Snort

Overview

Snort "is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats."

Before You Begin

From an instance that was running Snort as part of Security Onion, the Snort logs are from each individual machine and will appear in InsightOps with the following steps.

1: Modify Barnyard2-1.conf by running sudo nano /etc/nsm/<insert sniffing interface here>/barnyard2-1.conf . From here add the following line


text
1
output log_syslog_full: sensor_name $sensor-name, local

Then save the file.

2: Modify syslog-ng.conf by running sudo nano /etc/syslog-ng/syslog-ng.conf and add the following line above log { source(s_syslog); destination(d_net); };


text
1
destination d_net { tcp("$your_collector_ip" port(¢event_source-port) log_fifo_size(1000)); };

Then save the file.

3: Open a terminal to cycle the services

Restart syslog-ng with the following command:


text
1
sudo service syslog-ng restart

Restart snort and barnyard and run the following command:


text
1
sudo rule-update

How to Configure This Event Source

From your dashboard, select Data Collection on the left hand menu
At the top right of the page, select Add Data
Select the IDS icon from the Security Data section
Select your collector, and optionally name your event source
From the list of event source options, choose Snort
Choose a timezone, or optionally choose a US timezone
Optionally choose to send unfiltered logs
Configure inactivity timeout threshold in minutes.
Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Optionally choose to Encrypt the event source if choosing TCP
If you are choosing to encrypt, select the button "Download Certificate" which will download Rapid7's certificate. This file will be called Rapid7CA.pem and will allow InsightOps and Snort to "trust" each other during log forwarding.

Did this page help you?