Snort
Overview
Snort "is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats."
Before You Begin
If Snort is running as part of a Security Onion instance, the Snort logs from each individual sensor machine will appear in InsightOps after you complete the following steps.
1: Modify barnyard2-1.conf by running sudo nano /etc/nsm/<insert sniffing interface here>/barnyard2-1.conf. From here add the following line:
```text
output log_syslog_full: sensor_name $sensor-name, local
```
- Then save the file.
2: Modify syslog-ng.conf by running sudo nano /etc/syslog-ng/syslog-ng.conf and add the following line above log { source(s_syslog); destination(d_net); };
```text
destination d_net { tcp("$your_collector_ip" port($event_source-port) log_fifo_size(1000)); };
```
- Then save the file.
3: Open a terminal to cycle the services.
- Restart syslog-ng with the following command:
```text
sudo service syslog-ng restart
```
- Restart Snort and Barnyard2 by running the following command:
```text
sudo rule-update
```
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu
- At the top right of the page, select Add Data
- Select the IDS icon from the Security Data section
- Select your collector, and optionally name your event source
- From the list of event source options, choose Snort
- Choose a timezone, or optionally choose a US timezone
- Optionally choose to send unfiltered logs
- Configure inactivity timeout threshold in minutes.
- Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Optionally choose to Encrypt the event source if choosing TCP
- If you are choosing to encrypt, select the "Download Certificate" button, which downloads Rapid7's certificate. This file is called Rapid7CA.pem and allows InsightOps and Snort to "trust" each other during log forwarding.
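As an added example (not code from the Rapid7 InsightOps or Security Onion documentation), the following POSIX shell script applies steps 1 and 2 of the Security Onion procedure idempotently, so re-running it after a partial attempt never duplicates the barnyard2 output line or the syslog-ng destination, and it renders the TLS form of that destination for the "Encrypt the event source" option and the Rapid7CA.pem certificate described in the last two steps. The function names, the `BARNYARD_CONF` and `SYSLOG_NG_CONF` override variables, the CA directory, and the collector address and port are all assumptions or placeholders; the syslog-ng `tls(ca-dir() peer-verify())` options are standard syslog-ng syntax that this page does not itself mention.

```shell
#!/bin/sh
# Added example, not code from the Rapid7 InsightOps or Security Onion docs.
# Applies the barnyard2 and syslog-ng edits from steps 1 and 2 idempotently and
# renders the TLS destination for the "Encrypt the event source" option.
# Assumptions/placeholders: BARNYARD_CONF and SYSLOG_NG_CONF override the
# default file paths (useful for testing), ca_dir is where Rapid7CA.pem is
# installed, and the collector IP and port are whatever InsightOps assigned.

# Append LINE to FILE only if an identical line is not already present, so
# re-running the script never duplicates barnyard2 output stanzas.
ensure_line() {
    file="$1"; line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$file"
}

# Render the syslog-ng d_net destination from step 2. With a third argument
# (a directory holding Rapid7CA.pem under its OpenSSL hash name) the destination
# wraps the TCP stream in TLS and rejects collectors whose certificate does not
# chain to that CA, which is what the downloaded certificate is for.
snort_destination() {
    collector="$1"; port="$2"; ca_dir="${3:-}"
    if [ -n "$ca_dir" ]; then
        printf 'destination d_net { tcp("%s" port(%s) log_fifo_size(1000) tls(ca-dir("%s") peer-verify(required-trusted))); };' \
            "$collector" "$port" "$ca_dir"
    else
        printf 'destination d_net { tcp("%s" port(%s) log_fifo_size(1000)); };' \
            "$collector" "$port"
    fi
}

# Insert DEST directly above the "log { source(s_syslog); destination(d_net); };"
# line, as step 2 requires; skip if a d_net destination is already defined.
install_destination() {
    conf="$1"; dest="$2"
    grep -q 'destination d_net' "$conf" 2>/dev/null && return 0
    tmp="$conf.tmp.$$"
    awk -v dest="$dest" '
        !done && index($0, "log {") == 1 && index($0, "destination(d_net)") { print dest; done = 1 }
        { print }
        END { if (!done) print dest }   # no matching log statement: append at end
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Steps 1 and 2 for one sensor. The files default to the Security Onion paths
# named on the page; the syntax check runs only where syslog-ng is installed.
apply_snort_forwarding() {
    iface="$1"; sensor_name="$2"; collector="$3"; port="$4"; ca_dir="${5:-}"
    by2="${BARNYARD_CONF:-/etc/nsm/$iface/barnyard2-1.conf}"
    sng="${SYSLOG_NG_CONF:-/etc/syslog-ng/syslog-ng.conf}"

    ensure_line "$by2" "output log_syslog_full: sensor_name $sensor_name, local"
    install_destination "$sng" "$(snort_destination "$collector" "$port" "$ca_dir")"

    # Validate before step 3 restarts anything: a syntax error here would leave
    # the sensor silently not forwarding.
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng --syntax-only --cfgfile "$sng" || return 1
    fi
    echo "configured; now run: sudo service syslog-ng restart && sudo rule-update"
}

# Example invocation (placeholder values):
#   apply_snort_forwarding eth1 sensor-eth1 10.0.0.5 10514 /etc/syslog-ng/ca.d
```

For the TLS variant, syslog-ng's ca-dir() looks certificates up by OpenSSL subject hash, so Rapid7CA.pem must be copied into that directory under the name printed by `openssl x509 -hash -noout -in Rapid7CA.pem` with a `.0` suffix; with peer-verify(required-trusted) the sensor refuses to forward to any collector whose certificate does not chain to that CA, which is the check that makes the encrypted option worth enabling.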