8 Replies Latest reply on Oct 13, 2014 3:47 PM by evanr

    snort output server setup

    techfdm4

      I have a physical snort box, and I am trying to get it to send logs to my SolarWinds LEM. I set the output to the IP of the SolarWinds LEM but it doesn't pick up anything. I am using OpenSuse 13.1; in the snort.conf file I have put the output to the LEM server. Is there anyone that has successfully set this up to work? I want it to work using a physical Snort Box and sending the logs to the LEM server to receive logs so that it can capture traffic on the IDS Scan/Attack Activity on LEM for monitoring.

       

      I have tried many different combos with no luck; my Snort is creating logs, but the LEM server isn't receiving them even though I point it to that server. I just need the correct configuration so that the LEM can start logging.

       

      Any help would be greatly appreciated; remember this is not with the Snort on the LEM, this would be from a Snort Box.

       

      Thank You,

       

      Marcel

        • Re: snort output server setup
          evanr

          What's in your # syslog entry in your snort.conf?  It should look something similar to the following.

           

          output alert_syslog: 1.1.1.1:514, LOG_AUTH LOG_ALERT

          We have ours going to user.log

           

          You also want to make sure you're running snort with the -s flag, which will allow it to be sent to a syslog.

           

          You would also then set up a connector on the appliance to log to your facility.

           

          [attached screenshot: Capture.JPG]
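The two things evanr lists (an `output alert_syslog:` line that names the collector, and snort started with -s) are exactly what to verify when the collector receives nothing. The following is an added example, not code from the thread, from Snort or from SolarWinds: it pulls the alert_syslog directive out of a snort.conf and the flags out of the running snort command line (as ps prints it) and reports the usual misconfigurations. The sample snort.conf, the command line and the collector address 192.0.2.10 are constructed input, and the `host=` form of the directive is handled alongside the bare `1.1.1.1:514` form shown in the reply.

```python
"""Check that a Snort box is really configured to ship alerts to a syslog collector.

Added example for the thread, not SolarWinds, Snort or poster code. It parses
the `output alert_syslog:` directive from snort.conf and the snort command line
(as shown by `ps`) and lists the usual reasons a collector such as LEM
"receives nothing". The config text, command line and 192.0.2.10 collector
address below are constructed sample input (IPv4 hosts only).
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Facility / priority names that alert_syslog accepts (syslog(3) names).
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER",
              "LOG_LOCAL0", "LOG_LOCAL1", "LOG_LOCAL2", "LOG_LOCAL3",
              "LOG_LOCAL4", "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7"}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}


@dataclass
class SyslogOutput:
    host: Optional[str]      # None means "local syslog daemon only"
    port: Optional[int]
    facility: Optional[str]
    priority: Optional[str]


def parse_alert_syslog(conf_text: str) -> Optional[SyslogOutput]:
    """Return the first active `output alert_syslog:` directive, or None.

    Commented-out lines are skipped. Both the bare `1.1.1.1:514` form from the
    thread and the `host=1.1.1.1:514` form are accepted; a missing port is
    taken as 514 (assumed default).
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("output alert_syslog"):
            continue
        args = line.split(":", 1)[1] if ":" in line else ""
        out = SyslogOutput(None, None, None, None)
        for tok in re.split(r"[,\s]+", args.strip()):
            if not tok:
                continue
            if tok in FACILITIES:
                out.facility = tok
            elif tok in PRIORITIES:
                out.priority = tok
            elif tok.startswith("host=") or tok[0].isdigit():
                hostport = tok[5:] if tok.startswith("host=") else tok
                host, _, port = hostport.partition(":")
                out.host = host
                out.port = int(port) if port.isdigit() else 514
        return out
    return None


def check_forwarding(conf_text: str, cmdline: str, collector_ip: str) -> list:
    """Return human-readable problems; an empty list means the setup looks right."""
    problems = []
    out = parse_alert_syslog(conf_text)
    if out is None:
        problems.append("snort.conf has no active 'output alert_syslog:' line")
    else:
        if out.host is None:
            problems.append("alert_syslog names no host:port, so alerts only reach "
                            "the local syslog daemon")
        elif out.host != collector_ip:
            problems.append(f"alert_syslog sends to {out.host}:{out.port}, "
                            f"not to the collector {collector_ip}")
        if out.facility is None or out.priority is None:
            problems.append("alert_syslog lacks a facility/priority pair such as "
                            "LOG_AUTH LOG_ALERT")
    argv = shlex.split(cmdline)
    if "-s" not in argv:
        problems.append("snort was started without -s, the flag the reply says "
                        "is needed for syslog output")
    if "-c" not in argv:
        problems.append("snort was started without -c, so it is not reading "
                        "this snort.conf at all")
    return problems


# Constructed sample input: a minimal snort.conf and the command line ps would show.
SAMPLE_CONF = """\
ipvar HOME_NET 192.0.2.0/24
# output alert_syslog: LOG_LOCAL0 LOG_INFO
output alert_syslog: 192.0.2.10:514, LOG_AUTH LOG_ALERT
output alert_fast: alert
"""
SAMPLE_CMDLINE = ("/usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort "
                  "-A fast -s -c /etc/snort/snort.conf -i eth1")

if __name__ == "__main__":
    found = check_forwarding(SAMPLE_CONF, SAMPLE_CMDLINE, "192.0.2.10")
    print("\n".join(found) if found else "syslog forwarding looks correct")
```

Run it against your real snort.conf and the command line from `ps aux | grep snort`; if it reports nothing, the remaining suspects are the network path to UDP/514 on the LEM and the connector configured on the appliance.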

            • Re: snort output server setup
              techfdm4

              I have 2 NICs on this physical Linux pc (OpenSUSE 13.1); one is in promiscuous mode. Now, do you need the snort daemon running? Could you show me the snort command that you use to get the logs? I have read so many different combos it can be very overwhelming; I am very new to Snort, it's a whole ball of wax to me. Your advice is very appreciated, but I am a newbie to this. Now, the NIC that it should be listening on is the one in promiscuous mode, right?

               

              I thank you for any assistance you can provide, someone who has this working with Snort should create a tutorial on how to set it all up. What I mean by this is the installation and setting up of Snort, then setting it to work with Snort in SolarWinds Log and Event Manager.

               

              Marcel

                • Re: snort output server setup
                  evanr

                  Yes, the promiscuous NIC is the device that should be listed in the .conf file.  So for example our physical box has 3 NICs: our management interface, our internal LAN, and our DMZ network.  We have two separate conf files, one for eth1 (LAN) and one for eth2 (DMZ).

                   

                  snort.eth1.conf:

                  ipvar HOME_NET LAN ip range/21

                   

                  snort.eth2.conf:

                  ipvar HOME_NET DMZ ip range/21

                   

                  In Debian the package contains a snort.debian.conf which tells the snort daemon what flags to run.  This is where the promisc NICs are entered.

                   

                  DEBIAN_SNORT_STARTUP=boot
                  DEBIAN_SNORT_HOME_NET="LAN ip range/21,DMZ ip range/21"
                  DEBIAN_SNORT_OPTIONS="-A fast -s"
                  DEBIAN_SNORT_INTERFACE="eth1 eth2"
                  DEBIAN_SNORT_STATS_RCPT="root"
                  DEBIAN_SNORT_STATS_THRESHOLD="1"

                   

                   

                  eth1      Link encap:Ethernet  HWaddr 00:c0:9f:40:3b:c4
                            inet6 addr: fe80::2c0:9fff:fe40:3bc4/64 Scope:Link
                            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
                            RX packets:729425951 errors:10 dropped:764 overruns:0 frame:6
                            TX packets:6312 errors:0 dropped:0 overruns:0 carrier:0
                            collisions:0 txqueuelen:1000
                            RX bytes:4096109712 (3.8 GiB)  TX bytes:265320 (259.1 KiB)

                  eth2      Link encap:Ethernet  HWaddr 00:c0:9f:40:3b:c5
                            inet6 addr: fe80::2c0:9fff:fe40:3bc5/64 Scope:Link
                            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
                            RX packets:11512538 errors:0 dropped:149 overruns:0 frame:0
                            TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
                            collisions:0 txqueuelen:1000
                            RX bytes:824252137 (786.0 MiB)  TX bytes:468 (468.0 B)

                   

                  snort    10888  8.4  8.5 775728 344632 ?       Ssl  06:25  15:12 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -A fast -s -c /etc/snort/snort.eth1.conf -S HOME_NET=[LAN ip range/21,DMZ ip range/21] -i eth1
                  snort    10921  0.1  6.4 775744 259140 ?       Ssl  06:26   0:10 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -A fast -s -c /etc/snort/snort.eth2.conf -S HOME_NET=[LAN ip range/21,DMZ ip range/21] -i eth2

                   

                  I'm not sure if the .debian.conf exists in SUSE or not.  I would imagine it doesn't.  You may want to look at a tutorial on getting Snort set up first.  Then attempt to integrate LEM.  The LEM part is just a matter of outputting the logs and setting up your connector.

                   

                  This will run it in daemon mode, use the snort.conf config file, and log to /var/log/snort.

                  snort -D -c /etc/snort/snort.conf -l /var/log/snort/
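Once snort runs with -A fast and -s as in the setup above, what the LEM connector has to normalise is the one-line alert format shown below. The following parser is an added example, not code from the thread, from Snort or from SolarWinds; it is useful for checking, on the collector side, that the alerts arriving over syslog are complete and carry the fields (signature id, classification, priority, protocol, endpoints) a connector keys on. It handles both the syslog line (alert_syslog / -s) and the -A fast file line; the sample lines, hostnames and RFC 5737 addresses are constructed, and IPv6 endpoints are not handled.

```python
"""Parse the alert lines a Snort sensor ships to syslog (or writes with -A fast).

Added example, not code from the thread, Snort or SolarWinds. It extracts the
fields a collector such as LEM has to pull out of each alert, so you can
confirm from the collector's side that what arrives is usable. Both the syslog
form (from `output alert_syslog` / -s) and the -A fast file form are handled.
The sample lines below are constructed, using RFC 5737 addresses.
"""
import re
from collections import Counter
from typing import Optional

# Common core of both formats:
#   [gid:sid:rev] msg [**]? [Classification: ...]? [Priority: N] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[\*\*\]\s+)?"                                # fast-file separator
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"   # absent for unclassified rules
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s+"              # syslog form adds a colon
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(ep: str):
    """'192.0.2.80:80' -> ('192.0.2.80', 80); ICMP has no port: '192.0.2.80' -> (.., None).

    IPv4 only: rpartition on ':' would mis-split a bare IPv6 address.
    """
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert's fields, or None for lines that are not Snort alerts."""
    m = ALERT_RE.search(line)   # search, so the syslog or timestamp prefix is ignored
    if m is None:
        return None
    src_ip, src_port = _split_endpoint(m.group("src"))
    dst_ip, dst_port = _split_endpoint(m.group("dst"))
    return {
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_alerts(lines):
    """Parse every recognisable alert in an iterable of log lines, skipping the rest."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def count_by_priority(alerts) -> dict:
    """Priority histogram; in Snort's convention a lower number is more severe."""
    return dict(Counter(a["priority"] for a in alerts))


# Constructed sample: two syslog-form alerts, one fast-file alert, one unrelated line.
SAMPLE_LINES = [
    "Oct 13 15:47:01 snortbox snort[10888]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} "
    "192.0.2.80:80 -> 198.51.100.5:51234",
    "Oct 13 15:47:02 snortbox snort[10888]: [1:384:5] ICMP PING "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.5 -> 192.0.2.80",
    "10/13-15:47:03.000123  [**] [1:1000001:1] LOCAL DNS query to test server [**] "
    "[Priority: 0] {UDP} 198.51.100.7:53021 -> 192.0.2.53:53",
    "Oct 13 15:47:05 snortbox sshd[200]: Accepted publickey for admin from 192.0.2.9 port 50000",
]

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LINES)
    for alert in parsed:
        print(f"sid {alert['sid']} prio {alert['priority']} {alert['proto']} "
              f"{alert['src_ip']} -> {alert['dst_ip']}: {alert['msg']}")
    print("by priority:", count_by_priority(parsed))
```

Feeding the lines of /var/log/snort/alert (or the syslog file on the collector) through parse_alerts is a quick way to tell whether the gap is "no alerts are being generated" or "alerts are generated but never leave the box".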