Snort Intrusion Prevention System
- What is Discovered and Monitored
- Event Types
- Configuration
- JDBC
- SNMP Access to the Database Server
- Debugging Snort Database Connectivity
- Examples of Snort IPS Events Pulled over JDBC
- Viewing Snort Packet Payloads in Reports
- Exporting Snort IPS Packets as a PCAP File
- Settings for Access Credentials
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
Syslog | | | |
JDBC | | Generic information: signature ID, signature name, sensor ID, event occur time, signature priority. TCP: packet header, including source IP address, destination IP address, source port, destination port, TCP sequence number, TCP ack number, TCP offset, TCP reserved, TCP flags, TCP window size, TCP checksum, TCP urgent pointer; and packet payload. UDP: packet header, including source IP address, destination IP address, source port, destination port, UDP length, checksum; and packet payload. ICMP: packet header, including source IP address, destination IP address, ICMP type, ICMP code, checksum, ICMP ID, sequence number; and packet payload. | |
SNMP (for access to the database server hosting the Snort database) | | | |
Event Types
In ADMIN > Device Support > Event Types, search for "snort-org" to see the event types associated with this device.
Configuration
Syslog
Collecting event information from Snort via syslog has two drawbacks:
- It is not reliable because it is sent over UDP.
- Information content is limited because of the UDP packet size limit.
For these reasons, you should consider using JDBC to collect event information from Snort.
These instructions illustrate how to configure Snort on Linux to send syslog to FortiSIEM. For further information, you should consult the Snort product documentation.
- Log in to your Linux server where Snort is installed.
- Navigate to and open the file /etc/snort/snort.conf.
- Modify alert_syslog to use a local log facility, for example:
  output alert_syslog: LOG_LOCAL4 LOG_ALERT
- Navigate to and open the file /etc/syslog.conf.
- Add a redirector to send syslog to FortiSIEM:
  #Snort log to local4
  #local4.*        /var/log/snort.log
  #local4.*        @192.168.20.41
  local4.alert     @10.1.2.171
- Restart the Snort daemon.
Example Parsed Snort Syslog
<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request [Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514
<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80
<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10
<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161
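As an added example (not part of the FortiSIEM documentation), a Python parser for the alert_syslog line format shown above: it decodes the syslog PRI into facility and severity (LOG_LOCAL4 LOG_ALERT gives <161>), pulls out gid:sid:rev, classification and priority, and handles the port-less ICMP form as well as TCP/UDP lines. IPv4 addresses only, as in the examples above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the alert_syslog lines shown above (LOG_LOCAL4 LOG_ALERT gives PRI <161>):
#   <PRI>snort[PID]: [gid:sid:rev] NAME [Classification: C] [Priority: N]: {PROTO} SRC[:PORT] -> DST[:PORT]
# The Classification block is absent for rules without a classtype; ICMP lines carry no ports.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: \{(?P<proto>[A-Z]+)\} "
    rf"(?P<src>{_IP})(?::(?P<sport>\d+))? -> (?P<dst>{_IP})(?::(?P<dport>\d+))?$"
)

@dataclass
class SnortAlert:
    facility: Optional[int]       # syslog PRI >> 3 (local4 = 20)
    severity: Optional[int]       # syslog PRI & 7 (alert = 1)
    gid: int
    sid: int
    rev: int
    name: str
    classification: Optional[str]
    priority: int                 # Snort rule priority: 1 is most severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def parse_snort_syslog(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a well-formed line, None for anything else."""
    m = _ALERT_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"]) if m["pri"] else None
    opt_int = lambda g: int(m[g]) if m[g] else None
    return SnortAlert(
        facility=pri >> 3 if pri is not None else None,
        severity=pri & 7 if pri is not None else None,
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]), name=m["name"],
        classification=m["cls"], priority=int(m["prio"]), proto=m["proto"],
        src=m["src"], sport=opt_int("sport"), dst=m["dst"], dport=opt_int("dport"))

def alerts_at_or_above(lines, max_priority: int = 2):
    """Parsed alerts whose Snort priority is at least as severe as max_priority."""
    return [a for a in map(parse_snort_syslog, lines) if a and a.priority <= max_priority]
```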
JDBC
Supported Databases and Snort Database Schemas
When using JDBC to collect IPS information from Snort, FortiSIEM can capture a full packet that is detailed enough to recreate the packet via a PCAP file.
FortiSIEM supports collecting Snort event information over JDBC from these database types:
- Oracle
- MS SQL
- MySQL
- PostgreSQL
FortiSIEM supports Snort database schema 107 or higher.
SNMP Access to the Database Server
You must set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with FortiSIEM for several common types of database servers.
Once you have set up SNMP on your database server, you can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Debugging Snort Database Connectivity
Snort IPS alerts are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log entry is written for each pull.
2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=10.1.20.51:ICMP:Max record id:17848444 Total records in one round of pulling:20
At most 1000 database records (IPS alerts) are pulled at a time. If FortiSIEM finds more than 1000 new records in one round, it begins to fall behind and writes this log entry.
2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=Event count of snort exceeds the threshold in one round of pulling, which means there may be more events need to be pulled.
Examples of Snort IPS Events Pulled over JDBC
UDP Event
<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876,[destIpPort]=161,[udpLen]=55,[checksum]=39621,[dataPayload]=302D02010104067075626C6963A520...
TCP Event
<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensorId]=1,[eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=52314,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,[tcpUrgentPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F204...
Viewing Snort Packet Payloads in Reports
FortiSIEM creates an event for each IPS alert in the Snort database. You can view the full packet payload associated with a Snort event when you run a report.
- Set up a structured historical search.
- Set this condition, where Reporting IP is an IP belonging to the Snort Application group:

Attribute | Operator | Value |
---|---|---|
Reporting IP | IN | Applications: Network IPS App |

- For Display Fields, include Data Payload. When you run the query, Data Payload will be one of the display columns.
- When the query runs, select an event, and the data payload will display at the bottom of the search results in a byte-by-byte Ethereal/Wireshark format.
Exporting Snort IPS Packets as a PCAP File
After running a report, click the Export button and choose the PCAP option.
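As an added example (not part of the FortiSIEM documentation), the following Python rebuilds an IPv4/UDP packet from the header fields of a JDBC-pulled UDP event of the kind shown under "Examples of Snort IPS Events Pulled over JDBC", verifies the stored IP header checksum, and writes the result as a libpcap file, which is the kind of file the PCAP export produces from those same fields. The sample event is constructed (payload shortened, lengths and ipChecksum made consistent with it), and eventTime is assumed to be UTC.

```python
import re
import struct
import ipaddress
from datetime import datetime, timezone

# Constructed sample in the JDBC-event format shown above: payload shortened, and
# ipTotalLength/udpLen/ipChecksum made consistent with it. Not a real captured event.
SAMPLE_EVENT = (
    "<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,"
    "[signatureId]=1417,[eventName]=SNMP request udp,[eventTime]=2012-11-07 17:56:51.0,"
    "[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,"
    "[ipTotalLength]=33,[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,"
    "[ipChecksum]=25010,[srcIpPort]=35876,[destIpPort]=161,[udpLen]=13,[checksum]=0,"
    "[dataPayload]=48656C6C6F"
)

def parse_event(text: str) -> dict:
    """Split the '[key]=value,[key]=value' body after 'java: [Snort-SID]:' into a dict."""
    return dict(re.findall(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)", text.split("]:", 1)[-1]))

def udp_event_to_ip_packet(ev: dict) -> bytes:
    """Rebuild IPv4 header + UDP header + payload exactly as the event recorded them."""
    i = lambda k: int(ev[k])
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (i("ipVersion") << 4) | i("ipHeaderLength"), i("tos"), i("ipTotalLength"), i("ipId"),
        (i("ipFlags") << 13) | i("ipFragOffset"), i("ipTtl"), i("ipProto"),
        i("ipChecksum"),  # the stored checksum is kept, not recomputed
        ipaddress.ip_address(ev["srcIpAddr"]).packed, ipaddress.ip_address(ev["destIpAddr"]).packed)
    udp_hdr = struct.pack("!HHHH", i("srcIpPort"), i("destIpPort"), i("udpLen"), i("checksum"))
    return ip_hdr + udp_hdr + bytes.fromhex(ev["dataPayload"])

def ipv4_checksum_ok(packet: bytes) -> bool:
    """RFC 1071 check: one's-complement sum of the header, checksum included, must be 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    total = sum(struct.unpack("!%dH" % (ihl // 2), packet[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def to_pcap(events: list) -> bytes:
    """Serialise rebuilt packets as a libpcap file with LINKTYPE_RAW (101): no Ethernet header."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for ev in events:
        pkt = udp_event_to_ip_packet(ev)
        # eventTime carries no zone; UTC is assumed here
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(pkt), len(pkt)) + pkt
    return out
```

Writing `to_pcap([parse_event(SAMPLE_EVENT)])` to a file gives something Wireshark opens directly; a failing checksum check on a rebuilt packet usually means the event's header fields were stored or mapped inconsistently.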
Settings for Access Credentials
Access Credentials for JDBC
Set these Access Method Definition values to allow FortiSIEM to communicate with your Snort IPS over JDBC.
Setting | Value |
---|---|
Name | <database type>-snort-BT |
Device Type | Select the type of database that you are connecting to for Snort alerts |
Access Protocol | JDBC |
Used For | Snort Audit |
Pull Interval (minutes) | 1 |
Port | 3306 |
Database Name | The name of the database |
User Name | The administrative user for the Snort database |
Password | The password associated with the administrative user |
Access Credentials for SNMP, Telnet, SSH
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP, Telnet, or SSH.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Snort-org Snort IPS |
Access Protocol | See Access Credentials |
Port | See Access Credentials |
Password config | See Password Configuration |