From: Brian L. <br...@br...> - 2008-05-14 09:50:08
Jon, I am going to have to do the snort from scratch. I have finals at the moment (grad school), so I won't be going into work too much, but I am inspired by your post to roll this from scratch. Have you looked at the O'Reilly "Network Security Hacks" book? It has a Barnyard setup and more. Its hacks have clarified a number of security questions I have had. For snort, I have only currently relied upon the Ossim install CD. I know it doesn't have the ring buffer, so I am going to have to figure this out. I know at my work, we have the Nortel implementation of Sourcefire. I need to figure out if it can give a feed.

brian

On Tue, May 13, 2008 at 06:41:59PM +0200, Jon Uriona wrote:
> Hi again,
>
> The snort issue is about a strange functioning of our compilation. We
> have a new snort that creates correct snort.log files...
>
> Then I still have the rest of my questions... ossim-agent is not parsing
> snort's log at all. There are alerts generated but no event inserted in
> ossim server.
>
> Any ideas??
>
> Regards
>
> Jon
>
> Jon Uriona wrote:
> > Hi all,
> >
> > We have snort (with pf_ring) logging in unified format, analyzing a link
> > at about 50 Mbps. The output line is:
> >
> > "output unified: filename snort, limit 128"
> >
> > At this rate, a file (128 MB) is generated every minute or two. My first
> > question is... Is this normal? There has been a snort config depuration
> > and the alert rate is not very high, so even if the whole packets
> > (generating alerts) are logged, it is a very big amount!! The error
> > should be here... What's your opinion about this??
> >
> > We have an instance of ossim-agent with snortunified plugin, here the
> > config:
> >
> > "[config]
> > type=detector
> > enable=yes
> > source=snortlog
> > process=snort
> > start=no; launch plugin process when agent starts
> > stop=no; shutdown plugin process when agent stops
> > startup=/etc/init.d/%(process)s start
> > shutdown=/etc/init.d/%(process)s stop
> > directory=/var/log/snort/
> > prefix=snort
> > linklayer=ethernet
> > "
> >
> > But there is no snort event logged into the server. How can I assure
> > that ossim-agent is reading the unified files? lsof does not say
> > anything (no open files). Is it going to be fast enough to read that
> > amount of data??
> > How can the agent's unified parser be aware of the rotation of these
> > files (snort logs)? I need to rotate them periodically (disk space is
> > not infinite...) and I need to know how much of the agent's work is done!!
> >
> > Please help!! Regards,
> >
> > Jon
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > ------------------------------------------------------------------------
> > _______________________________________________
> > Os-sim-support mailing list
> > Os-...@li...
> > https://lists.sourceforge.net/lists/listinfo/os-sim-support

-- 
Brian Lavender
http://www.brie.com/brian/
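Jon's two open questions in the quoted message, whether ossim-agent is actually reading the unified spool at all (lsof shows no open files) and how much of the backlog it has worked through before the files are rotated away, can be answered from outside the agent by comparing the spool directory with the consumer's open file descriptors. The script below is an added example, not code from OSSIM, Snort or this thread. It assumes Linux (`/proc/<pid>/fd`), that the unified output plugin names its spool files `snort.log.<unix-timestamp>` (adjust `prefix` and the regex if yours differ), and that you pass the agent's pid. It goes slightly beyond the thread by also listing which older files the consumer has already moved past and so can be rotated without losing events.

```python
#!/usr/bin/env python3
"""Spool backlog check for a rotating unified-log consumer (added example,
not OSSIM or Snort code).  Reports whether a process holds a spool file open,
how many files/bytes lie after it, and which older files are safe to rotate."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class SpoolFile:
    path: str   # full path, e.g. /var/log/snort/snort.log.1210677000
    stamp: int  # timestamp appended at rotation (assumed naming scheme)
    size: int   # bytes on disk


def list_spool(directory: str, prefix: str = "snort.log") -> List[SpoolFile]:
    """Spool files named <prefix>.<timestamp> in directory, oldest first.
    The naming scheme is an assumption about the unified output plugin."""
    pat = re.compile(r"^" + re.escape(prefix) + r"\.(\d+)$")
    found = []
    for name in os.listdir(directory):
        m = pat.match(name)
        if m:
            path = os.path.join(directory, name)
            found.append(SpoolFile(path, int(m.group(1)), os.stat(path).st_size))
    return sorted(found, key=lambda f: f.stamp)


def open_files_of(pid: int) -> Set[str]:
    """Paths the process currently has open, read from /proc/<pid>/fd (Linux).
    Reading another user's fd table needs root."""
    fd_dir = f"/proc/{pid}/fd"
    opened = set()
    for fd in os.listdir(fd_dir):
        try:
            opened.add(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue  # fd closed between listdir and readlink
    return opened


def backlog(files: List[SpoolFile], open_paths: Iterable[str]
            ) -> Tuple[Optional[SpoolFile], List[SpoolFile], int]:
    """Return (file being read, files not yet reached, bytes not yet reached).

    files must be sorted oldest first.  If the consumer has no spool file
    open (the "lsof shows nothing" case) every file counts as pending, which
    is the signal that the plugin never started reading."""
    open_set = set(open_paths)
    current_idx = None
    for i, f in enumerate(files):
        if f.path in open_set:
            current_idx = i  # newest open spool file wins if several are open
    if current_idx is None:
        return None, list(files), sum(f.size for f in files)
    current = files[current_idx]
    pending = files[current_idx + 1:]
    return current, pending, sum(f.size for f in pending)


def safe_to_rotate(files: List[SpoolFile], current: Optional[SpoolFile]) -> List[SpoolFile]:
    """Files strictly older than the one being read: the consumer has moved
    past them, so compressing or deleting them loses no events.  With no
    current file nothing is safe to remove."""
    if current is None:
        return []
    return [f for f in files if f.stamp < current.stamp]


def report(directory: str, pid: int, prefix: str = "snort.log") -> str:
    files = list_spool(directory, prefix)
    current, pending, pending_bytes = backlog(files, open_files_of(pid))
    if current is None:
        return (f"pid {pid} has no {prefix}.* file open; "
                f"{len(files)} files / {pending_bytes} bytes unread")
    return (f"reading {os.path.basename(current.path)}; {len(pending)} files / "
            f"{pending_bytes} bytes behind; "
            f"{len(safe_to_rotate(files, current))} older files safe to rotate")


if __name__ == "__main__":
    import sys
    # usage: spool_backlog.py /var/log/snort <ossim-agent pid>
    print(report(sys.argv[1], int(sys.argv[2])))
```

Run it a few times a minute while Snort is writing: if the "reading" file never advances while new files keep appearing, the parser is not keeping up with the spool rate; if no file is open at all, the plugin is not reading, and the rotation question is moot until that is fixed. Only files reported as safe to rotate should be handed to logrotate or deleted.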