Log Snort to sguil(Security Onion)


  • Hello,

    I am looking into the new Barnyard2 Sguil log feature. I am currently using pfSense 2.1 with the Snort package, and would like to be able to log to Security Onion Sguil.
    In the Barnyard2 doc the following example is mentioned:

    output sguil: agent_port=7000 sensor_name=thor

    My question is, is it possible to log directly into a remote Sguil, or in any way to Security Onion?

    Please advise.
    Thanks


  • I've been researching the same thing and I've come to the conclusion that Snort on pfSense would need to include a Sguil output plugin of some sort to get the right type of output. What I have done so far is install Snorby on a VM that runs 24/7 on my desktop, and I'm using Barnyard2 to send alerts to Snorby's MySQL database.


  • @tbaror:

    Hello,

    I am looking into the new Barnyard2 Sguil log feature. I am currently using pfSense 2.1 with the Snort package, and would like to be able to log to Security Onion Sguil.
    In the Barnyard2 doc the following example is mentioned:

    output sguil: agent_port=7000 sensor_name=thor

    My question is, is it possible to log directly into a remote Sguil, or in any way to Security Onion?

    Please advise.
    Thanks

    Currently it's not possible for a direct logging connection to any external destination with Snort. The Snort package on pfSense supports the use of Barnyard2, which in turn can send to a remote MySQL database. I currently use Barnyard2 writing to Snorby in my personal setup.

    Bill


  • Thanks all for the answers, but Snorby would be a good solution if it had some alerting rules facility.
    So I guess I will abandon Security Onion for now and log into OSSIM (AlienVault), since we have more than 5 pfSenses across the continent and we need to be alerted
    on security events.

    If you have any better suggestion for a security-center-like system, I will be glad to learn about it.

    Thanks

  • Moderator

    For my installation I have pfSense Snort installed on 5 machines, all connected through VPN, and the alerts are going to the pfSense system logs. I set the syslog to send all activity to Security Onion, where the alerts are managed by ELSA. https://code.google.com/p/enterprise-log-search-and-archive/

    When pfSense creates an alert, the only thing you know is the alert, SRCIP, DSTIP, ports etc. There is no payload data for further review.

    So getting pfSense Snort data into Security Onion, particularly into Sguil, Snorby or Squert, will not give you much data, as you will only get the basic alert details. It is possible but not worth the effort, unless someone wants to add some code to pfSense Snort and push the full packet capture to the Security Onion system (would be nice!).

    Please take a look at the attached screenshots, where I have 4 pfSense boxes pushing their syslog data to ELSA. It is a fantastic package to drill down and review what a potential attacker has done in your system. Monitoring only the firewall is only part of the process.

    ELSA has dashboards and notification capabilities.
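    To make the moderator's point concrete (a forwarded Snort syslog alert carries only the rule id, message, classification, priority, protocol and the two endpoints, with no payload), here is an added example that is not from the thread or from pfSense, Security Onion or ELSA. It parses Snort's standard alert_syslog line format out of syslog lines such as those a pfSense box would forward, and tallies high-priority alerts per source IP so a receiver like the one described above could raise a notification. The syslog header prefix (timestamp, hostname, `snort[pid]:`) is an assumed rsyslog-style layout, and the sample lines, addresses and rule ids are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines. The "Mon DD HH:MM:SS host snort[pid]:" prefix
# is an assumed syslog header; everything after it is Snort's own alert_syslog
# format. Addresses are documentation ranges, rule ids are illustrative only.
SAMPLE_LINES = [
    "Jan  5 10:22:13 pfsense-hq snort[21345]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:80 -> 192.0.2.15:51234",
    "Jan  5 10:22:14 pfsense-hq snort[21345]: [1:2008578:7] ET SCAN Sipvicious Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.9:5060 -> 192.0.2.1:5060",
    "Jan  5 10:22:15 pfsense-hq snort[21345]: [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND "
    "[Priority: 3] {TCP} 192.0.2.15:44321 -> 198.51.100.7:22",
    # ICMP alerts have no ports after the addresses.
    "Jan  5 10:22:16 pfsense-hq snort[21345]: [1:100000:1] LOCAL ping sweep "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.1",
    # Unrelated syslog traffic that must be ignored by the parser.
    "Jan  5 10:22:17 pfsense-hq sshd[4000]: Accepted publickey for admin from 192.0.2.50 port 53000",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Snort alert_syslog layout: [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst
# The Classification block is optional (rules without a classtype omit it), and
# the :port suffixes are absent for protocols without ports (ICMP).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    rf"(?P<src_ip>{IPV4})(?::(?P<src_port>\d+))? -> "
    rf"(?P<dst_ip>{IPV4})(?::(?P<dst_port>\d+))?$"
)


@dataclass
class SnortAlert:
    """Everything a forwarded alert line contains. Note: no packet payload."""
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int          # 1 is the most severe
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line.strip())
    if m is None:
        return None
    to_port = lambda s: int(s) if s else None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"].upper(),
        src_ip=m["src_ip"], src_port=to_port(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=to_port(m["dst_port"]),
    )


def parse_log(lines: List[str]) -> List[SnortAlert]:
    """Parse a batch of syslog lines, silently skipping non-Snort lines."""
    return [a for a in map(parse_alert, lines) if a is not None]


def high_priority_sources(alerts: List[SnortAlert], max_priority: int = 2) -> Dict[str, int]:
    """Count alerts at or above a severity threshold per source IP (notification input)."""
    counts: Dict[str, int] = {}
    for a in alerts:
        if a.priority <= max_priority:
            counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_log(SAMPLE_LINES):
        print(f"{a.priority} {a.gid}:{a.sid}:{a.rev} {a.proto} {a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port}  {a.msg}")
    print(high_priority_sources(parse_log(SAMPLE_LINES)))
```

    Because the parsed record has nowhere to put a payload, any further review of what the source actually sent has to come from a full packet capture taken elsewhere, which is exactly the gap the post above describes.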




  • Moderator

    @tbaror:

    Thanks all for the answers, but Snorby would be a good solution if it had some alerting rules facility.

    The Snorby package in Security Onion has alerting functionality.