
External Systems Configuration Guide

Snort Intrusion Prevention System

What is Discovered and Monitored

Protocol: Syslog, JDBC (event collection); SNMP (for access to the database server hosting the Snort database)

Metrics Collected:

  • Generic information: signature ID, signature name, sensor ID, event occur time, signature priority
  • TCP: packet header, including source IP address, destination IP address, Source Port, Destination Port, TCP Sequence Number, TCP Ack Number, TCP Offset, TCP Reserved, TCP Flags, TCP Window size, TCP Checksum, TCP Urgent Pointer; and packet payload
  • UDP: packet header, including source IP address, destination IP address, Source Port, Destination Port, UDP Length, checksum; and packet payload
  • ICMP: packet header, including source IP address, destination IP address, ICMP Type, ICMP Code, Checksum, ICMP ID, Sequence Number; and packet payload

Event Types

In ADMIN > Device Support > Event, search for "snort_ips" in the Device Type column to see the event types associated with this device.

Configuration

Syslog

Collecting event information from Snort via syslog has two drawbacks:

  1. It is not reliable because it is sent over UDP.
  2. Information content is limited because of the UDP packet size limit.

For these reasons, you should consider using JDBC to collect event information from Snort.

These instructions illustrate how to configure Snort on Linux to send syslogs to FortiSIEM. For further information, you should consult the Snort product documentation.

  1. Log in to your Linux server where Snort is installed.
  2. Navigate to and open the file /etc/snort/snort.conf.
  3. Modify alert_syslog to use a local log facility, for example:

     output alert_syslog: LOG_LOCAL4 LOG_ALERT

  4. Navigate to and open the file /etc/syslog.conf.
  5. Add a redirector to send syslogs to FortiSIEM. The selector and the action must be separated by whitespace (traditionally a tab); the two commented lines show the local-file and alternative-destination variants:

     #Snort log to local4
     #local4.*        /var/log/snort.log
     #local4.*        @192.168.20.41
     local4.alert     @10.1.2.171

  6. Restart the Snort daemon.

Example Parsed Snort Syslog

<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request [Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514
<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80
<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10
<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161
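The alert lines above follow Snort's single-line alert_syslog format: a syslog PRI value, the rule's gid:sid:rev, the rule message, an optional classification, a priority, the protocol and the endpoints (ICMP endpoints carry no ports). The parser below is an added example, not FortiSIEM's own parser. It decodes the PRI into facility and severity (so you can confirm the local4/alert setting from the configuration steps is actually what arrives), types the numeric fields, and tolerates the missing ports and the missing classification. The first four sample lines are the ones on this page; the fifth is constructed to represent a local rule without a classtype.

```python
"""Parse Snort alert_syslog lines.  Added example, not FortiSIEM's parser."""
import re

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Lines 1-4 are the sample alerts from this page.  Line 5 is CONSTRUCTED to show a
# rule with no [Classification: ...] block, which Snort omits when a rule has no
# classtype (its message and sid mirror the TCP JDBC event shown later on the page).
SAMPLE_LINES = [
    "<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request "
    "[Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514",
    "<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a "
    "potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80",
    "<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] "
    "[Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10",
    "<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] "
    "[Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161",
    "<161>snort[5774]: [1:1000001:0] Snort Alert [1:1000001:0] [Priority: 0]: {TCP} 10.1.2.99:52314 -> 10.1.20.51:80",
]

ALERT_RE = re.compile(
    r"^<(?P<pri>\d+)>snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"      # absent for rules without a classtype
    r"\[Priority: (?P<prio>\d+)\]: \{(?P<proto>[A-Z]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "   # ICMP has no ports
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


def facility_name(facility):
    """Map the numeric syslog facility to its name; only localN is of interest here."""
    return "local%d" % (facility - 16) if 16 <= facility <= 23 else "facility%d" % facility


def parse_snort_syslog(line):
    """Return a dict of typed fields, or None when the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None

    def port(name):
        return int(m.group(name)) if m.group(name) else None

    pri = int(m.group("pri"))          # <161>: facility 20 (local4), severity 1 (alert)
    return {
        "facility": facility_name(pri >> 3),
        "severity": SEVERITY_NAMES[pri & 7],
        "pid": int(m.group("pid")),
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),   # None when the rule has no classtype
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"), "sport": port("sport"),
        "dst": m.group("dst"), "dport": port("dport"),
    }


def parse_all(lines):
    """Parse a batch of lines, silently skipping anything that is not a Snort alert."""
    return [r for r in (parse_snort_syslog(l) for l in lines) if r is not None]


def count_by_priority(alerts):
    """Histogram of alert priorities, a quick sanity check on what a sensor is sending."""
    counts = {}
    for a in alerts:
        counts[a["priority"]] = counts.get(a["priority"], 0) + 1
    return counts


if __name__ == "__main__":
    alerts = parse_all(SAMPLE_LINES)
    for a in alerts:
        print("%s/%s sid=%d prio=%d %s %s:%s -> %s:%s" % (
            a["facility"], a["severity"], a["sid"], a["priority"], a["proto"],
            a["src"], a["sport"], a["dst"], a["dport"]))
    print("by priority:", count_by_priority(alerts))
```

Because the line is a single UDP datagram, anything Snort could not fit (notably the packet payload) is simply not there; that is the size limitation the section refers to, and why the JDBC path below carries the full header and payload fields.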

JDBC

Supported Databases and Snort Database Schemas

When using JDBC to collect IPS information from Snort, FortiSIEM can capture a full packet that is detailed enough to recreate the packet via a PCAP file.

FortiSIEM supports collecting Snort event information over JDBC from these database types:

  • Oracle
  • MS SQL
  • MySQL
  • PostgreSQL

FortiSIEM supports Snort database schema 107 or higher.

SNMP Access to the Database Server

You must set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with FortiSIEM for several common types of database servers.

Once you have set up SNMP on your database server, you can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Debugging Snort Database Connectivity

Snort IPS alerts are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log entry is created for each pull, for example:

2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=10.1.20.51:ICMP:Max record id:17848444  Total records in one round of pulling:20

At most 1000 database records (IPS alerts) are pulled at a time. If FortiSIEM finds more than 1000 new records in one round, it begins to fall behind and the following log entry is created:

2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=Event count of snort exceeds the threshold in one round of pulling, which means there may be more events need to be pulled.

Examples of Snort IPS Events Pulled over JDBC

UDP Event

<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876,[destIpPort]=161,[udpLen]=55,[checksum]=39621,[dataPayload]=302D02010104067075626C6963A520...

TCP Event

<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensorId]=1,[eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=52314,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,[tcpUrgentPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F204...

Viewing Snort Packet Payloads in Reports

FortiSIEM creates an event for each IPS alert in the Snort database. You can view the full packet payload associated with a Snort event when you run a report.

  1. Set up a structured historical search.
  2. Set this condition, where Reporting IP is an IP belonging to the Snort Application group:

     Attribute: Reporting IP
     Operator: IN
     Value: Applications: Network IPS App

  3. For Display Fields, include Data Payload.
     When you run the query, Data Payload will be one of the display columns.
  4. When the query runs, select an event, and the data payload is displayed at the bottom of the search results in a byte-by-byte Ethereal/Wireshark format.

Exporting Snort IPS Packets as a PCAP File

After running a report, click the Export button and choose the PCAP option.
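The UDP event shown under "Examples of Snort IPS Events Pulled over JDBC" carries every IPv4 and UDP header field plus the hex payload, which is what makes the PCAP export possible. The script below is an added example, not FortiSIEM's exporter or parser: it reads the [key]=value pairs of such an event, re-serialises the IPv4 and UDP headers from the named fields, appends the payload, recomputes the IPv4 header checksum as an integrity check against the recorded ipChecksum, and writes a classic PCAP file with link type 101 (raw IP, since no Ethernet header is stored). The event line is constructed for this example (its ipChecksum was computed to match its header fields, and the UDP checksum is left at 0); assumptions are that the event time is UTC, that the header carries no IP options (ipHeaderLength of 5), and that the payload is not truncated, which the length check enforces because a display-truncated payload ending in "..." cannot yield a valid packet.

```python
"""Rebuild an IPv4/UDP packet from a FortiSIEM Snort JDBC event and write a PCAP.
Added example, not FortiSIEM code.  Field names follow the [key]=value pairs of
the UDP event on this page; everything else (UTC times, no IP options) is assumed."""
import re
import socket
import struct
from datetime import datetime, timezone

# CONSTRUCTED sample event (not from a real sensor).  ipTotalLength/udpLen match
# the 19-byte payload, and ipChecksum (24996) is correct for these header fields.
SAMPLE_EVENT = (
    "<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,"
    "[relayDevIpAddr]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,"
    "[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,"
    "[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=47,[ipId]=0,[ipFlags]=0,"
    "[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=24996,[srcIpPort]=35876,"
    "[destIpPort]=161,[udpLen]=27,[checksum]=0,[dataPayload]="
    + b"constructed payload".hex().upper()
)

FIELD_RE = re.compile(r"\[([A-Za-z0-9]+)\]=(.*?)(?=,\[|$)")
LINKTYPE_RAW = 101   # pcap link type for packets that start at the IP header


def parse_event(line):
    """Turn the [key]=value list after the 'java: [Snort-...]:' prefix into a dict."""
    body = line.split("]:", 1)[1]
    return dict(FIELD_RE.findall(body))


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words, checksum field already zeroed."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rebuild_udp_packet(ev):
    """Serialise IPv4 + UDP headers and the payload.  Returns (packet, checksum_ok)."""
    if int(ev["ipProto"]) != 17:
        raise ValueError("only UDP events (ipProto=17) are handled in this example")
    if int(ev["ipHeaderLength"]) != 5:
        raise ValueError("IP options are not stored in the event; cannot rebuild header")
    payload = bytes.fromhex(ev["dataPayload"])
    ver_ihl = (int(ev["ipVersion"]) << 4) | int(ev["ipHeaderLength"])
    flags_frag = (int(ev["ipFlags"]) << 13) | int(ev["ipFragOffset"])
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, int(ev["tos"]), int(ev["ipTotalLength"]),
                         int(ev["ipId"]), flags_frag, int(ev["ipTtl"]), 17, 0,
                         socket.inet_aton(ev["srcIpAddr"]), socket.inet_aton(ev["destIpAddr"]))
    computed = ipv4_checksum(ip_hdr)
    recorded = int(ev["ipChecksum"])
    # Keep the checksum the sensor recorded so the PCAP reflects what was on the wire;
    # a mismatch is reported to the caller rather than silently "repaired".
    ip_hdr = ip_hdr[:10] + struct.pack("!H", recorded) + ip_hdr[12:]
    udp_hdr = struct.pack("!HHHH", int(ev["srcIpPort"]), int(ev["destIpPort"]),
                          int(ev["udpLen"]), int(ev["checksum"]))
    packet = ip_hdr + udp_hdr + payload
    if len(packet) != int(ev["ipTotalLength"]):
        raise ValueError("payload length does not match ipTotalLength (truncated payload?)")
    return packet, computed == recorded


def to_pcap(packets, event_time):
    """Wrap raw IP packets in a classic pcap file; eventTime is assumed to be UTC."""
    ts = datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    secs, usecs = int(ts.timestamp()), ts.microsecond
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for pkt in packets:
        out += struct.pack("<IIII", secs, usecs, len(pkt), len(pkt)) + pkt
    return out


def event_to_pcap(line):
    """Full pipeline for one event line: returns (pcap_bytes, ip_checksum_ok)."""
    ev = parse_event(line)
    pkt, ok = rebuild_udp_packet(ev)
    return to_pcap([pkt], ev["eventTime"]), ok


if __name__ == "__main__":
    data, ok = event_to_pcap(SAMPLE_EVENT)
    with open("snort_event.pcap", "wb") as fh:
        fh.write(data)
    print("wrote %d bytes; IP header checksum %s" % (len(data), "matches" if ok else "MISMATCH"))
```

Opening the resulting file in Wireshark shows the same byte-by-byte view the report gives. The checksum comparison is worth keeping in any real exporter: a recorded checksum that does not match the recorded header fields means the row was altered or mis-joined somewhere between the sensor and the SIEM, and the packet should not be trusted as evidence.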

Settings for Access Credentials

Access Credentials for JDBC

Set these Access Method Definition values to allow FortiSIEM to communicate with your Snort IPS over JDBC.

Setting                  Value
Name                     <database type>-snort-BT
Device Type              Select the type of database that you are connecting to for Snort alerts
Access Protocol          JDBC
Used For                 Snort Audit
Pull Interval (minutes)  1
Port                     3306
Database Name            The name of the database
User Name                The administrative user for the Snort database
Password                 The password associated with the administrative user

Access Credentials for SNMP, Telnet, SSH

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP, Telnet, or SSH.

Setting          Value
Name             <set name>
Device Type      Snort-org Snort IPS
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration
