    Log Snort to sguil(Security Onion)

tbaror:

Hello,

I am looking into the new Barnyard2 Sguil log feature. I am currently using pfSense 2.1 with the Snort package and would like to be able to log to Security Onion's Sguil.
In the Barnyard2 doc an example is mentioned as follows:

output sguil: agent_port=7000 sensor_name=thor

My question is, is it possible to log directly into a remote Sguil, or in any way to Security Onion?

Please advise.
Thanks

fragged:

I've been researching the same thing and I've come to the conclusion that Snort on pfSense would need to include a Sguil output plugin of some sort to get the right type of output. What I have done so far is install Snorby on a VM that runs 24/7 on my desktop, and I'm using Barnyard2 to send alerts to Snorby's MySQL database.

bmeeks:

@tbaror:

Hello,

I am looking into the new Barnyard2 Sguil log feature. I am currently using pfSense 2.1 with the Snort package and would like to be able to log to Security Onion's Sguil.
In the Barnyard2 doc an example is mentioned as follows:

output sguil: agent_port=7000 sensor_name=thor

My question is, is it possible to log directly into a remote Sguil, or in any way to Security Onion?

Please advise.
Thanks

Currently it's not possible for a direct logging connection to any external destination with Snort. The Snort package on pfSense supports the use of Barnyard2, which in turn can send to a remote MySQL database. I currently use Barnyard2 writing to Snorby in my personal setup.

Bill

tbaror:

Thanks all for the answers, but Snorby would be a good solution if it had some alerting rules facility.
So I guess I will abandon Security Onion for now and log into OSSIM (AlienVault); since we have more than 5 pfSenses across the continent, we need to be alerted on security events.

If you have any better suggestion for a security center system like that, I will be glad to learn about it.

Thanks

BBcan177 (Moderator):

For my installation I have pfSense Snort installed on 5 machines, all connected through VPN, and the alerts are going to the pfSense system logs. I set syslog to send all activity to Security Onion, where the alerts are managed by ELSA. https://code.google.com/p/enterprise-log-search-and-archive/

When pfSense creates an alert, the only thing you know is the alert, SRCIP, DSTIP, ports etc. There is no payload data for further review.

So getting pfSense Snort data into Security Onion, particularly into Sguil, Snorby or Squert, will not give you much data, as you will only get the basic alert details. It is possible but not worth the effort, unless someone wants to add some code to pfSense Snort and push the full packet capture to the Security Onion system (would be nice!).

Please take a look at the attached screenshots, where I have 4 pfSense boxes pushing their syslog data to ELSA. It is a fantastic package to drill down and review what a potential attacker has done in your system. Monitoring only the firewall is only part of the process.

ELSA has dashboards and notification capabilities.

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177 #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/

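To make the point above concrete, here is an added example (not code from the thread or from pfSense) that parses the standard Snort alert_syslog line format that a syslog forward carries: it extracts exactly the fields that survive the trip (signature IDs, message, classification, priority, protocol, IPs and ports) and nothing else, since the payload never leaves the sensor. The sample lines are constructed, and the `high_priority` threshold is an assumed convention.

```python
import re
from typing import Optional

# Constructed sample syslog lines in Snort's alert_syslog format; not taken from the thread.
SAMPLE_LOGS = [
    "Oct 12 10:15:02 pfsense snort[12345]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234",
    "Oct 12 10:15:09 pfsense snort[12345]: [1:2003068:7] ET SCAN Potential SSH Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44021 -> 192.0.2.1:22",
    "Oct 12 10:15:11 pfsense snort[12345]: [1:2016149:2] ET INFO Session Traversal Utilities for NAT "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 192.0.2.44:3478 -> 203.0.113.9:3478",
    "Oct 12 10:15:20 pfsense snort[12345]: [1:408:5] ICMP Echo Reply "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.44",
    "Oct 12 10:16:00 pfsense sshd[999]: Accepted publickey for admin from 192.0.2.2 port 5555",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    rf"(?P<src_ip>{IPV4})(?::(?P<src_port>\d+))? -> (?P<dst_ip>{IPV4})(?::(?P<dst_port>\d+))?$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the fields carried by one syslog alert line, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        d[key] = int(d[key])
    for key in ("src_port", "dst_port"):  # absent for ICMP alerts
        d[key] = int(d[key]) if d[key] else None
    return d

def parse_alerts(lines):
    """Parse a batch of syslog lines, skipping anything that is not a Snort alert."""
    return [a for a in (parse_alert(line) for line in lines) if a]

def high_priority(lines, max_priority: int = 1):
    """Alerts at or above the given severity (Snort priority 1 is the most severe)."""
    return [a for a in parse_alerts(lines) if a["priority"] <= max_priority]

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOGS):
        print(f'P{a["priority"]} {a["proto"]} {a["src_ip"]} -> {a["dst_ip"]}: {a["msg"]}')
```

Everything a downstream console can show from such a forward is in the returned dict; pivoting to packet contents requires the full packet capture the post says pfSense does not send.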
BBcan177 (Moderator):

@tbaror:

Thanks all for the answers, but Snorby would be a good solution if it had some alerting rules facility.

The Snorby package in Security Onion has alerting functionality.

