Snort

Snort is an open source network intrusion detection system that can detect threats and is a Security Onion solution.

Before You Begin

You must configure each individual machine that has Snort logs to send data to InsightIDR.

From an instance that was running Snort as part of Security Onion, the Snort logs are from each individual machine and will appear in InsightIDR with the following steps.

To send Snort logs to InsightIDR:

1. Stop the Snort and the syslog-ng services.
2. Modify Barnyard2-1.conf by running sudo nano /etc/nsm/<insert sniffing interface here>/barnyard2-1.conf .
3. Add the following line: output log_syslog_full: sensor_name $sensor-name, local

text
1
output log_syslog_full: sensor_name $sensor-name, local

4. Save the file.
5. Modify the file syslog-ng.conf by running the followinf command: sudo nano /etc/syslog-ng/syslog-ng.conf
6. Find the line log { source(s_syslog); destination(d_net); };
7. Add the following above it: destination d_net { tcp("$your_collector_ip" port(¢event_source-port) log_fifo_size(1000)); };
8. Save the file.
9. Restart syslog-ng with the following command: sudo service syslog-ng restart
10. Restart snort and barnyard and run the following command: sudo rule-update

You should now be able to see Snort logs in InsightIDR.

How to Configure This Event Source in InsightIDR

1. From your dashboard, select Data Collection on the left hand menu.
2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
3. From the “Security Data” section, click the IDS icon. The “Add Event Source” panel appears.
4. Choose your collector and event source. You can also name your event source if you want.
5. Choose the timezone that matches the location of your event source logs.
6. Optionally choose to send unparsed logs.
7. Select a collection method and specify a port and a protocol.
   • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
8. Click Save