Configuring a Snort IDS

Firmware: ALL

Collector: Database Collector

Snort IDS 2.9.2.3 and earlier

To configure Snort IDS 2.9.2.3 or earlier to send log messages to TLC:

1. Open the snort.conf file.
2. Add the following line:

output database: alert, mysql, user=<DB_User> password=<DB_Pass> dbname=<Database_Name> host=<DB_Server_IP> sensor_name=<Sensor_Name> ignore_bpf=yes

Example:

output database: alert, mysql, user=snort password=Pass dbname=ids host=127.0.0.1 sensor_name=SnortDMZ ignore_bpf=yes

3. Restart Snort.

Next

If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment.

Otherwise, see Adding an Asset for a new Log Source.

Snort IDS 2.9.3.0 and later

To configure Snort IDS 2.9.3.0 or later to send log messages to TLC:

1. Open the snort.conf file.
2. Add the following line to enable Snort to output log files in Unified2 format:

output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

3. Restart Snort.
4. Download and install the latest Barnyard2 third-party library on your Snort server:

https://github.com/firnsy/barnyard2/releases

With the installer (./autogen.sh), create a configuration pointing to your MySQL libraries; for example: 

./configure --with-mysql-with-libraries=/usr/lib64/mysql

5. Compile the installer.
6. Open the Barnyard2 configuration file (barnyard2.conf) in: 

/usr/local/etc

7. In the Barnyard2 configuration file, add the following line: 

output database: alert, mysql, user=<DB_User> password=<DB_Pass> dbname=<Database_Name> host=<DB_Server_IP> sensor_name=<Sensor_Name> ignore_bpf=yes

Example:

output database: alert, mysql, user=snort password=Pass dbname=ids host=127.0.0.1 sensor_name=SnortDMZ ignore_bpf=yes

8. To test your Barnyard2 configuration, run the following command in batch mode: 

barnyard2 -c /usr/local/etc/barnyard2.conf -o <snort_log>

Where <snort_log> is the name of a Snort log file (e.g., snort.log.1418337318) to be collected by TLC.

Once Barnyard2 starts, event information should eventually populate your Snort database tables.

Next

If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment.

Otherwise, see Adding an Asset for a new Log Source.