Snort

Overview

Snort "is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats."

Before You Begin

If Snort is running as part of Security Onion, its alerts can be forwarded to InsightOps over syslog. Perform the following steps on each Security Onion sensor; once they are complete, that machine's Snort logs appear in InsightOps under the event source configured in the next section.

1: Modify barnyard2-1.conf by running sudo nano /etc/nsm/<insert sniffing interface here>/barnyard2-1.conf and add the following line, substituting this sensor's name for $sensor-name:

output log_syslog_full: sensor_name $sensor-name, local
  • Then save the file.

2: Modify syslog-ng.conf by running sudo nano /etc/syslog-ng/syslog-ng.conf and add the following line above log { source(s_syslog); destination(d_net); }; (the destination must be defined before the log statement that references it). Substitute your InsightOps collector's IP address for $your_collector_ip and, for $event_source-port, the port you will assign to the Snort event source in step 9 of "How to Configure This Event Source":

destination d_net { tcp("$your_collector_ip" port($event_source-port) log_fifo_size(1000)); };
  • Then save the file.

3: Open a terminal and restart the services

  • Restart syslog-ng with the following command:
sudo service syslog-ng restart
  • Restart Snort and Barnyard2 (Security Onion's rule-update script does this) with the following command:
sudo rule-update
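
The three steps above are usually repeated on every sensor, so the following script applies steps 1 and 2 idempotently and checks the result before anything is restarted. It is an added example, not code from the Rapid7 page or from Security Onion. The sensor name, collector IP address and port are passed as arguments and the values in the comments (securityonion-eth0, 203.0.113.10, 5140) are assumptions; the config paths are the Security Onion defaults quoted in the steps above.

```shell
#!/usr/bin/env bash
# Added example (not from the Rapid7 page or Security Onion): apply the Barnyard2
# and syslog-ng edits idempotently and verify them before restarting services.
set -eu

# Step 1: append the log_syslog_full output line to barnyard2-1.conf unless it
# is already there, so re-running the script never duplicates the output.
add_barnyard_syslog_output() {
  local conf="$1" sensor="$2"
  local line="output log_syslog_full: sensor_name $sensor, local"
  if ! grep -qF "$line" "$conf"; then
    printf '%s\n' "$line" >> "$conf"
  fi
}

# Step 2: define the d_net destination immediately above the log statement that
# references it. Fails loudly if the expected log statement is not in the file,
# rather than appending a destination that would be defined after its use.
add_syslog_ng_destination() {
  local conf="$1" collector_ip="$2" port="$3"
  local anchor='log { source(s_syslog); destination(d_net); };'
  local dest="destination d_net { tcp(\"$collector_ip\" port($port) log_fifo_size(1000)); };"
  if grep -qF 'destination d_net' "$conf"; then
    return 0
  fi
  if ! grep -qF "$anchor" "$conf"; then
    echo "error: '$anchor' not found in $conf" >&2
    return 1
  fi
  # Emit the destination once, on the line just before the first anchor match.
  awk -v dest="$dest" -v anchor="$anchor" '
    index($0, anchor) > 0 && !done { print dest; done = 1 }
    { print }
  ' "$conf" > "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# Check: the d_net definition must appear before the log statement that uses it.
destination_precedes_log() {
  local conf="$1" d l
  d=$(grep -nF 'destination d_net' "$conf" | head -n 1 | cut -d: -f1)
  l=$(grep -nF 'log { source(s_syslog); destination(d_net); };' "$conf" | head -n 1 | cut -d: -f1)
  [ -n "$d" ] && [ -n "$l" ] && [ "$d" -lt "$l" ]
}

# Check: let syslog-ng parse the file before it is restarted (needs syslog-ng on PATH).
check_syslog_ng_config() {
  syslog-ng --syntax-only --cfgfile "$1"
}

# Typical invocation on a sensor, as root (assumed values; replace the interface placeholder):
#   add_barnyard_syslog_output /etc/nsm/<insert sniffing interface here>/barnyard2-1.conf securityonion-eth0
#   add_syslog_ng_destination /etc/syslog-ng/syslog-ng.conf 203.0.113.10 5140
#   destination_precedes_log /etc/syslog-ng/syslog-ng.conf && check_syslog_ng_config /etc/syslog-ng/syslog-ng.conf
#   service syslog-ng restart && rule-update
```

The port given to add_syslog_ng_destination has to match the port and the TCP protocol chosen for the event source in step 9 below. Note that this destination is plain tcp(): if you enable Encrypt in step 9 the collector expects TLS, and a plain-TCP destination will not deliver logs; syslog-ng then needs a TLS-enabled destination that trusts the Rapid7CA.pem certificate from step 10.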

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu
  2. At the top right of the page, select Add Data
  3. Select the IDS icon from the Security Data section
  4. Select your collector, and optionally name your event source
  5. From the list of event source options, choose Snort
  6. Choose the time zone that matches the timestamps in the Snort logs (the list includes the US time zones)
  7. Optionally choose to send unfiltered logs
  8. Configure inactivity timeout threshold in minutes.
  9. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Choose TCP and the same port you entered in the syslog-ng destination above, since that destination uses tcp(). Optionally choose to Encrypt the event source if using TCP
  10. If you chose to encrypt, select the "Download Certificate" button to download Rapid7's CA certificate. The file is called Rapid7CA.pem; configure the sensor's syslog forwarder to trust it so that the TLS connection to the InsightOps collector is verified during log forwarding.