Integrating Snort Alerts with LogRhythm via Barnyard2

Historically, the recommended method for integrating Snort with LogRhythm has been to configure Snort to send alerts directly via syslog to LogRhythm Log Managers. However, in more complex, high-performance environments that also run tools such as Snorby or Sguil for analyzing alerts, it is advisable to use an auxiliary process, Barnyard2, to handle output. This lets Snort write its logs in the much faster binary unified2 format and leaves more resources available for processing network traffic, while Barnyard2 reads those spool files and takes care of the slower output paths (syslog, databases) separately from the capture process.

The steps for this integration are outlined below. These Snort extras can be downloaded and used individually, but the Security Onion Linux distribution bundles them for fast deployments. Security Onion also has a very simple and intuitive configuration process and uses PulledPork for simple, automated rule management. The integration described below is based on a Security Onion installation, but can easily be translated to other environments.


Integration Walk-through

1. After installing Security Onion, run its setup process. For a Snort-only deployment, use the Advanced Setup option so that only the desired programs are installed. For example, although both are useful applications, Bro and ELSA are not needed if the system will only be used for Snort analysis.

2. Once the system has been configured and restarted, Snort and the auxiliary programs should be running. Next, find the Barnyard2 configuration file; the quickest way is to run `ps aux | grep barnyard` from the CLI. The output should include the running Barnyard2 process, which should look something like:

`barnyard2 -c /etc/nsm/SENSOR-eth1/barnyard2-1.conf -d /nsm/sensor_data/SENSOR-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SENSOR-eth1/barnyard2.waldo-1 -i 1 -U`

The `-c` flag names the config file in use and `-d` the spool directory where Snort writes its unified2 files (`-f` is the base filename of those files, `-w` the "waldo" bookmark file that records how far Barnyard2 has read, and `-U` makes timestamps UTC). Because Barnyard2's main job is reading those unified2 logs, this config file is what determines how they are handled. At this point, decide whether the deployment should forward only Snort alerts or all of the sensor's logs. Having all logs from the system is usually preferable, but if Snort is the only interest it is simpler to forward only those events.

Once located, open the barnyard2 config file as root with a text editor (e.g. `sudo nano /etc/nsm/SENSOR-eth1/barnyard2-1.conf`) and comment out the existing `alert_syslog` output by prefixing it with `#`, so that `output alert_syslog: LOG_LOCAL6 LOG_ALERT` becomes `#output alert_syslog: LOG_LOCAL6 LOG_ALERT`. Leaving it active alongside the new output can produce duplicate alerts. The complete config file syntax is described in the Barnyard2 documentation.


3. Now add the new output.

   a. If only Snort alerts are desired, append the line:

   `output log_syslog_full: sensor_name $your_sensor_name, server $your_log_manager_ip, log_priority log_alert, operation_mode default`

   This tells Barnyard2 to send the alerts to the Log Manager via syslog directly.

   b. If all logs are desired, append the line:

   `output log_syslog_full: sensor_name $your_sensor_name, local, log_priority log_alert, operation_mode default`

   This tells Barnyard2 to hand the alerts to the local syslog daemon, where they join the host's other log output. The local syslog daemon then needs to be configured to forward to the Log Manager. Security Onion uses syslog-ng, and its config file is `/etc/syslog-ng/syslog-ng.conf`. Open this file and find the line `# Send the messages to another host` under the Destinations section. Below it, add the line:

   `destination d_net { tcp("$your_log_manager_ip" port(514) log_fifo_size(1000)); };`

   using your Log Manager's address. Near the end of the config file, uncomment the line following `# All messages send to a remote site`, which should look like `log { source(s_src); destination(d_net); };`. Then restart syslog-ng with `sudo service syslog-ng restart`. Note that this `tcp()` destination is plaintext syslog: the path between sensor and Log Manager should be a trusted management network or a tunnel, and TCP 514 must be allowed through any firewall in between.

4. Finally, restart Snort and Barnyard2 by running `sudo rule-update`. Alerts should now be flowing to the Log Manager and on into the SIEM in the default Snort format; running `sudo tcpdump -ni <management interface> host $your_log_manager_ip and port 514` on the sensor is a quick way to confirm that messages are leaving. If updating an existing Snort log source, no additional configuration should be needed. If adding a new system, set the Log Source Type to `Syslog - Snort IDS`. The organization can now get the benefits of LogRhythm's Advanced Intelligence Engine together with highly granular analysis through Snorby or other tools.


Quick outline:

  1. Install and configure the operating system, Snort, and the relevant Snort aids
  2. Find the Barnyard2 config file and comment out the `alert_syslog` line
  3. Add the new syslog output to the Barnyard2 config file:
    1. For Snort alerts only
      1. add `output log_syslog_full: sensor_name $your_sensor_name, server $your_log_manager_ip, log_priority log_alert, operation_mode default`
    2. For all logs
      1. add `output log_syslog_full: sensor_name $your_sensor_name, local, log_priority log_alert, operation_mode default`
      2. add `destination d_net { tcp("$your_log_manager_ip" port(514) log_fifo_size(1000)); };` to the syslog-ng config file
      3. uncomment `log { source(s_src); destination(d_net); };` in the syslog-ng config file
      4. restart syslog-ng
  4. Restart Snort and Barnyard2 (`sudo rule-update`)
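As an added example (not code from the original article, nor from Security Onion, Barnyard2 or LogRhythm), the following POSIX shell script applies the config edits from steps 2 and 3 of the walk-through, and from the outline above, to throwaway copies of the two config files so the result can be reviewed before touching the real ones. The sample config contents, the sensor name `SENSOR-eth1` and the Log Manager address `192.0.2.10` are constructed for illustration; point the functions at `/etc/nsm/.../barnyard2-1.conf` and `/etc/syslog-ng/syslog-ng.conf` only once the output looks right.

```shell
#!/bin/sh
# Added example, not part of the original article or of Security Onion/LogRhythm:
# applies the Barnyard2 and syslog-ng edits from the walk-through to copies of
# the config files so the result can be reviewed before touching /etc/nsm.
# The sensor name SENSOR-eth1, the Log Manager address 192.0.2.10 and the
# sample config contents below are assumptions constructed for illustration.
set -eu

# Constructed sample of the relevant lines of a Security Onion barnyard2 config.
make_sample_barnyard_conf() {
    cat > "$1" <<'EOF'
config reference_file: /etc/nsm/SENSOR-eth1/reference.config
input unified2
output alert_syslog: LOG_LOCAL6 LOG_ALERT
output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost
EOF
}

# Constructed sample of the syslog-ng.conf fragments the walk-through edits.
make_sample_syslog_ng_conf() {
    cat > "$1" <<'EOF'
# Destinations
# Send the messages to another host
destination d_auth { file("/var/log/auth.log"); };
# All messages send to a remote site
#log { source(s_src); destination(d_net); };
EOF
}

# Rewrite FILE in place through a filter command, portably (no GNU "sed -i").
rewrite() {  # rewrite FILE CMD [ARGS...]
    f=$1; shift
    t=$(mktemp)
    "$@" < "$f" > "$t" && mv "$t" "$f"
}

# Steps 2 and 3: comment out alert_syslog, then append one log_syslog_full
# output. MODE is "remote" (Barnyard2 sends straight to the Log Manager) or
# "local" (Barnyard2 hands alerts to the local syslog daemon).
configure_barnyard() {  # configure_barnyard CONF SENSOR LM_IP MODE
    conf=$1 sensor=$2 lm_ip=$3 mode=$4
    rewrite "$conf" sed 's/^output alert_syslog:/#output alert_syslog:/'
    if [ "$mode" = remote ]; then
        printf 'output log_syslog_full: sensor_name %s, server %s, log_priority log_alert, operation_mode default\n' \
            "$sensor" "$lm_ip" >> "$conf"
    else
        printf 'output log_syslog_full: sensor_name %s, local, log_priority log_alert, operation_mode default\n' \
            "$sensor" >> "$conf"
    fi
}

# Step 3b: add the d_net destination below its marker comment and enable the
# log statement that routes s_src to it.
configure_syslog_ng() {  # configure_syslog_ng CONF LM_IP
    conf=$1 lm_ip=$2
    rewrite "$conf" awk -v dest="destination d_net { tcp(\"$lm_ip\" port(514) log_fifo_size(1000)); };" \
        '{ print } /^# Send the messages to another host/ { print dest }'
    rewrite "$conf" sed 's/^#log { source(s_src); destination(d_net); };/log { source(s_src); destination(d_net); };/'
}

# Sanity checks to run before restarting services: there must be no active
# alert_syslog output and exactly one active log_syslog_full output, or
# alerts will be dropped or delivered twice.
active_alert_syslog_count() { grep -c '^output alert_syslog:' "$1" || true; }
active_syslog_full_count()  { grep -c '^output log_syslog_full:' "$1" || true; }

# Demo on throwaway copies (the real files live under /etc/nsm and /etc/syslog-ng).
demo_barnyard=$(mktemp) demo_syslog=$(mktemp)
make_sample_barnyard_conf "$demo_barnyard"
make_sample_syslog_ng_conf "$demo_syslog"
configure_barnyard "$demo_barnyard" SENSOR-eth1 192.0.2.10 local
configure_syslog_ng "$demo_syslog" 192.0.2.10
echo "--- barnyard2 config ---"; cat "$demo_barnyard"
echo "--- syslog-ng config ---"; cat "$demo_syslog"
echo "active alert_syslog outputs: $(active_alert_syslog_count "$demo_barnyard")"
echo "active log_syslog_full outputs: $(active_syslog_full_count "$demo_barnyard")"
rm -f "$demo_barnyard" "$demo_syslog"
```

Run it with `sh` to see the edited copies; the two count functions are the check worth keeping, since a config with both `alert_syslog` and `log_syslog_full` active (or with neither) is the most common way this integration silently goes wrong after a Security Onion upgrade rewrites the config.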