
how to make SNORT work on OSSIM ?

aminekarim
Dear all,

I have been trying to make the existing Snort (on BackTrack) work with OSSIM. From the ISO image, I installed three components of OSSIM (Server, Framework and DB) on the first machine. Then I tried to install ossim-agent on another machine (BackTrack) on the same network, in order to use the Snort already present on BackTrack. Now I am trying tirelessly to make the agent communicate with the server.
On the client side, I followed the steps listed below on my Snort machine:
- I copied the following directories: /etc/ossim/agent/ and /usr/share/ossim-agent, and the file /usr/bin/ossim-agent
- In the file /etc/ossim/agent/config.cfg I added:
[snort_syslog-cfg]
host=127.0.0.1
pass=temporal
port=9390
user=root

[snortunified_eth0-cfg]
host=127.0.0.1
pass=temporal
port=9390
user=test

I activated only the Snort/ossim-agent plugins:

[plugins]
ossim-agent=/etc/ossim/agent/plugins/ossim-agent.cfg
ossim-monitor=/etc/ossim/agent/plugins/ossim-monitor.cfg
snort_syslog=/etc/ossim/agent/plugins/snort_syslog.cfg
snortunified_eth0=/etc/ossim/agent/plugins/snortunified_eth0.cfg

When I check the plugin configuration files, I see:
snort_syslog=/etc/ossim/agent/plugins/snort_syslog.cfg    location: /var/log/%(process)s/alert   ???
snortunified_eth0=/etc/ossim/agent/plugins/snortunified_eth0.cfg    directory: /var/log/snort   ???
On the server side, I activated the Snort sensor in ossim-setup. Finally, when I execute the following command:
# ossim-agent -f -d -c -v /etc/ossim/agent/config.cfg      (or even   ossim-agent -d)
I get the following message:
/usr/share/ossim-agent/ossim_agent/ParserUtil.py:35: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5
Traceback (most recent call last):
  File "/usr/bin/ossim-agent", line 7, in <module>
    from ossim_agent.Agent import Agent
  File "/usr/share/ossim-agent/ossim_agent/Agent.py", line 46, in <module>
    from ParserLog import ParserLog
  File "/usr/share/ossim-agent/ossim_agent/ParserLog.py", line 37, in <module>
    import pyinotify #deb package python-pyinotify
ImportError: No module named pyinotify
 
Are the steps I followed the right ones? Is there any missing configuration? How can I make this agent work? Please advise me with any indication that might be helpful. Thank you.
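The post's setup has several things worth checking before chasing the traceback: the server host/port in each *-cfg section, whether every plugin cfg listed under [plugins] exists, whether the location=/directory= each plugin points at exists once %(process)s is expanded, and whether the Python modules the agent imports (pyinotify here) are installed. The script below is an added example written for this page, not code from OSSIM or from the poster. It assumes that plugin cfgs keep location=/directory= under a [config] section with process= in [DEFAULT], and that ossim-server listens on TCP 40001 by default (the post configures 9390, which the check flags for a second look). The config tree it builds is constructed to mirror the post.

```python
"""Preflight checks for an ossim-agent host (added example, not OSSIM code).

Reads config.cfg, follows [plugins] to each plugin cfg, expands %(process)s as
ConfigParser does, and checks log sources, server settings and the Python modules
the agent imports. Assumed: location=/directory= live under [config] with
'process' in [DEFAULT]; ossim-server's default port is TCP 40001.
"""
import configparser
import importlib
import os
import tempfile

OSSIM_SERVER_PORT = 40001
AGENT_MODULES = ["pyinotify"]  # the import that fails in the post's traceback


def load_cfg(path):
    """Parse an ossim-agent style INI file; duplicate keys are tolerated."""
    cp = configparser.ConfigParser(strict=False)
    cp.read(path)
    return cp


def server_endpoints(cp):
    """Return [(section, host, port)] for every *-cfg section of config.cfg."""
    return [(s, cp.get(s, "host"), cp.getint(s, "port", fallback=OSSIM_SERVER_PORT))
            for s in cp.sections() if s.endswith("-cfg") and cp.has_option(s, "host")]


def enabled_plugins(cp):
    """Map plugin name -> plugin cfg path from the [plugins] section."""
    return dict(cp.items("plugins")) if cp.has_section("plugins") else {}


def plugin_sources(plugin_cfg_path):
    """Yield (key, value) for each location=/directory= a plugin cfg declares;
    an unresolvable %(process)s yields ('error', message) instead."""
    cp = load_cfg(plugin_cfg_path)
    for sec in cp.sections():
        for key in ("location", "directory"):
            if cp.has_option(sec, key):
                try:
                    yield key, cp.get(sec, key)
                except configparser.InterpolationError as exc:
                    yield "error", "%s: %s" % (key, exc)


def missing_modules(names):
    """Return the module names that cannot be imported on this host."""
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    return missing


def check_agent(config_path, modules=AGENT_MODULES):
    """Run the static checks and return a list of human-readable findings."""
    cp, issues = load_cfg(config_path), []
    for sec, host, port in server_endpoints(cp):
        if host.startswith("127."):
            issues.append("%s: host=%s only reaches a server on this same machine" % (sec, host))
        if port != OSSIM_SERVER_PORT:
            issues.append("%s: port=%d is not the ossim-server default %d" % (sec, port, OSSIM_SERVER_PORT))
    for name, path in enabled_plugins(cp).items():
        if not os.path.isfile(path):
            issues.append("plugin %s: cfg %s not found" % (name, path))
            continue
        for key, value in plugin_sources(path):
            if key == "error":
                issues.append("plugin %s: unresolved placeholder in %s" % (name, value))
            elif not os.path.exists(value):
                issues.append("plugin %s: %s=%s does not exist" % (name, key, value))
    for mod in missing_modules(modules):
        issues.append("python module %s is not installed (Debian: python-%s)" % (mod, mod))
    return issues


def build_demo_tree():
    """Write a constructed config tree mirroring the post into a temp dir."""
    root = tempfile.mkdtemp(prefix="ossim-agent-demo-")
    plugins = os.path.join(root, "plugins")
    os.makedirs(plugins)
    os.makedirs(os.path.join(root, "log", "snort"))  # dir exists, alert file does not
    with open(os.path.join(plugins, "snort_syslog.cfg"), "w") as fh:
        fh.write("[DEFAULT]\nprocess=snort\n\n[config]\nlocation=%s/log/%%(process)s/alert\n" % root)
    with open(os.path.join(plugins, "snortunified_eth0.cfg"), "w") as fh:  # no 'process' set
        fh.write("[config]\ndirectory=%s/log/snort\nlocation=%s/log/%%(process)s/alert\n" % (root, root))
    cfg = os.path.join(root, "config.cfg")
    with open(cfg, "w") as fh:
        fh.write("[snort_syslog-cfg]\nhost=127.0.0.1\npass=temporal\nport=9390\nuser=root\n\n"
                 "[plugins]\nsnort_syslog=%s/snort_syslog.cfg\nsnortunified_eth0=%s/snortunified_eth0.cfg\n"
                 "missing=%s/does_not_exist.cfg\n" % (plugins, plugins, plugins))
    return cfg


if __name__ == "__main__":
    for finding in check_agent(build_demo_tree()):
        print(finding)
```

On a real sensor, call check_agent("/etc/ossim/agent/config.cfg") instead of the demo tree. The demo reports the loopback host, the non-default port, the alert file that does not exist under /var/log/snort, the plugin cfg whose %(process)s cannot be expanded because no process= is defined, the plugin cfg that is missing altogether, and the missing pyinotify module (python-pyinotify on Debian-based systems such as BackTrack).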


Comments

  • This!!! (*)

    Doing this now.
  • Can you add more than one location line? or is the location line able to be comma-delimited?
  • For those who are lost, or who struggle with regexps like I did when working this out, I have figured out the regex to get OSSIM to alert on snort_syslog output from Snort installed on pfSense with Barnyard2 logging facilities.

    regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-\_]+|\d+.\d+.\d+.\d+)\s+.(\d+):\s+(\d+):\d+.*{(\w+).*}\s+([\d\.]+):(\d+).*\s+([\d+\.]+):?(\d+)?

    Just insert that into /etc/ossim/agent/plugins/snort_syslog.cfg under the 04_snort-syslog-format section, remembering to comment out the existing regexp.

    If you have already followed the directions to get your Snort sensor forwarding logs via syslog, you're done.

    If not, here's a super brief highlight of what you need to do:

    Forward your logs using the barnyard LOCAL1_INFO and LOCALALERT settings.

    I found out that if you use those settings, you don't have to mess with rsyslog locally.
    However, if you want to, insert these lines into rsyslog.conf before any other rules:

    if $fromhost-ip == 'x.x.x.x' then /var/log/snort/snort.alert.atl-fw1
    & ~

    --don't forget to restart rsyslog.d --

    Back up your configuration files and run ossim-reconfig.

    You should now have the alerts from your remote snort sensor.

    **Note: I have not yet figured out how to get OSSIM to report that it got the data from a device other than itself. When you look in the SIEM, OSSIM still says it is the sensor.**
  • @IanHayes I did exactly what you said in your comment, but I am still receiving nothing on OSSIM.
  • JonTheGuy, hours upon hours searching to find out why it wasn't working... Your regex saved my butt! Thanks!!!