
snort output server setup

I have a physical Snort box, and I am trying to get it to send logs to my SolarWinds LEM. I set the output to the IP of the SolarWinds LEM, but it doesn't pick up anything. I am using OpenSuse 13.1; in the snort.conf file I have put the output to the LEM server. Is there anyone that has successfully set this up to work? I want it to work using a physical Snort box and sending the logs to the LEM server, so that it can capture traffic on the IDS Scan/Attack Activity on LEM for monitoring.

I have tried many different combos with no luck; my Snort is creating logs, but the LEM server isn't receiving them even though I point it to that server. I just need the correct configuration so that the LEM can start logging.

Any help would be greatly appreciated. Remember, this is not with the Snort on the LEM; this would be from a Snort box.

Thank You,

Marcel

  • What's in your # syslog entry in your snort.conf?  It should look similar to the following.

    output alert_syslog: 1.1.1.1:514, LOG_AUTH LOG_ALERT.  We have ours going to user.log

    You also want to make sure you're running snort with the -s flag, which allows alerts to be sent to syslog.

    You would also then set up a connector on the appliance to log to your facility.

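The alert_syslog facility/severity pair from the reply above, combined with Snort's -A fast line format, as an added example that is not code from the thread, SolarWinds or the Snort project: it parses a constructed fast-alert line, computes the RFC 3164 PRI (LOG_AUTH LOG_ALERT = 33) and rebuilds the record a collector such as LEM would receive, so the output can be checked before pointing a sensor at the appliance. The sensor name, the sample addresses and the send_udp helper are assumptions.

```python
# Added example (not from the thread, SolarWinds or the Snort project): rebuild
# the syslog record that Snort's alert_syslog output sends when run with -s,
# from a "-A fast" alert line, so PRI and message shape can be checked offline.
import re
import socket
from datetime import datetime
from typing import Optional

# Facility and severity codes from <syslog.h>; the reply uses LOG_AUTH LOG_ALERT.
FACILITIES = {"LOG_AUTH": 4, "LOG_USER": 1, "LOG_LOCAL0": 16}
SEVERITIES = {"LOG_ALERT": 1, "LOG_WARNING": 4, "LOG_INFO": 6}

# Snort 2.x fast-alert layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {proto} src -> dst   (the Classification field is optional)
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

# Constructed sample alert line using RFC 5737 test addresses, not real traffic.
SAMPLE = ("03/14-10:22:41.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
          "returned root [**] [Classification: Potentially Bad Traffic] "
          "[Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:51234")

def syslog_pri(facility: str, severity: str) -> int:
    """RFC 3164 PRI = facility * 8 + severity; LOG_AUTH LOG_ALERT gives 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the alert fields, or None for lines that are not fast alerts."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def to_syslog(a: dict, sensor: str, facility="LOG_AUTH", severity="LOG_ALERT") -> str:
    """Format one alert as '<PRI>Mon dd hh:mm:ss host snort: ...' (RFC 3164)."""
    # Fast alerts carry no year; prefix a leap year so a 02/29 stamp still parses.
    d = datetime.strptime("2000/" + a["ts"].split(".")[0], "%Y/%m/%d-%H:%M:%S")
    stamp = f"{d:%b} {d.day:2d} {d:%H:%M:%S}"  # syslog pads the day to 2 chars
    body = (f"[{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} "
            f"[Classification: {a['cls'] or 'none'}] [Priority: {a['prio']}] "
            f"{{{a['proto']}}} {a['src']} -> {a['dst']}")
    return f"<{syslog_pri(facility, severity)}>{stamp} {sensor} snort: {body}"

def send_udp(message: str, collector: str, port: int = 514) -> int:
    """Ship one record to the collector over UDP/514, as alert_syslog does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode(), (collector, port))
```

Running `to_syslog(parse_fast_alert(SAMPLE), "snort-sensor")` gives the record with PRI 33; if the collector shows nothing, compare its expected facility against the PRI rather than the message text.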

  • I have 2 NICs on this physical Linux PC (OpenSUSE 13.1); one is in promiscuous mode. Now, do you need the snort daemon running? Could you show me the snort command that you use to get the logs? I have read so many different combos it can be very overwhelming; I am very new to Snort, it's a whole ball of wax to me. Your advice is very appreciated, but I am a newbie to this. Now, the NIC that it should be listening on is the one in promiscuous mode, right?

    I thank you for any assistance you can provide. Someone who has this working with Snort should create a tutorial on how to set it all up. What I mean by this is the installation and setting up of Snort, then setting it to work with Snort in SolarWinds Log and Event Manager.

    Marcel

  • Yes, the promiscuous NIC is the device that should be listed in the .conf file.  So for example our physical box has 3 NICs: our management interface, our internal LAN, and our DMZ network.  We have two separate conf files, one for eth1 (LAN) and one for eth2 (DMZ).

    snort.eth1.conf:

    ipvar HOME_NET LAN ip range/21

    snort.eth2.conf:

    ipvar HOME_NET DMZ ip range/21

    In Debian the package contains a snort.debian.conf which tells the snort daemon what flags to run.  This is where the promisc NICs are entered.

    DEBIAN_SNORT_STARTUP=boot

    DEBIAN_SNORT_HOME_NET="LAN ip range/21,DMZ ip range/21"

    DEBIAN_SNORT_OPTIONS="-A fast -s"

    DEBIAN_SNORT_INTERFACE="eth1 eth2"

    DEBIAN_SNORT_STATS_RCPT="root"

    DEBIAN_SNORT_STATS_THRESHOLD="1"

    eth1      Link encap:Ethernet  HWaddr 00:c0:9f:40:3b:c4

              inet6 addr: fe80::2c0:9fff:fe40:3bc4/64 Scope:Link

              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

              RX packets:729425951 errors:10 dropped:764 overruns:0 frame:6

              TX packets:6312 errors:0 dropped:0 overruns:0 carrier:0

              collisions:0 txqueuelen:1000

              RX bytes:4096109712 (3.8 GiB)  TX bytes:265320 (259.1 KiB)

    eth2      Link encap:Ethernet  HWaddr 00:c0:9f:40:3b:c5

              inet6 addr: fe80::2c0:9fff:fe40:3bc5/64 Scope:Link

              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

              RX packets:11512538 errors:0 dropped:149 overruns:0 frame:0

              TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

              collisions:0 txqueuelen:1000

              RX bytes:824252137 (786.0 MiB)  TX bytes:468 (468.0 B)

    snort    10888  8.4  8.5 775728 344632 ?       Ssl  06:25  15:12 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -A fast -s -c /etc/snort/snort.eth1.conf -S HOME_NET=[LAN ip range/21,DMZ ip range/21] -i eth1

    snort    10921  0.1  6.4 775744 259140 ?       Ssl  06:26   0:10 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -A fast -s -c /etc/snort/snort.eth2.conf -S HOME_NET=[LAN ip range/21,DMZ ip range/21] -i eth2

    I'm not sure if the .debian.conf exists in SUSE or not.  I would imagine it doesn't.  You may want to look at a tutorial on getting Snort set up first.  Then attempt to integrate LEM.  The LEM part is just a matter of outputting the logs and setting up your connector.

    This will run it in daemon mode, use the snort.conf config file and log to /var/log/snort.

    snort -D -c /etc/snort/snort.conf -l /var/log/snort/

  • I want to thank you again for your advice. Now my problem is that it is making logs, but they have to be in text format, not binary.

    Would the command to do so be: snort -D -c /etc/snort/snort.conf -l  -K ascii /var/log/snort/? The reason I need this in text format is because the LEM appliance can't read logs in binary format.

  • Would this command be more accurate: snort -D -de -c /etc/snort.conf -A fast.

  • -K ascii would be the correct flag if you wanted them in plain text.  From your command I don't see you logging it in binary, however.

  • This is what I am looking for: I want Snort to log alert logs in text format. Now I am not sure which command would be appropriate. I have tried snort -D -c /etc/snort/snort.conf -l  -K ascii /var/log/snort/ and it shows a log. This log is not capturing alerts; it is showing all ICMP traffic at an IP of 127.0.0.2, which is a loopback IP.

    Could you show me what command you use to get alerts and save them in text mode?

  • Did you specify the subnets you want to sniff traffic on in your snort.conf file? In our case we have two separate subnets and use the following:

    -S HOME_NET=[your subnet/whatever] -i eth1