
List:       snort-users
Subject:    Re: [Snort-users] Snort alert fast, barnyard2 output fast and Logstash
From:       Tarek Ben Soltane via Snort-users <snort-users () lists ! snort ! org>
Date:       2017-10-30 12:34:44
Message-ID: CAHLsmERKPUMavpQxRKNBDp0hiXGeVV6710tEVtpymNVL3om2mA () mail ! gmail ! com



I would like to answer my own message:

There were rules from ET that were not included (updated) in my file
"sid-msg.map" by Pulledpork. It appears that Pulledpork can't update
any ET rules since Snort got upgraded to 2.9.11.
My solution was to download ET rules manually (to /tmp) and update
"sid-msg.map" while running Pulledpork with option "-P". Now my alerts work
with barnyard2 and logstash as I wanted.
I hope this can help others.

Best regards,
Tarek Ben Soltane

On Mon, Oct 30, 2017 at 10:30 AM, Tarek Ben Soltane <tbsoltane@gmail.com>
wrote:

> Dear All,
> I hope you are doing great.
>
> I have successfully configured Barnyard2 to write to mysql and then Base
> picks up the information and displays correctly.
>
> I have then decided to add the option "output alert_fast tofile" and send
> that same file to Logstash. Barnyard2 is able to write correctly to that
> file but when Logstash displays it, it is missing the "reference";
> "classification", "gen-msg" and "sid-msg" of the rule used.
>
> For example:
> Here is a logstash output:
> "[1:2010935:2] Snort Alert [1:2010935:2] [**] [Classification: Potentially
> Bad Traffic] [Priority: 2] {TCP} X.X.X.X:52727 -> X.X.X.X:1433"
>
>
> Now for Base, here is output for the same rule:
> "ET POLICY Suspicious inbound to MSSQL port 1433"
>
> It looks like barnyard2 doesn't read "reference"; "classification",
> "gen-msg" and "sid-msg" files when it comes to "output alert_fast".
>
> On the other hand, in Snort, if I use the command-line option "-A fast",
> the output is fine for Logstash.
>
> Best regards,
> Tarek
>
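The symptom in this thread is an alert_fast line whose message reads "Snort Alert [gid:sid:rev]" instead of the rule's msg, which is what barnyard2 writes when the sid is absent from the sid-msg.map it loaded at startup. The following script, added here as an example and not part of the original thread or of the barnyard2/pulledpork projects, audits an alert_fast file against a sid-msg.map and separates sids that are genuinely missing from the map from sids that are in the map on disk but still unresolved in the log (a stale map that barnyard2 has not reloaded, so the fix is a barnyard2 restart rather than a rules update). The sample map and alert lines are constructed; the v2 map layout assumed here (a "#v2" header followed by gid || sid || rev || classification || priority || msg || ref...) is the one Pulledpork writes for Snort 2.9.x, and the v1 layout (sid || msg || ref...) is handled as well.

```python
import re

# Constructed sid-msg.map excerpt in the v2 layout (assumed field order:
# gid || sid || rev || classification || priority || msg || ref...).
SAMPLE_SID_MSG_MAP = """\
#v2
1 || 2010935 || 2 || bad-unknown || 2 || ET POLICY Suspicious inbound to MSSQL port 1433 || url,doc.emergingthreats.net/2010935
1 || 2010937 || 2 || bad-unknown || 2 || ET POLICY Suspicious inbound to mySQL port 3306 || url,doc.emergingthreats.net/2010937
"""

# Constructed barnyard2 alert_fast lines. Line 1 is resolved; lines 2 and 3
# carry the "Snort Alert [gid:sid:rev]" placeholder that barnyard2 emits when
# the sid was not in the map it loaded.
SAMPLE_ALERTS = """\
10/30-10:30:01.000001  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:52727 -> 10.0.0.9:1433
10/30-10:30:02.000002  [**] [1:2010939:2] Snort Alert [1:2010939:2] [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:52728 -> 10.0.0.9:5432
10/30-10:30:03.000003  [**] [1:2010937:2] Snort Alert [1:2010937:2] [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:52729 -> 10.0.0.9:3306
"""

# "[**] [gid:sid:rev] <msg> [**]" as written by alert_fast.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
# The placeholder message barnyard2 uses for an unmapped sid.
PLACEHOLDER_RE = re.compile(r"^Snort Alert \[\d+:\d+:\d+\]$")


def parse_sid_msg_map(text):
    """Return {(gid, sid): msg} from sid-msg.map text in v1 or v2 layout."""
    entries = {}
    v2 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#v2"):
                v2 = True  # v2 header: fields include gid and rev
            continue
        fields = [f.strip() for f in line.split("||")]
        if v2:
            if len(fields) < 6:
                continue  # malformed line, skip rather than crash
            gid, sid, msg = int(fields[0]), int(fields[1]), fields[5]
        else:
            if len(fields) < 2:
                continue
            gid, sid, msg = 1, int(fields[0]), fields[1]  # v1 maps only cover gid 1
        entries[(gid, sid)] = msg
    return entries


def audit_alerts(alert_text, sid_map):
    """Classify each alert_fast line by (gid, sid):
    'resolved' - the rule msg was written;
    'missing'  - placeholder written and the sid is not in sid_map (update the map);
    'stale'    - placeholder written but the sid IS in sid_map (barnyard2 has not
                 reloaded the map since it was updated; restart barnyard2)."""
    report = {"resolved": [], "missing": [], "stale": []}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        msg = m.group(4)
        if not PLACEHOLDER_RE.match(msg):
            report["resolved"].append(key)
        elif key in sid_map:
            report["stale"].append(key)
        else:
            report["missing"].append(key)
    return report


if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    for kind, keys in audit_alerts(SAMPLE_ALERTS, sid_map).items():
        for gid, sid in keys:
            print(f"{kind:8s} [{gid}:{sid}] {sid_map.get((gid, sid), '<not in map>')}")
```

Point the script at a real alert_fast file and the sid-msg.map barnyard2 is started with (the -S path) to get the two lists: "missing" sids identify rule sets that Pulledpork did not merge into the map, while "stale" sids mean the map on disk is correct and only a barnyard2 restart is needed.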



