Configuring a Snort IDS
Firmware: ALL
Snort IDS 2.9.2.3 and earlier
To configure Snort IDS 2.9.2.3 or earlier to send log messages to TLC:
1. Open the snort.conf file.
2. Add the following line:
output database: alert, mysql, user=<DB_User> password=<DB_Pass> dbname=<Database_Name> host=<DB_Server_IP> sensor_name=<Sensor_Name> ignore_bpf=yes
Example:
output database: alert, mysql, user=snort password=Pass dbname=ids host=127.0.0.1 sensor_name=SnortDMZ ignore_bpf=yes
3. Restart Snort.
Next
If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment. Otherwise, see Adding a Monitored Asset for a new Log Source.
Snort IDS 2.9.3.0 and later
To configure Snort IDS 2.9.3.0 or later to send log messages to TLC:
1. Open the snort.conf file.
2. Add the following line to enable Snort to output log files in Unified2 format:
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
3. Restart Snort.
4. Download and install the latest Barnyard2 third-party library on your Snort server:
https://github.com/firnsy/barnyard2/releases
Run ./autogen.sh, then configure the build so that it links against your MySQL client libraries; for example:
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
5. Compile the installer.
6. Open the Barnyard2 configuration file (barnyard2.conf) in:
/usr/local/etc
7. In the Barnyard2 configuration file, add the following line:
output database: alert, mysql, user=<DB_User> password=<DB_Pass> dbname=<Database_Name> host=<DB_Server_IP> sensor_name=<Sensor_Name> ignore_bpf=yes
Example:
output database: alert, mysql, user=snort password=Pass dbname=ids host=127.0.0.1 sensor_name=SnortDMZ ignore_bpf=yes
8. To test your Barnyard2 configuration, run the following command in batch mode:
barnyard2 -c /usr/local/etc/barnyard2.conf -o <snort_log>
Where <snort_log> is the name of a Snort log file (e.g., snort.log.1418337318) to be collected by TLC.
Once Barnyard2 starts, event information should eventually populate your Snort database tables.
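As an added check that is not part of the original instructions or of the Snort and Barnyard2 projects, the following Python script decodes the IDS event records (Unified2 types 7 and 104, the latter being what the vlan_event_types and mpls_event_types options above produce) from a Unified2 file, so you can confirm that Snort is writing events to merged.log before involving Barnyard2 and the database. The record layout follows Snort's Unified2 definitions; the sample record is constructed inline, and passing the bytes of your own log file to summarize() works the same way.

```python
import socket
import struct

# Unified2 record types (from Snort's Unified2 definitions)
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104  # IPv4 event + mpls_label/vlan_id, 60-byte body

_HDR = struct.Struct("!II")               # record header: type, length (big-endian)
_EVENT7 = struct.Struct("!11I2H4B")       # 11 x uint32, 2 x uint16, 4 x uint8
_EVENT104 = struct.Struct("!11I2H4BIHH")  # type 7 layout + mpls_label, vlan_id, pad

FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
          "signature_id", "generator_id", "signature_revision",
          "classification_id", "priority_id", "ip_source", "ip_destination",
          "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def iter_unified2_records(data):
    """Yield (type, body) for each record; raise on a truncated file."""
    offset = 0
    while offset + _HDR.size <= len(data):
        rtype, length = _HDR.unpack_from(data, offset)
        offset += _HDR.size
        if offset + length > len(data):
            raise ValueError("truncated record at offset %d" % offset)
        yield rtype, data[offset:offset + length]
        offset += length

def parse_ids_event(rtype, body):
    """Decode a type 7 or 104 event into a dict; other types return None."""
    if rtype == UNIFIED2_IDS_EVENT:
        values, extra = _EVENT7.unpack(body), {}
    elif rtype == UNIFIED2_IDS_EVENT_VLAN:
        values = _EVENT104.unpack(body)
        extra = {"mpls_label": values[17], "vlan_id": values[18]}
    else:
        return None
    ev = dict(zip(FIELDS, values))
    for key in ("ip_source", "ip_destination"):  # uint32 -> dotted quad
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    ev.update(extra)
    return ev

def summarize(data):
    """Return all decoded IDS events found in a Unified2 byte string."""
    events = [parse_ids_event(t, b) for t, b in iter_unified2_records(data)]
    return [ev for ev in events if ev is not None]

def build_sample_log():
    """Constructed sample: one type 104 event, gid 1 / sid 2000001, TCP to port 22 on VLAN 100."""
    body = _EVENT104.pack(1, 42, 1418337318, 0, 2000001, 1, 1, 3, 2,
                          0x0A000005, 0x0A000010, 40000, 22, 6, 0, 0, 0, 0, 100, 0)
    return _HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body
```

To inspect a real file, use summarize(open("/var/log/snort/merged.log", "rb").read()); an empty result after Snort has been running means the output plugin is not firing, and that is the place to look before debugging Barnyard2.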
Next
If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment. Otherwise, see Adding a Monitored Asset for a new Log Source.