Netgate Discussion Forum

How to send Snort alert logs to Graylog without Barnyard2?

IDS/IPS

A Former User (last edited Oct 23, 2018, 10:45 AM)

This post is deleted!
bmeeks (last edited Oct 23, 2018, 4:45 PM)

Snort3, once it arrives in production form, offers JSON logging options that will work better than the old Unified2 logging. There are some implementations out there today using an ELK stack to grab Snort logs. You can search around on Google for some examples.

You are correct that Barnyard2 is really almost dead. I've seen no development work on it in several years, and it has some serious MySQL database interface bugs after the last update it did receive several years back.
A Former User @bmeeks (last edited Oct 24, 2018, 9:46 AM)

This post is deleted!
PipeTenNathan @A Former User (last edited Nov 6, 2018, 1:28 PM)

The best method I've found around this is to edit the rule attached to the interface.

Alert Settings
✓ "Send Alerts to System Log: Snort will send Alerts to the firewall's system log."

Then, on the pfSense interface, head into:
Status > System > Logs > Settings

Remote Logging Options
✓ Enable Remote Logging: Send log messages to remote syslog server.

Although, in my opinion, this isn't particularly secure in comparison to TCP with TLS.
boobletins (last edited Dec 14, 2018, 2:00 AM)

I use filebeat for this (with Suricata JSON logs -- but you could do this with the snort alerts.log just as easily).

My filebeat.yml:

    #------------------------- File prospectors --------------------------------
    # (filebeat 6.x key names; 7.x renamed these to filebeat.inputs / type)
    filebeat.prospectors:
    - input_type: log
      paths:
        - /var/log/suricata/*/eve.json*
      fields_under_root: true
      fields:
        type: "suricataIDPS"
        tags: ["SuricataIDPS","JSON"]
    #----------------------------- Logstash output --------------------------------
    output.logstash:
      hosts: ["x.x.x.x:5044"]
    #---------------------------- filebeat logging -------------------------------
    logging.to_files: true
    logging.files:
      path: /var/log/filebeat
      name: filebeat.log
      keepfiles: 30
PipeTenNathan @boobletins (last edited Mar 1, 2019, 11:14 AM)

@boobletins

Thanks for the code. I adapted it slightly to make it send over TLS. Here is how.

Server (Graylog)

    cd; mkdir beats_certs; cd beats_certs

On Debian or Ubuntu:

    cp /etc/ssl/openssl.cnf custom_openssl.cnf

On CentOS or Red Hat:

    cp /etc/pki/tls/openssl.cnf custom_openssl.cnf

    nano custom_openssl.cnf

Find the section [ v3_ca ] and add a line like the one below that includes your Elastic server's IP address:

    [ v3_ca ]

Add "subjectAltName" underneath like this:

    [ v3_ca ]
    subjectAltName = IP:x.x.x.x

Save the file.
Generate the certs:

    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout beats.key -out beats.crt -config custom_openssl.cnf

In Graylog create a new Beats input (this is TCP; make sure the FW port is open).

Get the paths of the crt and the key and put them into a Graylog input. TICK THE ENABLE TLS option. Ignore the TLS client auth stuff.

    cat beats.crt

(This is also the cert you use for the beats client.)

--------------------------------------

Client (pfSense)

Install beats

Get Suricata outputting to JSON

Configure beats

    mkdir /var/log/filebeat; nano /usr/local/etc/filebeat.yml

    #------------------------- File prospectors --------------------------------
    filebeat.prospectors:
    - input_type: log
      paths:
        - /var/log/suricata/*/eve.json*
      fields_under_root: true
      fields:
        type: "suricataIDPS"
        tags: ["SuricataIDPS","JSON"]
    #----------------------------- Logstash output --------------------------------
    output.logstash:
      hosts: ["x.x.x.x:xxxx"]
      ssl.certificate_authorities: ["/etc/crt/beats.crt"]
    #---------------------------- filebeat logging -------------------------------
    logging.to_files: true
    logging.files:
      path: /var/log/filebeat
      name: filebeat.log
      keepfiles: 7

For a more expanded explanation head to these reference links. You will have to chop the bits out that are relevant and tweak slightly.

https://documentation.wazuh.com/current/installation-guide/optional-configurations/elastic_ssl.html
https://github.com/opc40772/suricata-graylog
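The post above depends on one detail that is easy to get wrong: the self-signed beats.crt must carry the Graylog input's IP in subjectAltName, because Filebeat's `ssl.certificate_authorities` setting makes that file the trust anchor and then checks the IP it connected to against the certificate. The script below is an added example, not code from the thread or from the Graylog or Filebeat projects. It writes a minimal openssl config equivalent to the edited custom_openssl.cnf, generates the key and certificate with the same `openssl req` command as the post, and then checks the two properties the handshake relies on: the SAN is present, and the certificate validates as its own CA for that IP (and is rejected for any other IP). `GRAYLOG_IP` defaults to the documentation address 192.0.2.10 and `WORKDIR` to a temp directory; both are placeholders, and the function names are mine. It assumes an OpenSSL 1.1.0 or newer binary (for `openssl verify -verify_ip`).

```shell
#!/bin/sh
# Added example (not from the thread): build the Beats TLS certificate with
# an IP subjectAltName and verify it the way a Filebeat client would.
GRAYLOG_IP="${GRAYLOG_IP:-192.0.2.10}"   # placeholder: your Graylog Beats input address
WORKDIR="${WORKDIR:-$(mktemp -d)}"       # placeholder: where key/cert are written

# Minimal stand-in for the thread's edited custom_openssl.cnf: the [ v3_ca ]
# section is where the subjectAltName line goes.
make_openssl_cnf() {
    cat > "$WORKDIR/custom_openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = graylog-beats-input

[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectAltName   = IP:$GRAYLOG_IP
EOF
}

# Same command as the post, pointed at the config above.
make_cert() {
    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORKDIR/beats.key" -out "$WORKDIR/beats.crt" \
        -config "$WORKDIR/custom_openssl.cnf" >/dev/null 2>&1
}

# Check 1: the certificate really carries the IP SAN (exit 0 if it does).
cert_has_ip_san() {
    openssl x509 -in "$WORKDIR/beats.crt" -noout -text \
        | grep -q "IP Address:$GRAYLOG_IP"
}

# Check 2: with beats.crt as the only trust anchor (what
# ssl.certificate_authorities does in filebeat.yml), the cert verifies for
# the Graylog IP.
cert_verifies_for_ip() {
    openssl verify -CAfile "$WORKDIR/beats.crt" -verify_ip "$GRAYLOG_IP" \
        "$WORKDIR/beats.crt" >/dev/null 2>&1
}

# Check 3: any other IP is rejected. This is the failure you see when the
# subjectAltName line is missing or the input moves to a new address.
cert_rejects_other_ip() {
    ! openssl verify -CAfile "$WORKDIR/beats.crt" -verify_ip 198.51.100.1 \
        "$WORKDIR/beats.crt" >/dev/null 2>&1
}

make_openssl_cnf && make_cert
```

Run it as `GRAYLOG_IP=<input address> sh beats_cert_check.sh` on the Graylog host and copy the resulting beats.crt to the pfSense client as in the post. Once filebeat.yml is in place on the client, `filebeat test output -c /usr/local/etc/filebeat.yml` attempts the TLS handshake against the input and reports a certificate mismatch before any alerts are shipped.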
rlrobs (last edited Mar 1, 2019, 1:24 PM)

Filebeat is the best option... but how to install Filebeat in pfSense?
https://www.elastic.co/downloads/beats/filebeat
Convert the .deb/.rpm package to pkg?
Use .tar.gz?
bmeeks @rlrobs (last edited Mar 1, 2019, 2:23 PM)

@rlrobs said in How to send Snort alert logs to Graylog without Barnyard2?:

> Filebeat is the best option... but how to install Filebeat in pfSense?
> https://www.elastic.co/downloads/beats/filebeat
> Convert the .deb/.rpm package to pkg?
> Use .tar.gz?

No, it is not likely that things compiled for Linux will work 100% correctly within FreeBSD due to shared library issues.

It is my understanding that Beats in FreeBSD is a new and better (but still compatible) version of Filebeat. So FreeBSD's Beats is the same as Filebeat (at least that's my understanding).
PipeTenNathan @rlrobs (Mar 1, 2019, 3:27 PM; last edited Mar 1, 2019, 3:30 PM)

@rlrobs

    curl --output beats-6.4.2.txz http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/beats-6.4.2.txz

    pkg install beats-6.4.2.txz

Configure pfSense to start Filebeat at startup

The installer of the beats package was good enough to create some rc.d init scripts for Filebeat in /usr/local/etc/rc.d.

Because this is pfSense, and therefore a customized FreeBSD implementation, scripts in this directory must have the .sh file extension to run. Copy the filebeat script:

    cp /usr/local/etc/rc.d/filebeat /usr/local/etc/rc.d/filebeat.sh

If you take a look at the script, it indicates that some settings are configured in /etc/rc.conf.

Again, due to the customization of pfSense, this file is overwritten at startup and should not be edited. However, creating the file /etc/rc.conf.local will take care of this. Set filebeat to boot at startup and specify the configuration file as follows:

    echo "filebeat_enable=yes" >> /etc/rc.conf.local
    echo "filebeat_conf=/usr/local/etc/filebeat.yml" >> /etc/rc.conf.local

This will cause Filebeat to boot at startup. Restart your pfSense firewall and verify with ps:

    ps aux | grep beat

    root 64932 0.0 0.1 10368  2040 - Is 19Mar18 0:00.00 daemon: /usr/local/sbin/filebeat[65093] (daemon)
    root 65093 0.0 0.9 54984 18888 - I  19Mar18 5:37.31 /usr/local/sbin/filebeat -path.home /var/db/beats/filebeat -path.conf
    root 19915 0.0 0.1 14728  2344 1 S+ 21:17   0:00.00 grep beat

done
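The two `echo ... >> /etc/rc.conf.local` lines above work, but they append a new line every time they are run, so a second pass (or a later change of the config path) leaves rc.conf.local with conflicting entries and the last one silently wins. The snippet below is an added example, not from the thread or the beats package, that makes the same edit idempotently: it replaces an existing `name=` line or appends one, reads a value back, and checks whether the filebeat process from the `ps` listing is actually running. `RC_LOCAL`, `set_rc_var`, `get_rc_var` and `filebeat_running` are my names; the defaults target /etc/rc.conf.local, but the functions take the file as an argument so they can be exercised on a scratch file first. It uses a temp file rather than `sed -i` because that flag differs between FreeBSD and GNU sed.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent rc.conf.local edits for
# the Filebeat startup settings described in the post.
RC_LOCAL="${RC_LOCAL:-/etc/rc.conf.local}"   # placeholder default target

# set_rc_var FILE NAME VALUE
# Writes NAME="VALUE" into FILE, replacing an existing NAME= line if present
# so repeated runs never produce duplicate entries.
set_rc_var() {
    file=$1; name=$2; value=$3
    touch "$file"
    if grep -q "^${name}=" "$file"; then
        # portable in-place replace: write to a temp file, then move it over
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_rc_var FILE NAME
# Prints the value of NAME from FILE with surrounding quotes stripped.
get_rc_var() {
    sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}$|\1|p" "$1"
}

# Exit 0 when the daemon from the post's ps listing is running.
filebeat_running() {
    pgrep -f '/usr/local/sbin/filebeat' >/dev/null
}

# Apply the two settings from the post to RC_LOCAL when run directly.
configure_filebeat_startup() {
    set_rc_var "$RC_LOCAL" filebeat_enable YES
    set_rc_var "$RC_LOCAL" filebeat_conf /usr/local/etc/filebeat.yml
}
```

On pfSense, call `configure_filebeat_startup` as root, then `service filebeat.sh start` (or reboot) and confirm with `filebeat_running`; rerunning the function later to change `filebeat_conf` edits the existing line instead of appending a second one.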
PipeTenNathan @bmeeks (Mar 1, 2019, 3:33 PM; last edited Mar 1, 2019, 3:38 PM)

This post is deleted!
PipeTenNathan @bmeeks (last edited Mar 1, 2019, 3:40 PM)

@bmeeks said in How to send Snort alert logs to Graylog without Barnyard2?:

> @rlrobs said in How to send Snort alert logs to Graylog without Barnyard2?:
>
> > Filebeat is the best option... but how to install Filebeat in pfSense?
> > https://www.elastic.co/downloads/beats/filebeat
> > Convert the .deb/.rpm package to pkg?
> > Use .tar.gz?
>
> No, it is not likely that things compiled for Linux will work 100% correctly within FreeBSD due to shared library issues.
>
> It is my understanding that Beats in FreeBSD is a new and better (but still compatible) version of Filebeat. So FreeBSD's Beats is the same as Filebeat (at least that's my understanding).

@bmeeks There is an official beats package for pfSense.

http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.