How to send Snort alert logs to Graylog without Barnyard2?





  • Snort3, once it arrives in production form, offers JSON logging options that will work better than the old Unified2 logging. There are some implementations out there today using an ELK stack to grab Snort logs. You can search around on Google for some examples.

    You are correct that Barnyard2 is really almost dead. I've seen no development work on it in several years, and it has some serious MySQL database interface bugs after the last update it did receive several years back.





  • The best method I've found around this is to edit the rule attached to the interface.

    Alert Settings
    ✓ Send Alerts to System Log: "Snort will send Alerts to the firewall's system log."

    Then, in the pfSense interface, head into:
    Status > System Logs > Settings

    Remote Logging Options
    ✓ Enable Remote Logging: "Send log messages to remote syslog server."

    Although, in my opinion, this isn't particularly secure in comparison to TCP with TLS.



  • I use filebeat for this (with Suricata JSON logs -- but you could do this with
    the snort alerts.log just as easily).

    My filebeat.yml:

    #------------------------- File prospectors --------------------------------
    filebeat.prospectors:
      - input_type: log
        paths:
          - /var/log/suricata/*/eve.json*    # one eve.json per Suricata interface
        fields_under_root: true              # put the fields below at the top level of each event
        fields:
          type: "suricataIDPS"
          tags: ["SuricataIDPS", "JSON"]
    #----------------------------- Logstash output --------------------------------
    output.logstash:
      hosts: ["x.x.x.x:5044"]                # Graylog Beats input; Beats speaks the Logstash (lumberjack) protocol
    #---------------------------- filebeat logging -------------------------------
    logging.to_files: true
    logging.files:
      path: /var/log/filebeat
      name: filebeat.log
      keepfiles: 30
    


  • @boobletins

    Thanks for the code. I adapted it slightly to make it send over TLS. Here is how:

    Server (Graylog)

    cd; mkdir beats_certs; cd beats_certs
    

    On Debian or Ubuntu:

    cp /etc/ssl/openssl.cnf custom_openssl.cnf
    

    On CentOS or Red Hat:

    cp /etc/pki/tls/openssl.cnf custom_openssl.cnf
    
    nano custom_openssl.cnf
    

    Find the section [ v3_ca ] and add a line like the one below that includes your Elastic server’s IP address:

    [ v3_ca ]
    

    Add "subjectAltName" underneath like this:

    [ v3_ca ]
    subjectAltName = IP:x.x.x.x
    

    Save the file.
    Generate the certs

    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout beats.key -out beats.crt -config custom_openssl.cnf
    

    In Graylog, create a new Beats input (this is TCP; make sure the firewall port is open).

    Get the paths of the .crt and the key and put them into the Graylog input. Tick the Enable TLS option. Ignore the TLS client auth settings.

    cat beats.crt   (this is also the cert you use for the Beats client)
    --------------------------------------

    Client (pfsense)

    Install beats

    Get suricata outputting to JSON

    Configure beats

    mkdir /var/log/filebeat; nano /usr/local/etc/filebeat.yml
    
    #------------------------- File prospectors --------------------------------
    filebeat.prospectors:
      - input_type: log
        paths:
          - /var/log/suricata/*/eve.json*    # one eve.json per Suricata interface
        fields_under_root: true              # put the fields below at the top level of each event
        fields:
          type: "suricataIDPS"
          tags: ["SuricataIDPS", "JSON"]
    #----------------------------- Logstash output --------------------------------
    output.logstash:
      hosts: ["x.x.x.x:xxxx"]                # Graylog Beats input with TLS enabled
      ssl.certificate_authorities: ["/etc/crt/beats.crt"]   # trust only the cert generated on the Graylog box
    #---------------------------- filebeat logging -------------------------------
    logging.to_files: true
    logging.files:
      path: /var/log/filebeat
      name: filebeat.log
      keepfiles: 7
    

    For a more expanded explanation, head to these reference links. You will have to chop out the bits that are relevant and tweak them slightly.

    https://documentation.wazuh.com/current/installation-guide/optional-configurations/elastic_ssl.html
    https://github.com/opc40772/suricata-graylog
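    The syslog route described earlier in this thread gets Snort alerts to Graylog in the clear, and the Beats route above needs a Filebeat build on pfSense plus the certificate dance. A third option the thread does not show is to parse Snort's own alert lines and push them straight into a Graylog GELF TCP input with TLS enabled. The Python below is an added example written for this page; it is not code from any poster, nor from the Snort or Graylog projects. It handles both the alert_fast file format and the alert_syslog format that the "Send Alerts to System Log" option produces, and it trusts only the certificate generated on the Graylog box, so the transport concern raised with plain syslog goes away. The year and timezone arguments, the priority-to-level mapping, the hosts, ports and file paths are assumptions, and the sample lines are constructed.

```python
"""Ship Snort alert lines to a Graylog GELF TCP input over TLS, without Barnyard2.
Added example for this thread, not code from the thread, Snort or Graylog.
Hosts, ports, paths, the year/timezone and the priority mapping are assumptions."""
import json
import re
import socket
import ssl
from datetime import datetime, timezone

# alert_fast timestamp "MM/DD-HH:MM:SS.uuuuuu"; Snort does not log the year.
FAST_TS_RE = re.compile(r"(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")
# "[gid:sid:rev]" marks where the alert body starts in both the fast and syslog formats.
RULE_ID_RE = re.compile(r"\[\d+:\d+:\d+\]")
BODY_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[\*\*\]\s+)?"                      # fast format closes the message with [**]
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"  # IPv4 only
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
# Snort priority 1 is the most severe. Assumed mapping onto the syslog severities GELF
# uses for "level": 1 -> critical(2), 2 -> warning(4), 3 -> notice(5), else info(6).
PRIORITY_TO_LEVEL = {1: 2, 2: 4, 3: 5}


def parse_alert(line, year, tz=timezone.utc):
    """Return the alert fields as a dict, or None if the line is not a Snort alert.
    Fast-format stamps carry no year or zone, so the caller supplies them; syslog
    lines get no timestamp here and Graylog stamps them on receipt."""
    rid = RULE_ID_RE.search(line)
    body = BODY_RE.match(line[rid.start():].strip()) if rid else None
    if not body:
        return None
    f = body.groupdict()
    alert = {
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "msg": f["msg"], "classification": f["classification"],
        "priority": int(f["priority"]), "proto": f["proto"],
        "src_ip": f["src"], "src_port": int(f["sport"]) if f["sport"] else None,
        "dst_ip": f["dst"], "dst_port": int(f["dport"]) if f["dport"] else None,
        "timestamp": None,
    }
    ts = FAST_TS_RE.search(line[:rid.start()])
    if ts:
        mo, d, h, mi, s, us = (int(x) for x in ts.groups())
        alert["timestamp"] = datetime(year, mo, d, h, mi, s, us, tzinfo=tz).timestamp()
    return alert


def to_gelf(alert, host):
    """Build a GELF 1.1 message; custom fields must carry a leading underscore."""
    gelf = {"version": "1.1", "host": host, "short_message": alert["msg"],
            "level": PRIORITY_TO_LEVEL.get(alert["priority"], 6)}
    for key in ("gid", "sid", "rev", "priority", "classification", "proto",
                "src_ip", "src_port", "dst_ip", "dst_port"):
        gelf["_snort_" + key] = alert[key]
    if alert["timestamp"] is not None:
        gelf["timestamp"] = alert["timestamp"]
    return gelf


def encode_gelf_tcp(gelf):
    """GELF over TCP frames each JSON document with a trailing NUL byte."""
    return json.dumps(gelf, separators=(",", ":")).encode() + b"\0"


def ship_alerts(lines, year, host, graylog_host, graylog_port, cafile):
    """Send every parsable line to a TLS-enabled GELF TCP input; returns the count sent.
    cafile is the self-signed beats.crt from the Graylog box (SAN = its IP), so only
    that server is accepted."""
    ctx = ssl.create_default_context(cafile=cafile)
    sent = 0
    with socket.create_connection((graylog_host, graylog_port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=graylog_host) as tls:
        for line in lines:
            alert = parse_alert(line, year)
            if alert:
                tls.sendall(encode_gelf_tcp(to_gelf(alert, host)))
                sent += 1
    return sent


# Constructed sample lines (not real traffic): alert_fast, alert_syslog, ICMP, non-alert.
SAMPLE_LINES = [
    "01/10-14:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234",
    "Jan 10 14:22:03 pfsense snort[21374]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234",
    "01/10-14:22:05.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "Jan 10 14:22:06 pfsense php-fpm[345]: /index.php: Successful login for user 'admin'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        alert = parse_alert(line, year=2024)
        print(encode_gelf_tcp(to_gelf(alert, "pfsense")) if alert else "not an alert: " + line)
```

    The GELF TCP input is a separate input type from the Beats input used above; enable TLS on it and give `cafile` the same beats.crt. Because fast-format lines never carry the year, `parse_alert` takes it from the caller, and because the syslog-format lines Snort emits carry no Snort timestamp, those messages get Graylog's receive time. To run it live, pass the open alert file to `ship_alerts` with the Graylog address, the GELF TCP port and the certificate path (all assumed values).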



  • Filebeat is the best option... but how to install Filebeat on pfSense?
    https://www.elastic.co/downloads/beats/filebeat
    Convert the .deb/.rpm package to a pkg?
    Use the .tar.gz?



  • @rlrobs said in How to send Snort alert logs to Graylog without Barnyard2?:

    Filebeat is the best option... but how to install Filebeat on pfSense?
    https://www.elastic.co/downloads/beats/filebeat
    Convert the .deb/.rpm package to a pkg?
    Use the .tar.gz?

    No, it is not likely that things compiled for Linux will work 100% correctly within FreeBSD due to shared library issues.

    It is my understanding that Beats in FreeBSD is a new and better (but still compatible) version of Filebeat. So FreeBSD's Beats is the same as Filebeat (at least that's my understanding).



  • @rlrobs

    curl --output beats-6.4.2.txz http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/beats-6.4.2.txz

    # a local .txz archive is installed with pkg add; pkg install resolves names against configured repositories
    pkg add ./beats-6.4.2.txz
    

    Configure pfSense to start Filebeat at startup

    The installer of the beats package was good enough to create some rc.d init scripts for Filebeat in /usr/local/etc/rc.d

    Because this is pfSense and not stock FreeBSD, scripts in this directory must have the .sh file extension to run. Copy the filebeat script:

    cp /usr/local/etc/rc.d/filebeat /usr/local/etc/rc.d/filebeat.sh
    

    If you take a look at the script, it indicates that some settings are configured in /etc/rc.conf.

    Again, because of pfSense's customizations, this file is overwritten at startup and should not be edited. However, creating a file /etc/rc.conf.local will take care of this. Set filebeat to start at boot and specify the configuration file as follows:

    echo "filebeat_enable=yes" >> /etc/rc.conf.local
    echo "filebeat_conf=/usr/local/etc/filebeat.yml" >> /etc/rc.conf.local
    

    This will cause Filebeat to start at boot. Restart your pfSense firewall and verify with ps:

    ps aux | grep beat

    root 64932 0.0 0.1 10368  2040 - Is 19Mar18 0:00.00 daemon: /usr/local/sbin/filebeat[65093] (daemon)
    root 65093 0.0 0.9 54984 18888 - I  19Mar18 5:37.31 /usr/local/sbin/filebeat -path.home /var/db/beats/filebeat -path.conf
    root 19915 0.0 0.1 14728  2344 1 S+ 21:17   0:00.00 grep beat
    

    done





  • @bmeeks said in How to send Snort alert logs to Graylog without Barnyard2?:

    @rlrobs said in How to send Snort alert logs to Graylog without Barnyard2?:

    Filebeat is the best option... but how to install Filebeat on pfSense?
    https://www.elastic.co/downloads/beats/filebeat
    Convert the .deb/.rpm package to a pkg?
    Use the .tar.gz?

    No, it is not likely that things compiled for Linux will work 100% correctly within FreeBSD due to shared library issues.

    It is my understanding that Beats in FreeBSD is a new and better (but still compatible) version of Filebeat. So FreeBSD's Beats is the same as Filebeat (at least that's my understanding).

    @bmeeks There is an official beats package for pfSense.

    http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/

