service syslog-ng restart
  10. Restart Snort and Barnyard2, then run the following command: sudo rule-update

You should now be able to see Snort logs in InsightIDR.
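The two configuration edits from the steps above, as an added shell example (not Rapid7's or Security Onion's own tooling): it applies them idempotently, keeps a .bak copy of each file it changes, and refuses to touch syslog-ng.conf if the expected log line is missing. The collector IP and port are placeholders you supply.

```shell
#!/bin/sh
# Added example, not part of the Rapid7 or Security Onion documentation: apply the
# barnyard2 and syslog-ng edits from the steps above without duplicating them on
# re-runs, keeping a .bak copy of each file it changes. Paths and lines are the
# ones the page names; the collector IP and port are placeholders you supply.

BARNYARD_LINE='output log_syslog_full: sensor_name $sensor-name, local'
SYSLOG_ANCHOR='log { source(s_syslog); destination(d_net); };'

# add_barnyard_output FILE: append the log_syslog_full output line if absent.
add_barnyard_output() {
    f="$1"
    if grep -qF "$BARNYARD_LINE" "$f"; then
        return 0                       # already configured, nothing to do
    fi
    cp "$f" "$f.bak"
    printf '%s\n' "$BARNYARD_LINE" >> "$f"
}

# add_syslog_destination FILE IP PORT: insert the d_net destination directly
# above the log {} line so syslog-ng forwards to the InsightIDR collector.
add_syslog_destination() {
    f="$1"; ip="$2"; port="$3"
    dest="destination d_net { tcp(\"$ip\" port($port) log_fifo_size(1000)); };"
    if ! grep -qF "$SYSLOG_ANCHOR" "$f"; then
        echo "add_syslog_destination: log line not found in $f" >&2
        return 1
    fi
    if grep -qF 'destination d_net' "$f"; then
        return 0                       # destination already defined
    fi
    cp "$f" "$f.bak"
    # Print the destination once, on the line before the first anchor match.
    awk -v anchor="$SYSLOG_ANCHOR" -v dest="$dest" \
        'index($0, anchor) > 0 && !done { print dest; done = 1 } { print }' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# apply_all IFACE IP PORT: run both edits against the paths named in the steps
# (stop Snort/syslog-ng first and restart them afterwards, as the page says).
apply_all() {
    add_barnyard_output "/etc/nsm/$1/barnyard2-1.conf" &&
    add_syslog_destination /etc/syslog-ng/syslog-ng.conf "$2" "$3"
}
```

Run it as root with, for example, apply_all eth1 <collector-ip> <collector-port>, then restart the services and run sudo rule-update as in step 10.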

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Snort in the event sources search bar.
    • In the Product Type filter, select IDS.
  3. Select the Snort event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Select a collection method and specify a port and a protocol.
    • Optionally, if you chose TCP, encrypt the event source by downloading the Rapid7 Certificate.
  8. Click Save.