Snort - barnyard2 - remote syslog - Emerging Threats: missing alert description



  • Hi,

    Currently I have setup snort 3.2.9.6, with barnyard2 remote logging to ingest the logs in an ELK-stack. This all works fine for the Snort ruleset. I recently enabled the ET ruleset as well (free version). When an alert is triggered by the ET-rules, the alert description seems not to be forwarded by barnyard2.

    Example of a syslog message transferring a Snort alert:

    | [SNORTIDS[LOG]: [snort.WAN] ] || 2018-01-28 15:29:04.619+001 2 [122:5:1] portscan: TCP Filtered Portscan || attempted-recon || <src ip="" removed=""><dest ip="" removed="">4 20 48 163 0 2 0 36838 0 || <hex packet="" data="" removed="">|| 
     |</hex></dest></src> 
    

    Example of a syslog message transferring an ET alert:

    | [SNORTIDS[LOG]: [snort.WAN] ] || 2018-01-28 16:04:57.624+001 2 [1:2011716:4] Snort Alert [1:2011716:4] || attempted-recon || 17 <src ip="" removed=""><dest ip="" removed="">4 20 0 439 14179 2 0 59027 0 || 5206 5060 419 41921 || <hex packet="" data="" removed="">|| 
     |</hex></dest></src> 
    

    As you can see, the snort alert sid/gid is repeated as 'description', but in my PFsense alert tab it mentions things like 'ET SCAN Sipvicious Scan' or 'ET SCAN Sipvicious User-Agent Detected (friendly-scanner)'.
    How can I get these descriptions to be sent with the barnyard2 remote syslog?



  • Removed and reinstalled snort, issue is resolved. Perhaps a simple restart would have done the trick as well.