Snort alerts to SEIM
-
We are looking to trial some SEIM solutions to allow us to view the firewall and Snort feeds from multiple PFSense devices.
After a bit of fiddling, we've got the firewall data feeding into Rapid7 insightIDR but we can't get the Snort data visible.
Can anyone provide a bit of guidance for setting this up or direct me to a good source of info?
We're currently using SG-8860's running the latest 2.4.4 release.
-
The manual for setting this up is at the link below:
https://insightidr.help.rapid7.com/docs/snort
It advised setting barnyard2 to local only:
output log_syslog_full: sensor_name $sensor-name, local
Then modifying syslog-ng.conf by adding
destination d_net { tcp("$your_collector_ip" port($event_source-port) log_fifo_size(1000)); };
above the line
log { source(s_syslog); destination(d_net); };
Whenever we change syslog-ng.conf, save it and restart the service, it resets the file back to the previous config. Also, if we try to edit it within the web interface, it states that you can't alter default settings and need to change them on the general tab.
-
Update on this...
We have snort running on a pair of Netgate XG-1541's and they are using barnyard2 to dump data into our SEIM.
The SG-3100's are currently 50/50 as to passing data. One works and another with exactly the same settings fails! Logs below in reverse order!
Nov 1 16:16:26 kernel pid 83187 (barnyard2), uid 0: exited on signal 10 (core dumped)
Nov 1 16:16:24 barnyard2 83187 Opened spool file '/var/log/snort/snort_mvneta116855/snort_16855_mvneta1.u2.1540984209'
Nov 1 16:16:24 barnyard2 83187 Using waldo file '/var/log/snort/snort_mvneta116855/barnyard2/16855_mvneta1.waldo': spool directory = /var/log/snort/snort_mvneta116855 spool filebase = snort_16855_mvneta1.u2 time_stamp = 1540984209 record_idx = 1
Nov 1 16:16:24 barnyard2 83187 Barnyard2 initialization completed successfully (pid=83187)
Nov 1 16:16:24 barnyard2 83187 --== Initialization Complete ==--
Nov 1 16:16:24 barnyard2 83187 Writing PID "83187" to file "/var/run/barnyard2_mvneta116855.pid"
Nov 1 16:16:24 barnyard2 83187 PID path stat checked out ok, PID path set to /var/run
Nov 1 16:16:24 barnyard2 83187 Daemon initialized, signaled parent pid: 82930
Nov 1 16:16:24 barnyard2 82930 Daemon parent exiting
Nov 1 16:16:24 barnyard2 82930 Initializing daemon mode
Nov 1 16:16:24 barnyard2 82930 Reporting Protocol: udp
Nov 1 16:16:24 barnyard2 82930 Syslog Server: ***.***.***.***:****
Nov 1 16:16:24 barnyard2 82930 Detail Level: Fast
Nov 1 16:16:24 barnyard2 82930 spo_syslog_full config:
Nov 1 16:16:24 barnyard2 82930 [OpSyslog_Init()]: OUTPUT_TYPE__LOG was selected but operation_mode is set to "default", using defaut logging hook
Nov 1 16:16:24 barnyard2 82930 using operation_mode: default
Nov 1 16:16:24 barnyard2 82930 Log directory = /var/log/snort/snort_mvneta116855
Nov 1 16:16:24 barnyard2 82930 Barnyard2 spooler: Event cache size set to [8192]
Nov 1 16:16:24 barnyard2 82930 ---------------------------- +[ Signature Suppress list ]+
Nov 1 16:16:24 barnyard2 82930 +[No entry in Signature Suppress List]+
Nov 1 16:16:24 barnyard2 82930 +[ Signature Suppress list ]+ ----------------------------
Nov 1 16:16:24 barnyard2 82930 Found pid path directive (/var/run)
Nov 1 16:16:24 barnyard2 82930 Parsing config file "/usr/local/etc/snort/snort_16855_mvneta1/barnyard2.conf"
Nov 1 16:16:24 barnyard2 82930 Initializing Output Plugins!
Nov 1 16:16:24 barnyard2 82930 Initializing Input Plugins!
Nov 1 16:16:24 barnyard2 82930 --== Initializing Barnyard2 ==--
Nov 1 16:16:24 barnyard2 82930 Running in Continuous mode
Nov 1 16:16:24 barnyard2 82930 Found pid path directive (/var/run)
Nov 1 16:16:24 kernel mvneta1: promiscuous mode enabled
Nov 1 16:16:24 php /tmp/snort_mvneta116855_startcmd.php: [Snort] Barnyard2 START for LAN(mvneta1)...
Nov 1 16:16:23 php /tmp/snort_mvneta116855_startcmd.php: [Snort] Snort START for LAN(mvneta1)...
Nov 1 16:16:23 php /tmp/snort_mvneta116855_startcmd.php: [Snort] Building new sid-msg.map file for LAN...
Nov 1 16:16:23 php /tmp/snort_mvneta116855_startcmd.php: [Snort] Warning - no text rules or IPS-Policy selected for: LAN ...
Nov 1 16:16:23 php /tmp/snort_mvneta116855_startcmd.php: [Snort] Updating rules configuration for: LAN ...
Nov 1 16:16:22 kernel mvneta1: promiscuous mode disabled
-
Signal 10 is a BUS ERROR. The SG-3100 appliance uses an armv6 CPU instead of an Intel amd64 style chip. The FreeBSD cross-compiler for armv6 hardware can produce some illegal instruction sequences in certain cases when compiler optimizations are enabled (and "enabled" is the default for the optimizations setting in the compiler make file). What happens is the resulting "optimized" instruction sequences attempt to access memory on non-aligned boundaries. This generates the Signal 10 error and terminates the process.
The Signal 10 error is not thrown until a precise section of code containing the illegal instruction sequence is encountered. What is likely happening with your two appliances is they are processing slightly different log data and so one hits the invalid instruction sequence based on the data it is processing while the other does not.
The fix for this will require altering the Barnyard2 makefile configuration settings to turn off compiler optimizations when the executable is being compiled for armv6 hardware. This same issue exists within the Snort executable for the SG-3100, and it was fixed by turning off compiler optimizations when compiling for armv6 hardware.
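As an added illustration of the alignment point made above (this is example code written for this thread, not code from Barnyard2 or pfSense), the C program below walks a constructed buffer of binary log records whose 32-bit header fields deliberately sit at an odd byte offset. The record layout (an 8-byte header of big-endian type and payload length, followed by the payload) is a hypothetical simplification chosen for the example. It reads each field byte by byte, which is correct on every CPU, and checks alignment so you can see which pointers a strict-alignment core such as the SG-3100's armv6 would fault on if the compiler's optimized code turned them into a single 32-bit load; it also stops on a truncated record rather than reading past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Returns 1 if p is aligned to `align` bytes. On strict-alignment CPUs
 * (the SG-3100's armv6 core is one), a direct 32-bit load through a
 * pointer that fails this check raises SIGBUS, reported as signal 10. */
int is_aligned(const void *p, size_t align) {
    return ((uintptr_t)p % align) == 0;
}

/* Big-endian 32-bit read from any byte offset. Assembling the value
 * from individual bytes never requires an aligned load. The shortcut
 * `*(const uint32_t *)(buf + off)` is what an optimizing compiler may
 * also emit when it assumes alignment; on armv6 that faults whenever
 * `off` is not a multiple of 4. */
uint32_t read_be32(const uint8_t *buf, size_t off) {
    return ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
}

/* Counts complete records in buf[off..len). Each record is an 8-byte
 * header (type, payload_len) followed by payload_len bytes. A length
 * that runs past the end of the buffer ends the walk instead of
 * reading out of bounds, which is how truncated spool files should
 * be handled. */
size_t count_records(const uint8_t *buf, size_t len, size_t off) {
    size_t n = 0;
    while (off + 8 <= len) {
        uint32_t plen = read_be32(buf, off + 4);
        if (plen > len - off - 8)   /* truncated or bogus length */
            break;
        off += 8 + plen;
        n++;
    }
    return n;
}

/* Constructed sample (hypothetical record layout): one padding byte so
 * that every header starts at an odd offset, then two records:
 * type 7 with a 4-byte payload and type 2 with a 2-byte payload.
 * _Alignas(4) makes the array start aligned, so `sample + 1` is not. */
_Alignas(4) const uint8_t sample[] = {
    0x00,                                   /* padding */
    0x00, 0x00, 0x00, 0x07,                 /* type 7 */
    0x00, 0x00, 0x00, 0x04,                 /* payload length 4 */
    0xAA, 0xBB, 0xCC, 0xDD,                 /* payload */
    0x00, 0x00, 0x00, 0x02,                 /* type 2 */
    0x00, 0x00, 0x00, 0x02,                 /* payload length 2 */
    0xEE, 0xFF                              /* payload */
};

int main(void) {
    const uint8_t *hdr = sample + 1;
    printf("first header at %p, 4-byte aligned: %s\n", (const void *)hdr,
           is_aligned(hdr, 4) ? "yes" : "no (would SIGBUS on armv6 if loaded directly)");
    printf("first record type %u, payload length %u\n",
           read_be32(sample, 1), read_be32(sample, 5));
    printf("complete records: %zu\n", count_records(sample, sizeof sample, 1));
    printf("complete records if the file is cut short by one byte: %zu\n",
           count_records(sample, sizeof sample - 1, 1));
    return 0;
}
```

The same byte-wise access pattern is the portable answer whenever a program parses packed binary logs or packet captures, and it does not depend on compiler flags; turning optimizations off, as described above for the armv6 build, is the workaround when the source code is not written this way.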
-
@bmeeks said in Snort alerts to SEIM:
The fix for this will require altering the Barnyard2 makefile configuration settings to turn off compiler optimizations when the executable is being compiled for armv6 hardware
Ah, OK, that makes sense. Do you know of any instructions online for doing this? I'm OK around the Linux command line but not that OK with this sort of change!
-
@siil-it said in Snort alerts to SEIM:
Whenever we change syslog-ng.conf, save it and restart the service, it resets the file back to the previous config. Also, if we try to edit it within the web interface, it states that you can't alter default settings and need to change them on the general tab.
The configuration file resets because almost every service and package on pfSense rewrites its configuration file when the service is stopped/started from within the GUI. So any changes you make to the file on disk are immediately overwritten the next time the service is restarted by the GUI code.
Making manual edits to configuration files for services and packages is almost always futile as the changes will get overwritten on the next service restart.
-
@siil-it said in Snort alerts to SEIM:
Ah, OK, that makes sense. Do you know of any instructions online for doing this? I'm OK around the Linux command line but not that OK with this sort of change!
You will need to create a FreeBSD 11.2 host machine (like a VM) and compile the Barnyard2 package using a customized configuration to turn off compiler optimizations. You will also need to set up the VM to have a cross-platform compiler environment. Instructions can be found on the web.
Once you get the compilation working, you can use pkg on FreeBSD to create a package archive that you can then copy over and install on the SG-3100 appliance.
-
Many thanks for your help. Am hoping that Snort 3 will move away from barnyard onto something else that's being maintained!