Snort setting up

Is there anyone lately setup Snort with SEM, I investigated instructions by SolarWinds which was old and useless; also talked with their customer support which was also useless. I have bunch of questions

Thank you in advance

Parents
  • There are two different snort rules on is for direct device typically Linux with snort second one is syslog snort.  This allows for snort rules to be send via syslog to you SEM.

    For Snort connector there has been 32 revision of this connected the problem is that there is not log of what as changed in these revision so you will need to find out what does it pick up.

    For syslog snort there was been also been 32 revisions. as well.

    Not the ideal solution is I add the connectors to my desktop pc and review the connect parse 

    in windows endpoint is located here C:\Windows\SysWOW64\ContegoSPOP\tools

    This contain the regex it search and parse logs.

    Considering this is control by the SolarWinds connector team this get overridden with new changes as denoted by revision number.

    so I recommend if snort is running on linux use the snort agent and select the correct path. (agent on node base)

    If using a windows based snort you will have to send via syslog snort and meaning the connect is installed as agentless not agent based hopes that helps.

  • Thank you, I have one more question, so i was able to connect snort to SEM but its not reading logs but in SEM itself it shows this java.io.FileNotFoundException, I was wondering should logging on snort should be JSON format, if that so do you know where I can find JSON format and variables readable by SEM. 

    Thank you!

  • This means the path is not right in connector.  

    ssh to SEM and goto appliance >> checklogs and see if the snort alert log has data? this is option 3.

    If there is data then it will display file path to but in connector.  

    If not the snort logs are in one of the other 24 logs files find the right one and add the path.

Reply Children