List: snort-users
Subject: Re: [Snort-users] OSSIM not receiving Snort Alerts
From: Yehor Velykozhon via Snort-users <snort-users () lists ! snort ! org>
Date: 2021-07-30 9:57:04
Message-ID: D53A3A18-7590-4EE8-8263-3F3E7A6BF691 () softserveinc ! com
Hello, Paul Mitbach!
Here is the link to the official website of snort3 with some documentation:
https://www.snort.org/documents
Also, you can check the manual in the repository (doc directory):
https://github.com/snort3/snort3
In order to specify any facility in Snort, you first have to specify it locally.
Example: https://linux.die.net/man/5/syslog.conf
The manual that you used previously (http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html#SECTION00361000000000000000 and https://seclists.org/snort/2018/q3/310) is related only to Snort 2.
Thanks, Yehor.
Yehor Velykozhon | yvelyk@softserveinc.com | Trainee | SoftServe (http://www.softserveinc.com/)
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Paul Mitbach <p.mitbach@as-hof.de>
Date: Thursday, 29 July 2021 at 23:40
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] OSSIM not receiving Snort Alerts
Hi, I'm a complete beginner with Snort and I'm currently trying to achieve a setup where Snort directly sends the alerts to OSSIM.
The OSSIM server seems to be configured correctly.
When I'm testing with
logger -p local1.info "Test"
I get this on the OSSIM server.
Something seems to be wrong with the Snort configuration. It's quite frustrating, to be honest, since it seems like there is no up-to-date documentation.
Here's my config:
Snort Startup Script:
[Unit]
Description=Snort3 NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
# -D (daemonize) removed: with Type=simple, systemd supervises the process it
# started, so a daemonizing Snort looks like an exited service and its
# background child gets killed with the unit. Run in the foreground instead.
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 \
-k none -u snort -g snort -l /var/log/snort -i ens160 -m 0x1b --create-pidfile
[Install]
WantedBy=multi-user.target
Snort.lua (Config Outputs)
alert_syslog = {
    -- facility and level are string parameters. Unquoted `local1` / `info`
    -- are undefined Lua globals (nil), so the settings are silently dropped
    -- and Snort falls back to the module defaults.
    facility = 'local1',
    level = 'info'
}
I tried these documents, but it seems like all of them are outdated at some point or there is something missing.
https://docplayer.net/186068323-Integrating-snort-x-with-the-alienvault-ossim-4-1-siem-on-linux-based-systems.html
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html#SECTION00361000000000000000
https://seclists.org/snort/2018/q3/310
Any help/tips would be greatly appreciated!
Best Regards,
Paul Mitbach
AS-Bau Hof GmbH - Stelzenhofstr. 28 - 95032 Hof
+49 9281 860009-50 (Tel.) * (mobile)
p.mitbach@as-hof.de * https://www.as-hof.de/
********************************************************************
Limited liability company (GmbH) * Registered office: Hof
Commercial register Hof * HR B 3421
Managing directors:
Dieter Dick * Dr.-Ing. Thomas Dick * Dipl.-Betriebsw. (FH) Susanne Dick
*******************************************************
Information on data protection can be found here:
https://www.as-bau-hof.de/datenschutz
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave@lists.snort.org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
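The "specify it locally" step from Yehor's reply, together with the Snort 3 side of it, as an added example (not code from either poster or from the Snort project). It assumes OSSIM collects syslog on TCP/514 at 10.0.0.5, that rsyslog is the local syslog daemon on the sensor, and that the snort.lua path matches Paul's unit file; none of those values are on the page. Snort's alert_syslog output only calls syslog(3) on the sensor, so the forwarding decision for local1 lives in the local syslog configuration, and the Lua values must be quoted strings.

```shell
#!/bin/sh
# Added example: wire Snort 3 alert_syslog -> local rsyslog -> OSSIM and check
# each hop. Assumed values (not from the thread): OSSIM at 10.0.0.5:514/tcp,
# rsyslog as the local syslog daemon, snort.lua under /usr/local/etc/snort.

OSSIM_HOST="${OSSIM_HOST:-10.0.0.5}"                       # assumed collector
OSSIM_PORT="${OSSIM_PORT:-514}"
SNORT_LUA="${SNORT_LUA:-/usr/local/etc/snort/snort.lua}"
RSYSLOG_RULE_FILE="${RSYSLOG_RULE_FILE:-/etc/rsyslog.d/50-snort-ossim.conf}"

# 1. Snort side. facility/level are string parameters of the alert_syslog
#    module; a bare `local1` in Lua is an undefined global (nil) and the
#    setting is silently dropped, leaving the module default in place.
snort_alert_syslog_block() {
    cat <<'EOF'
alert_syslog =
{
    facility = 'local1',
    level = 'info',
    options = 'pid',
}
EOF
}

# Return 1 if a snort.lua assigns a bare identifier (unquoted) to facility
# or level, which is exactly the mistake that makes alerts land elsewhere.
check_snort_lua() {
    [ -r "$1" ] || return 1
    if grep -Eq '^[[:space:]]*(facility|level)[[:space:]]*=[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*,?[[:space:]]*$' "$1"; then
        echo "error: unquoted facility/level value in $1" >&2
        return 1
    fi
}

# 2. Syslog side. The local daemon decides where local1 messages go; without
#    this rule Snort's messages stay in the local log files. @@ forwards over
#    TCP, a single @ over UDP (classic rsyslog selector syntax).
rsyslog_forward_rule() {
    printf 'local1.info  @@%s:%s\n' "$1" "$2"
}

# 3. Apply and verify on the sensor (root, rsyslog and Snort required; not run
#    unless invoked as `./snort-ossim.sh apply`).
apply_and_verify() {
    rsyslog_forward_rule "$OSSIM_HOST" "$OSSIM_PORT" > "$RSYSLOG_RULE_FILE"
    rsyslogd -N1 || return 1                          # syntax-check rsyslog config
    systemctl restart rsyslog
    logger -p local1.info "snort-ossim forwarding test $(date +%s)"  # same test as the post
    check_snort_lua "$SNORT_LUA" || return 1
    snort -c "$SNORT_LUA" -T --warn-all || return 1   # validate config, do not sniff
    snort --help-module alert_syslog                  # lists the accepted values
}

if [ "${1:-}" = "apply" ]; then
    apply_and_verify
fi
```

If the `logger` test reaches OSSIM but Snort alerts do not, the check in step 1 is the first thing to run: an unquoted value passes Snort's config load without complaint and the alerts end up under the module's default facility rather than local1.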