Snort alerts to SEIM



  • We are looking to trial some SEIM solutions to allow us to view the firewall and Snort feeds from multiple PFSense devices.

    After a bit of fiddling, we've got the firewall data feeding into Rapid7 insightIDR but we can't get the Snort data visible.

    Can anyone provide a bit of guidance for setting this up or direct me to a good source of info?

    We're currently using SG-8860's running the latest 2.4.4 release



  • The manual for setting this up is at the link below
    https://insightidr.help.rapid7.com/docs/snort

    It advised setting barnyard2 to local only
    output log_syslog_full: sensor_name $sensor-name, local
    Then modifying the syslog-ng.conf by adding
    destination d_net { tcp("$your_collector_ip" port($event_source-port) log_fifo_size(1000)); };
    above the line
    log { source(s_syslog); destination(d_net); };

    Whenever we change syslog-ng.conf, save it and restart the service, it resets the file back to the previous config. Also if we try to edit it within the web interface it states that you can't alter default settings and need to change them on the general tab.
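    An added example, not part of this thread or of the Rapid7 instructions: once the syslog-ng destination above is delivering, the collector receives barnyard2's alert lines, and the SIEM has to break each one into rule id, priority, protocol and endpoints before it is useful. This C parser does that for the classic Snort fast-alert layout (`[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port`). The sample line, its syslog header and the parser name are constructed for the example; that spo_syslog_full emits exactly this layout is an assumption, so compare against a line captured from your own collector before relying on it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields a SIEM normaliser would want from one Snort alert line. */
struct snort_alert {
    int gid, sid, rev;
    char msg[128];
    char classification[64];
    int priority;
    char proto[8];
    char src_ip[46];
    int src_port;      /* -1 when the protocol carries no port (e.g. ICMP) */
    char dst_ip[46];
    int dst_port;
};

/* Constructed sample: a syslog line as a TCP collector might receive it. The alert body
   follows Snort's classic fast-alert layout; the syslog header is invented for the example. */
const char *SAMPLE_ALERT =
    "Nov  1 16:20:05 pfsense barnyard2[83187]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.0.2.10:80 -> 10.0.0.5:50214";

/* Copy [start, end) into dst, NUL-terminate, and trim surrounding spaces. */
static void copy_span(const char *start, const char *end, char *dst, size_t dstlen) {
    while (start < end && *start == ' ') start++;
    while (end > start && end[-1] == ' ') end--;
    size_t n = (size_t)(end - start);
    if (n >= dstlen) n = dstlen - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Split "ip:port" into its parts; leave port at -1 when there is none.
   Assumes IPv4 (a bare IPv6 literal would be split at its last colon). */
static void split_endpoint(const char *ep, char *ip, size_t iplen, int *port) {
    const char *colon = strrchr(ep, ':');
    *port = -1;
    if (colon && colon[1] != '\0' && strspn(colon + 1, "0123456789") == strlen(colon + 1)) {
        *port = atoi(colon + 1);
        copy_span(ep, colon, ip, iplen);
    } else {
        copy_span(ep, ep + strlen(ep), ip, iplen);
    }
}

/* Parse one line. Returns 0 on success, -1 when the expected markers are missing. */
int parse_snort_alert(const char *line, struct snort_alert *a) {
    const char *p;
    int consumed = 0;
    memset(a, 0, sizeof *a);
    /* Locate the "[gid:sid:rev]" triple; "barnyard2[83187]" in the syslog header does not match. */
    for (p = line; (p = strchr(p, '[')) != NULL; p++) {
        consumed = 0;
        if (sscanf(p, "[%d:%d:%d]%n", &a->gid, &a->sid, &a->rev, &consumed) == 3 && consumed > 0)
            break;
    }
    if (!p) return -1;
    p += consumed;
    const char *cls = strstr(p, "[Classification:");
    const char *pri = strstr(p, "[Priority:");
    const char *msg_end = cls ? cls : pri;
    if (!msg_end) return -1;
    copy_span(p, msg_end, a->msg, sizeof a->msg);
    if (cls) {
        const char *cls_end = strchr(cls, ']');
        if (!cls_end) return -1;
        copy_span(cls + strlen("[Classification:"), cls_end, a->classification, sizeof a->classification);
    }
    if (!pri || sscanf(pri, "[Priority: %d]", &a->priority) != 1) return -1;
    const char *brace = strchr(pri, '{');
    char src[64], dst[64];
    if (!brace || sscanf(brace, "{%7[^}]} %63s -> %63s", a->proto, src, dst) != 3) return -1;
    split_endpoint(src, a->src_ip, sizeof a->src_ip, &a->src_port);
    split_endpoint(dst, a->dst_ip, sizeof a->dst_ip, &a->dst_port);
    return 0;
}

int main(void) {
    struct snort_alert a;
    if (parse_snort_alert(SAMPLE_ALERT, &a) != 0) { puts("no match"); return 1; }
    printf("rule=%d:%d:%d prio=%d %s %s:%d -> %s:%d\n  msg=\"%s\"\n  class=\"%s\"\n",
           a.gid, a.sid, a.rev, a.priority, a.proto, a.src_ip, a.src_port, a.dst_ip, a.dst_port,
           a.msg, a.classification);
    return 0;
}
```

    Build with `cc -Wall parse_alert.c` and run it; the same routine accepts port-less ICMP lines and returns -1 for lines that carry no rule triple at all, such as the kernel "exited on signal 10" line further down in this thread, which is the distinction a collector needs to keep alert events apart from daemon noise.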



  • Update on this...
    We have snort running on a pair of Netgate XG-1541's and they are using barnyard2 to dump data into our SEIM.
    The SG-3100's are currently 50/50 as to passing data. One works and another with exactly the same settings fails! Logs below in reverse order!

    Nov 1 16:16:26	kernel		pid 83187 (barnyard2), uid 0: exited on signal 10 (core dumped)
    Nov 1 16:16:24	barnyard2	83187	Opened spool file '/var/log/snort/snort_mvneta116855/snort_16855_mvneta1.u2.1540984209'
    Nov 1 16:16:24	barnyard2	83187	Using waldo file '/var/log/snort/snort_mvneta116855/barnyard2/16855_mvneta1.waldo': spool directory = /var/log/snort/snort_mvneta116855 spool filebase = snort_16855_mvneta1.u2 time_stamp = 1540984209 record_idx = 1
    Nov 1 16:16:24	barnyard2	83187	Barnyard2 initialization completed successfully (pid=83187)
    Nov 1 16:16:24	barnyard2	83187	--== Initialization Complete ==--
    Nov 1 16:16:24	barnyard2	83187	Writing PID "83187" to file "/var/run/barnyard2_mvneta116855.pid"
    Nov 1 16:16:24	barnyard2	83187	PID path stat checked out ok, PID path set to /var/run
    Nov 1 16:16:24	barnyard2	83187	Daemon initialized, signaled parent pid: 82930
    Nov 1 16:16:24	barnyard2	82930	Daemon parent exiting
    Nov 1 16:16:24	barnyard2	82930	Initializing daemon mode
    Nov 1 16:16:24	barnyard2	82930	Reporting Protocol: udp
    Nov 1 16:16:24	barnyard2	82930	Syslog Server: ***.***.***.***:****
    Nov 1 16:16:24	barnyard2	82930	Detail Level: Fast
    Nov 1 16:16:24	barnyard2	82930	spo_syslog_full config:
    Nov 1 16:16:24	barnyard2	82930	[OpSyslog_Init()]: OUTPUT_TYPE__LOG was selected but operation_mode is set to "default", using defaut logging hook
    Nov 1 16:16:24	barnyard2	82930	using operation_mode: default
    Nov 1 16:16:24	barnyard2	82930	Log directory = /var/log/snort/snort_mvneta116855
    Nov 1 16:16:24	barnyard2	82930	Barnyard2 spooler: Event cache size set to [8192]
    Nov 1 16:16:24	barnyard2	82930	---------------------------- +[ Signature Suppress list ]+
    Nov 1 16:16:24	barnyard2	82930	+[No entry in Signature Suppress List]+
    Nov 1 16:16:24	barnyard2	82930	+[ Signature Suppress list ]+ ----------------------------
    Nov 1 16:16:24	barnyard2	82930	Found pid path directive (/var/run)
    Nov 1 16:16:24	barnyard2	82930	Parsing config file "/usr/local/etc/snort/snort_16855_mvneta1/barnyard2.conf"
    Nov 1 16:16:24	barnyard2	82930	Initializing Output Plugins!
    Nov 1 16:16:24	barnyard2	82930	Initializing Input Plugins!
    Nov 1 16:16:24	barnyard2	82930	--== Initializing Barnyard2 ==--
    Nov 1 16:16:24	barnyard2	82930	Running in Continuous mode
    Nov 1 16:16:24	barnyard2	82930	Found pid path directive (/var/run)
    Nov 1 16:16:24	kernel		mvneta1: promiscuous mode enabled
    Nov 1 16:16:24	php		/tmp/snort_mvneta116855_startcmd.php: [Snort] Barnyard2 START for LAN(mvneta1)...
    Nov 1 16:16:23	php		/tmp/snort_mvneta116855_startcmd.php: [Snort] Snort START for LAN(mvneta1)...
    Nov 1 16:16:23	php		/tmp/snort_mvneta116855_startcmd.php: [Snort] Building new sid-msg.map file for LAN...
    Nov 1 16:16:23	php		/tmp/snort_mvneta116855_startcmd.php: [Snort] Warning - no text rules or IPS-Policy selected for: LAN ...
    Nov 1 16:16:23	php		/tmp/snort_mvneta116855_startcmd.php: [Snort] Updating rules configuration for: LAN ...
    Nov 1 16:16:22	kernel		mvneta1: promiscuous mode disabled
    


  • Signal 10 is a BUS ERROR. The SG-3100 appliance uses an armv6 CPU instead of an Intel amd64 style chip. The FreeBSD cross-compiler for armv6 hardware can produce some illegal instruction sequences in certain cases when compiler optimizations are enabled (and "enabled" is the default for the optimizations setting in the compiler make file). What happens is the resulting "optimized" instruction sequences attempt to access memory on non-aligned boundaries. This generates the Signal 10 error and terminates the process.

    The Signal 10 error is not thrown until a precise section of code containing the illegal instruction sequence is encountered. What is likely happening with your two appliances is they are processing slightly different log data and so one hits the invalid instruction sequence based on the data it is processing while the other does not.

    The fix for this will require altering the Barnyard2 makefile configuration settings to turn off compiler optimizations when the executable is being compiled for armv6 hardware. This same issue exists within the Snort executable for the SG-3100, and it was fixed by turning off compiler optimizations when compiling for armv6 hardware.
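    To make bmeeks's diagnosis concrete, here is an added C example (my own, not barnyard2 or pfSense code) of the memory access that produces signal 10 on a strict-alignment core such as the SG-3100's armv6, next to two portable ways of reading the same bytes. The eight-byte "spool fragment", the offsets and the function names are constructed for the demo; it is not the unified2 format and does not claim to show where barnyard2 itself faults.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed spool fragment: a one-byte tag followed by a 32-bit big-endian value, so the
   value sits at offset 1 and is misaligned for a 4-byte load. The union forces the buffer
   itself onto a 4-byte boundary so the offsets below are meaningful. */
static const union { uint32_t force_align; unsigned char bytes[8]; } SPOOL =
    { .bytes = { 0x07, 0x00, 0x00, 0x01, 0x2C, 0xAB, 0xAB, 0xAB } };

const unsigned char *spool_bytes(void) { return SPOOL.bytes; }

/* True when p may be read as a uint32_t on a strict-alignment CPU. */
int is_aligned4(const void *p) {
    return ((uintptr_t)p & 3u) == 0;
}

/* The pattern that dies with signal 10 (SIGBUS) on the SG-3100's armv6 core: cast a byte
   pointer to uint32_t* and dereference it. The hardware requires 4-byte alignment; x86
   tolerates the same code, so the bug never shows in amd64 testing. Undefined behaviour in C. */
uint32_t read_u32_unsafe(const unsigned char *p) {
    return *(const uint32_t *)p;
}

/* Portable fix 1: memcpy into an aligned local. Compilers emit byte loads where they cannot
   prove alignment and a single plain load where they can, so nothing is lost. */
uint32_t read_u32_host(const unsigned char *p) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Portable fix 2: assemble the value byte by byte, which also pins the byte order
   (big-endian here) instead of inheriting the host's. */
uint32_t read_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode the constructed record: the big-endian value at offset 1 (0x0000012C = 300). */
uint32_t decode_record_value(void) {
    return read_u32_be(SPOOL.bytes + 1);
}

int main(void) {
    const unsigned char *p = SPOOL.bytes + 1;
    printf("offset 1 aligned for uint32: %s\n", is_aligned4(p) ? "yes" : "no");
    printf("big-endian value via byte assembly: %u\n", (unsigned)decode_record_value());
    printf("host-order value via memcpy: 0x%08x\n", (unsigned)read_u32_host(p));
    /* read_u32_unsafe(p) is deliberately not called: on armv6 it raises SIGBUS. */
    return 0;
}
```

    On the appliance the unsafe read ends the process exactly like the kernel line in the log above ("exited on signal 10 (core dumped)"), while an amd64 build of the same code runs clean, which is why the fault only shows on the ARM units. Building with optimisations off, as bmeeks describes, sidesteps the optimiser-generated word load; the memcpy or byte-assembly forms remove the dependence on that compiler setting altogether.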



  • @bmeeks said in Snort alerts to SEIM:

    The fix for this will require altering the Barnyard2 makefile configuration settings to turn off compiler optimizations when the executable is being compiled for armv6 hardware

    Ah, ok that makes sense. Do you know of any instructions online for doing this? I'm ok around the Linux command line but not that ok with this sort of change!



  • @siil-it said in Snort alerts to SEIM:

    Whenever we change syslog-ng.conf, save it and restart the service, it resets the file back to the previous config. Also if we try to edit it within the web interface it states that you can't alter default settings and need to change them on the general tab.

    The configuration file resets because almost every service and package on pfSense rewrites its configuration file when the service is stopped/started from within the GUI. So any changes you make to the file on disk are immediately overwritten the next time the service is restarted by the GUI code.

    Making manual edits to configuration files for services and packages is almost always futile as the changes will get overwritten on the next service restart.



  • @siil-it said in Snort alerts to SEIM:

    Ah, ok that makes sense. Do you know of any instructions online for doing this? I'm ok around the Linux command line but not that ok with this sort of change!

    You will need to create a FreeBSD 11.2 host machine (like a VM) and compile the Barnyard2 package using a customized configuration to turn off compiler optimizations. You will also need to set up the VM to have a cross-platform compiler environment. Instructions can be found on the web.

    Once you get the compilation working, you can use pkg on FreeBSD to create a package archive that you can then copy over and install on the SG-3100 appliance.



  • Many thanks for your help. I'm hoping Snort 3 will move away from barnyard onto something else that's being maintained!