Configuring Open Source SNORT

To configure syslog forwarding on an Open Source SNORT device:

About this task

The following procedure applies to a system that runs Red Hat Enterprise Linux. The steps can vary for other operating systems.

Procedure

  1. Install and configure SNORT on the system that is to forward its alerts.
  2. Open the snort.conf file (typically /etc/snort/snort.conf).
  3. Uncomment the following line:

    output alert_syslog:LOG_AUTH LOG_INFO

    This writes alerts to the local syslog daemon with the auth facility at the info priority, which is exactly the selector that step 10 forwards.

  4. Save and exit the file.
  5. Open the following file:

    /etc/init.d/snortd

  6. Add -s to both daemon lines so that Snort sends its alerts to syslog. Each line appears in the script as a single line; insert -s before -u $USER, as shown:

    daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -s -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
    daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -s -u $USER -g $GROUP $CONF -l $LOGDIR
  7. Save and exit the file.
  8. Restart SNORT by typing the following command:

    /etc/init.d/snortd restart

  9. Open the syslog.conf file (/etc/syslog.conf).
  10. Add the following line. The selector and the action must be separated by white space (a tab is conventional):

    auth.info    @<IP Address>

    Where <IP Address> is the address of the system to which you want the logs sent. The leading @ forwards matching messages over UDP port 514 in clear text; note that the selector also forwards every other auth message of priority info or higher that the host generates, not only Snort alerts.

  11. Save and exit the file.
  12. Restart syslog:

    /etc/init.d/syslog restart
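
The three file edits above (steps 3, 6 and 10) are easy to get subtly wrong by hand: a daemon line that gets -s twice, or a forwarding rule appended a second time. The script below is an added example, not from the original page or the Snort project, that makes the same edits idempotently and exercises them against constructed copies of snort.conf, snortd and syslog.conf in a temporary directory. The sample file contents and the collector address 192.0.2.10 are made up for the demonstration; on a real sensor you would point the functions at /etc/snort/snort.conf, /etc/init.d/snortd and /etc/syslog.conf.

```sh
#!/bin/sh
# Added example: idempotent helpers for the snort.conf, snortd and
# syslog.conf edits in the procedure above. Paths and file contents used
# in demo() are constructed for illustration, not taken from a live host.

# Step 3: strip the leading "#" from the alert_syslog output line.
enable_alert_syslog() {
    sed 's/^[[:space:]]*#[[:space:]]*\(output[[:space:]]*alert_syslog:\)/\1/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Check: is an uncommented alert_syslog output plugin present?
has_alert_syslog() {
    grep -q '^[[:space:]]*output[[:space:]]*alert_syslog:' "$1"
}

# Step 6: put "-s" before "-u $USER" on every snort daemon line that does
# not already carry the flag, so running this twice changes nothing.
add_syslog_flag() {
    sed '/^[[:space:]]*daemon \/usr\/sbin\/snort /{
/ -s /!s/ -u \$USER/ -s -u $USER/
}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check: number of snort daemon lines still lacking "-s" (0 means done).
daemon_lines_without_s() {
    grep '^[[:space:]]*daemon /usr/sbin/snort ' "$1" | grep -vc ' -s ' || true
}

# Step 10: forward auth.info to the collector. Refuses anything that is
# not a dotted-quad IPv4 string and does not duplicate an existing rule.
add_forward_rule() {
    conf="$1"; collector="$2"
    case "$collector" in
        ""|*[!0-9.]*) echo "refusing non-IPv4 collector address: '$collector'" >&2; return 1 ;;
    esac
    if grep -q "^auth\.info[[:space:]]*@${collector}\$" "$conf"; then
        return 0
    fi
    printf 'auth.info\t@%s\n' "$collector" >> "$conf"
}

# Check: which collector (if any) receives auth.info?
forward_target() {
    sed -n 's/^auth\.info[[:space:]]*@\(.*\)$/\1/p' "$1"
}

# Demonstration against constructed copies of the three files.
demo() {
    work=$(mktemp -d)
    # Constructed snort.conf fragment: output plugin still commented out.
    printf '%s\n' '# Step 6: output plugins' \
        '#output alert_syslog:LOG_AUTH LOG_INFO' \
        'output log_tcpdump: tcpdump.log' > "$work/snort.conf"
    # Constructed snortd fragment: the two daemon invocations, no -s yet.
    printf '%s\n' \
        'daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST' \
        'daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR' \
        > "$work/snortd"
    # Constructed syslog.conf with only stock local rules.
    printf '%s\n' '*.info;mail.none;authpriv.none;cron.none /var/log/messages' \
        'authpriv.* /var/log/secure' > "$work/syslog.conf"

    enable_alert_syslog "$work/snort.conf"
    add_syslog_flag "$work/snortd"
    add_syslog_flag "$work/snortd"            # second run must be a no-op
    add_forward_rule "$work/syslog.conf" 192.0.2.10
    add_forward_rule "$work/syslog.conf" 192.0.2.10   # duplicate is skipped
    add_forward_rule "$work/syslog.conf" 'evil;rm -rf /' || echo "bad address rejected"

    has_alert_syslog "$work/snort.conf" && echo "snort.conf: alert_syslog enabled"
    echo "snortd: $(daemon_lines_without_s "$work/snortd") daemon line(s) still lack -s"
    echo "syslog.conf: auth.info -> $(forward_target "$work/syslog.conf")"
    rm -rf "$work"
}
demo
```

After restarting both daemons on a real sensor, confirm the path end to end with `logger -p auth.info "snort forwarding test"` on the sensor and watch for that message on the collector; if it never arrives, check that UDP 514 is open between the hosts before suspecting Snort. On releases that ship rsyslog instead of sysklogd, the same `auth.info @<IP Address>` selector goes in /etc/rsyslog.conf.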

What to do next

You can now configure the log source in QRadar.