Snort 2.0
MARS Expectations of the Snort Syslog Format
The following example Snort syslog messages are used to illustrate the values that are parsed by the
MARS Appliance:
<161>snort: [1:2050:1] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 69.70.113.64:1449 -> 66.243.153.44:1434
<119>Jul 16 10:54:39 SourceFire SFIMS: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 210.22.215.77 -> 67.126.151.137
<161>Mar 12 18:02:22 snort: [ID 702911 local4.alert] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 10.1.1.21:60312 -> 10.1.1.69:80
The MARS parser expects the pattern "[<generator id>:<snort id>:<revision number>]" to identify the
event as one originating from a Snort device. Once that determination is made, MARS looks for either
"{<protocol_string>} <ip>:<port> -> <ip>:<port>" or "{<protocol_string>} <ip> -> <ip>" to identify
the five-tuple values (protocol, source and destination address, source and destination port). The
second form, without ports, is the one seen for ICMP events such as the second example above.
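The two patterns described above, written out as an added example that is not the MARS parser itself and not code from the guide: it recognises the [gid:sid:rev] block, extracts the five-tuple in both the with-port and without-port forms, and decodes the leading syslog <PRI> value to show that <161> is local4.alert. The three sample messages are the guide's own, each joined onto a single line; the field names, the classification and priority extraction, and the handling of an event that carries no five-tuple are my assumptions.

```python
import re

# Added example: a reconstruction of the two patterns the text says the MARS parser
# applies, plus syslog <PRI> decoding. Not Cisco's parser; field names are my own.

# The three sample messages from the guide, each joined onto a single line
# (the guide shows them wrapped). Constructed test input.
SAMPLES = [
    "<161>snort: [1:2050:1] MS-SQL version overflow attempt "
    "[Classification: Misc activity] [Priority: 3]: {UDP} 69.70.113.64:1449 -> 66.243.153.44:1434",
    "<119>Jul 16 10:54:39 SourceFire SFIMS: [1:469:1] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 210.22.215.77 -> 67.126.151.137",
    "<161>Mar 12 18:02:22 snort: [ID 702911 local4.alert] [119:2:1] (http_inspect) DOUBLE "
    "DECODING ATTACK {TCP} 10.1.1.21:60312 -> 10.1.1.69:80",
]

# "[<generator id>:<snort id>:<revision number>]": three numeric fields, so the
# Solaris "[ID 702911 local4.alert]" tag in the third sample does not match.
SNORT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")

# "{<protocol_string>} <ip>:<port> -> <ip>:<port>" or "{<protocol_string>} <ip> -> <ip>";
# the port groups are optional so the ICMP form yields src/dst with sport/dport = None.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FIVE_TUPLE_RE = re.compile(
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(line):
    """Split the leading <PRI> of a syslog line into (facility, severity) names.
    PRI = facility * 8 + severity, so <161> is facility 20 (local4), severity 1 (alert):
    exactly what the LOG_LOCAL4 / LOG_ALERT output plugin configuration produces."""
    m = re.match(r"<(\d+)>", line)
    if m is None:
        return None
    fac, sev = divmod(int(m.group(1)), 8)
    fac_name = "local%d" % (fac - 16) if 16 <= fac <= 23 else "facility%d" % fac
    return fac_name, SEVERITIES[sev]


def parse_snort_syslog(line):
    """Return the fields MARS extracts from one syslog line, or None if the line has
    no [gid:sid:rev] block and so would not be treated as a Snort event."""
    m = SNORT_ID_RE.search(line)
    if m is None:
        return None
    rest = line[m.end():]
    event = {
        "gid": int(m.group(1)),
        "sid": int(m.group(2)),
        "rev": int(m.group(3)),
        # rule message: text after the id block up to the first "[..." or "{..." block
        "msg": re.split(r"\s*[\[{]", rest, maxsplit=1)[0].strip(),
        "classification": None,
        "priority": None,
        "proto": None, "src": None, "sport": None, "dst": None, "dport": None,
    }
    cls = re.search(r"\[Classification:\s*([^\]]+)\]", rest)
    if cls:
        event["classification"] = cls.group(1).strip()
    pri = re.search(r"\[Priority:\s*(\d+)\]", rest)
    if pri:
        event["priority"] = int(pri.group(1))
    t = FIVE_TUPLE_RE.search(rest)
    if t:
        event.update(proto=t.group("proto"), src=t.group("src"), dst=t.group("dst"),
                     sport=int(t.group("sport")) if t.group("sport") else None,
                     dport=int(t.group("dport")) if t.group("dport") else None)
    # Assumption: the guide does not say what MARS does with a Snort event that has
    # no five-tuple; here the ids are kept and the tuple fields stay None.
    return event


if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_pri(sample), parse_snort_syslog(sample))
```

A message that has the five-tuple but no [gid:sid:rev] block is rejected outright, which is the behaviour the text implies: the id block is what makes MARS treat the line as Snort output at all, so an output plugin or log format that drops it will not be recognised no matter how the rest of the line looks.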
Configure Snort to Send Syslogs to MARS
For Snort, use syslog as the output plugin, then configure syslogd on the Snort host to forward copies of
those messages to the MARS Appliance. On most traditional syslogd-based systems (Solaris, Linux), this means
editing /etc/syslog.conf. This procedure assumes the system is based on syslogd and not on one of the newer
system logging facilities, which are not supported by Snort.
To configure Snort to send syslog messages to the MARS Appliance, follow these steps:
Step 1
Make Snort's output go to syslog with log facility local4 in snort.conf (you can pick any local facility that is unused). snort.conf is normally in /etc/snort.
output alert_syslog: LOG_LOCAL4 LOG_ALERT
Step 2
Add a redirector in your /etc/syslog.conf on your Snort box to send syslog to MARS, using the same facility you chose in Step 1 and the IP address of the MARS Appliance in place of IPAddrOffMarsbox.
local4.alert @IPAddrOffMarsbox
Step 3
Restart the Snort daemon and the syslogd daemon on your Snort box.
Add the Snort Device to MARS
To add the Snort device to MARS, follow these steps:
Step 1
Click Admin > System Setup > Security and Monitor Devices > Add
Step 2
From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host
User Guide for Cisco Security MARS Local Controller, 78-17020-01, Chapter 6: Configuring Network-based IDS and IPS Devices, page 6-28
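Before adding the device in the MARS GUI, it is worth confirming that the two lines from the "Configure Snort to Send Syslogs to MARS" procedure agree with each other: the facility chosen in snort.conf has to be the facility that syslog.conf forwards, and it has to be forwarded to the MARS address. The script below is an added example, not part of the guide; the function names are mine, and 192.0.2.10 stands in for IPAddrOffMarsbox rather than naming a real appliance.

```sh
#!/bin/sh
# Added example (not from the MARS guide): check that the snort.conf and
# syslog.conf lines from the procedure above agree with each other and point at
# the MARS Appliance, before restarting snort and syslogd. Function names are
# mine; 192.0.2.10 stands in for IPAddrOffMarsbox and is not a real host.

# Print the facility (e.g. "local4") used by the active "output alert_syslog:"
# line in snort.conf; commented-out lines are ignored. Prints nothing if absent.
snort_syslog_facility() {
    sed -n -E 's/^[[:space:]]*output[[:space:]]+alert_syslog:[[:space:]]*LOG_(LOCAL[0-7]).*/\1/p' "$1" \
        | head -n 1 | tr 'A-Z' 'a-z'
}

# Print the host that syslog.conf ($1) forwards alert-level messages of facility $2
# to. Handles "fac.level", "fac1,fac2.level", "*.level" and ";"-joined selectors.
# A selector at level L forwards everything at L or above, so every level except a
# bare "emerg" catches alert. "=level" / "!level" modifiers are not handled.
syslog_forward_target() {
    awk -v fac="$2" '
        /^[[:space:]]*#/ || NF < 2 || $2 !~ /^@/ { next }
        {
            nsel = split($1, sel, ";")
            for (i = 1; i <= nsel; i++) {
                dot = index(sel[i], "."); if (dot == 0) continue
                lvl = substr(sel[i], dot + 1)
                if (index(",*,debug,info,notice,warning,warn,err,error,crit,alert,", "," lvl ",") == 0) continue
                nfac = split(substr(sel[i], 1, dot - 1), facs, ",")
                for (j = 1; j <= nfac; j++)
                    if (facs[j] == fac || facs[j] == "*") { sub(/^@+/, "", $2); print $2; exit }
            }
        }' "$1"
}

# Return 0 when the facility chosen in snort.conf ($1) is forwarded by
# syslog.conf ($2) to the MARS address ($3); otherwise explain and return 1.
check_snort_to_mars() {
    fac=$(snort_syslog_facility "$1")
    if [ -z "$fac" ]; then
        echo "$1: no active 'output alert_syslog: LOG_LOCALn LOG_ALERT' line" >&2
        return 1
    fi
    target=$(syslog_forward_target "$2" "$fac")
    if [ "$target" != "$3" ]; then
        echo "$2: $fac.alert goes to '${target:-nowhere}', expected @$3" >&2
        return 1
    fi
    echo "ok: snort -> $fac.alert -> @$3"
}

# Usage: sh check_snort_to_mars.sh /etc/snort/snort.conf /etc/syslog.conf 192.0.2.10
if [ "$#" -eq 3 ]; then
    check_snort_to_mars "$1" "$2" "$3"
fi
```

Once the check passes and both daemons have been restarted, the delivery path can be exercised with logger -p local4.alert -t snort followed by the body of one of the sample messages from the start of this section; the resulting line has the same "snort: [gid:sid:rev] ... {proto} ip:port -> ip:port" shape and PRI as the first sample, so MARS will record it as a Snort event (a synthetic one, so choose a sample you will recognise in the event list).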