
Topic: Snort - barnyard2 - remote syslog - Emerging Threats: missing alert description


MichaelB:
Hi,

Currently I have set up snort 3.2.9.6, with barnyard2 remote logging to ingest the logs into an ELK stack. This all works fine for the Snort ruleset. I recently enabled the ET ruleset as well (free version). When an alert is triggered by the ET rules, the alert description seems not to be forwarded by barnyard2.

Example of a syslog message transferring a Snort alert:
[SNORTIDS[LOG]: [snort.WAN] ] || 2018-01-28 15:29:04.619+001 2 [122:5:1] portscan: TCP Filtered Portscan || attempted-recon || <src ip removed> <dest ip removed> 4 20 48 163 0 2 0 36838 0 || <hex packet data removed> ||

Example of a syslog message transferring an ET alert:
[SNORTIDS[LOG]: [snort.WAN] ] || 2018-01-28 16:04:57.624+001 2 [1:2011716:4] Snort Alert [1:2011716:4] || attempted-recon || 17 <src ip removed> <dest ip removed> 4 20 0 439 14179 2 0 59027 0 || 5206 5060 419 41921 || <hex packet data removed> ||

As you can see, the snort alert sid/gid is repeated as 'description', but in my pfSense alert tab it mentions things like 'ET SCAN Sipvicious Scan' or 'ET SCAN Sipvicious User-Agent Detected (friendly-scanner)'.
How can I get these descriptions sent with the barnyard2 remote syslog?
enabled services:
- snort
- pfblockerNG
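A small check for the symptom described in this post, added here as an example and not code from the thread or from barnyard2: it parses the field layout of the two syslog lines above, and flags alerts whose message is the "Snort Alert [gid:sid:rev]" placeholder that barnyard2 emits when it has no sid-msg.map entry for a rule. The group names and the sample lines (with RFC 5737 addresses standing in for the removed IPs) are my own constructions.

```python
import re

# Field layout of the barnyard2 syslog lines quoted in the post. The group
# names are assumptions; the separators and bracket layout come from the post.
LINE_RE = re.compile(
    r"\[SNORTIDS\[LOG\]: \[(?P<sensor>[^\]]+)\] \] \|\| "
    r"(?P<ts>\S+ \S+) (?P<prio>\d+) "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \|\| (?P<classification>[^|]*) \|\|"
)
# barnyard2 substitutes this text for the rule message when its sid-msg.map
# has no entry for the rule; the ET line in the post shows exactly this.
PLACEHOLDER_RE = re.compile(r"^Snort Alert \[\d+:\d+:\d+\]$")

def parse_alert(line):
    """Return the header fields of one barnyard2 syslog alert, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["classification"] = fields["classification"].strip()
    # True when the sensor forwarded only the rule id instead of its description.
    fields["missing_description"] = PLACEHOLDER_RE.match(fields["msg"]) is not None
    return fields

def find_unmapped(lines):
    """Collect the gid:sid pairs that arrive without a rule message, sorted."""
    unmapped = set()
    for line in lines:
        a = parse_alert(line)
        if a is not None and a["missing_description"]:
            unmapped.add(f"{a['gid']}:{a['sid']}")
    return sorted(unmapped)

# Constructed sample modelled on the two messages in the post; hex payloads
# are shortened to a single byte.
SAMPLE = [
    "[SNORTIDS[LOG]: [snort.WAN] ] || 2018-01-28 15:29:04.619+001 2 [122:5:1] "
    "portscan: TCP Filtered Portscan || attempted-recon || 192.0.2.10 "
    "198.51.100.20 4 20 48 163 0 2 0 36838 0 || 00 || ",
    "[SNORTIDS[LOG]: [snort.WAN] ] || 2018-01-28 16:04:57.624+001 2 [1:2011716:4] "
    "Snort Alert [1:2011716:4] || attempted-recon || 17 192.0.2.10 198.51.100.20 "
    "4 20 0 439 14179 2 0 59027 0 || 5206 5060 419 41921 || 00 || ",
]

if __name__ == "__main__":
    print("rules forwarded without a description:", find_unmapped(SAMPLE))
```

Run against a day of forwarded alerts, a non-empty result points at rules the sensor's sid-msg.map does not cover, which is worth alarming on in the ELK side before the descriptions silently disappear from dashboards.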

MichaelB:
Removed and reinstalled snort; the issue is resolved. Perhaps a simple restart would have done the trick as well.
enabled services:
- snort
- pfblockerNG