Open Source Snort - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1 Manual

OPEN SOURCE SNORT

A STRM Open Source SNORT DSM accepts SNORT events using syslog. You can integrate SNORT version 2.x with STRM. STRM records all relevant SNORT events.

Note: The procedure below applies to a system running Red Hat Enterprise Linux. The steps may vary for other operating systems.

Before you configure STRM to integrate with a SNORT device, you must:

Step 1 Configure SNORT on a remote system.
Step 2 Open the snort.conf file.
Step 3 Uncomment the following line, which makes SNORT write alerts to syslog at facility LOG_AUTH, priority LOG_INFO:
output alert_syslog:LOG_AUTH LOG_INFO
Step 4 Save and exit the file.
Step 5 Open the following file:
/etc/init.d/snortd
Step 6 Add -s (log alerts to syslog) to the following lines, as shown in the example below:
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -s -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -s -u $USER -g $GROUP $CONF -l $LOGDIR
Step 7 Save and exit the file.
Step 8 Restart SNORT:
/etc/init.d/snortd restart
Step 9 Open the syslog.conf file.
Step 10 Update the file to reflect the following:
auth.info @<IP Address>
Where <IP Address> is the system to which you want logs sent.
Note: The auth.info selector matches every message logged at facility auth with priority info or higher, not only SNORT alerts, so the STRM host also receives any other auth-facility logging from this system. Classic syslogd forwards these messages over UDP port 514 in the clear; keep the path to the STRM host on a trusted management network.
Step 11 Save and exit the file.
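The script below is an added example and is not part of the Juniper guide or the SNORT project. It applies the three file edits from Steps 3, 6 and 10 (uncomment the alert_syslog output line, add -s to the snortd daemon lines, append the auth.info forwarding rule) and then verifies each one, so the checks can gate the restart in Step 8. The file paths are taken as arguments so it can be tried against a scratch directory first; the sample files it writes are constructed from the fragments quoted above, and the collector address 192.0.2.10 is a documentation address standing in for the STRM host (both assumptions). It places -s directly after the snort binary rather than mid-line as in the guide's listing; SNORT accepts the flag in either position.

```shell
#!/bin/sh
# Added example (not from the Juniper STRM guide): apply the Snort-side edits from
# Steps 3, 6 and 10 to copies of the files, then verify them before restarting snortd.
# Paths are arguments so it can be tried in a scratch directory first; the collector
# address 192.0.2.10 used in the demo is a documentation address (assumption).
set -eu

# Portable in-place edit (GNU and BSD sed differ on "-i").
edit_in_place() {            # edit_in_place <sed-script> <file>
    tmp=$(mktemp)
    sed "$1" "$2" > "$tmp" && mv "$tmp" "$2"
}

# Regex-escape the dots of an IPv4 address so "192.0.2.10" does not match "192x0x2x10".
ip_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Step 3: uncomment the alert_syslog output line in snort.conf.
enable_syslog_output() {     # enable_syslog_output <snort.conf>
    edit_in_place 's/^#[[:space:]]*\(output alert_syslog:LOG_AUTH LOG_INFO\)/\1/' "$1"
}

# Step 6: add -s (log alerts to syslog) to each "daemon /usr/sbin/snort" line that
# does not already carry it, so re-running the script never doubles the flag.
add_syslog_flag() {          # add_syslog_flag <snortd-init-script>
    edit_in_place '/daemon \/usr\/sbin\/snort/{ /[[:space:]]-s[[:space:]]/!{ /[[:space:]]-s$/! s|daemon /usr/sbin/snort |daemon /usr/sbin/snort -s |; }; }' "$1"
}

# Step 10: forward auth.info to the STRM host. Appended only when absent.
add_forward_rule() {         # add_forward_rule <syslog.conf> <collector-ip>
    forward_rule_present "$1" "$2" || printf 'auth.info\t@%s\n' "$2" >> "$1"
}

# Checks; each exits 0 when the edit is in place, so they can gate the restart.
syslog_output_enabled() { grep -q '^output alert_syslog:LOG_AUTH LOG_INFO' "$1"; }
syslog_flag_present() {      # every snort daemon line must carry -s
    total=$(grep -c 'daemon /usr/sbin/snort' "$1" || true)
    with_s=$(grep 'daemon /usr/sbin/snort' "$1" | grep -c '[[:space:]]-s[[:space:]]' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$with_s" ]
}
forward_rule_present() { grep -q "^auth\.info[[:space:]][[:space:]]*@$(ip_regex "$2")\$" "$1"; }

# Constructed sample files mirroring the fragments quoted in the procedure.
write_samples() {            # write_samples <dir>
    cat > "$1/snort.conf" <<'EOF'
# output alert_syslog:LOG_AUTH LOG_INFO
output alert_fast: alert
EOF
    cat > "$1/snortd" <<'EOF'
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR
EOF
    cat > "$1/syslog.conf" <<'EOF'
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
EOF
}

# Apply all three edits; succeed only when every check passes afterwards.
configure_snort_syslog() {   # configure_snort_syslog <dir> <collector-ip>
    enable_syslog_output "$1/snort.conf"
    add_syslog_flag "$1/snortd"
    add_forward_rule "$1/syslog.conf" "$2"
    syslog_output_enabled "$1/snort.conf" && syslog_flag_present "$1/snortd" \
        && forward_rule_present "$1/syslog.conf" "$2"
}

# Demo in a scratch directory. On the real host the files are /etc/snort/snort.conf,
# /etc/init.d/snortd and /etc/syslog.conf, followed by "/etc/init.d/snortd restart".
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
configure_snort_syslog "$demo_dir" 192.0.2.10 && echo "configured in $demo_dir"
```

Run it once against a scratch copy of the three files, confirm the checks pass, and only then point it at the live paths and restart snortd. Because every edit is guarded, running it twice leaves the files unchanged, which matters if the script is folded into a configuration-management run.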