Will Snort Product Package move to 2.0?
Snort product package (v22.214.171.124) currently refers to the Product and Network monitoring package of base 1.0. Are there plans to move this to support Activate base 2.0? Has anyone reconfigured this package to work with Activate base 2.0?
Brian, I was able to import the package and use it properly with base 2.5.1 - I will take a look at the package and see if there are any updates that can be made and update the version information.
Thanks, validation would be nice. I also tested in my environment and found that, following the wiki instructions and just replacing Perimeter and Network Monitoring with Network Monitoring, the product package works (somewhat! See below.)
However, I did notice that the Snort package has a very limited set of filters and, reviewing the Snort Manual, there are several additional classtype:classifications that could be added to the Snort package. While reviewing the Raw Log, I also noticed that the Description, not the classtype, is sent by syslog. This will break the existing filters provided in the Snort product package.
i.e.: /All Filters/ArcSight Activate/Core/Product Filters/Snort NIDS/IDS Suspicious Events/Denial of Service Events
* the Device Event Category = successful-dos; however, the Raw Log will say: <###> BLAH..... [Classification: Denial of Service] BLAH....
I've not seen this live with a DoS Snort alert, and I'm making some assumptions based on other raw logs I'm evaluating, specifically trojan-activity. The raw log only mentions [Classification: A Network Trojan was detected].
Pretty much all the filters need to change to the Description, not the classtype. In addition, for the high/very high device severity filters, the priority could be used instead of specific classtypes if you wanted to.
All in all, if you have some cycles and can verify this, I think it would greatly improve the usability of the Snort product package. I also noticed in the Sourcefire product package that you did the same thing as in the Snort product package (using classtype instead of description); however, as you mention in the Sourcefire product package documentation, it is for the CEF Sourcefire product only (not the generic Snort syslog), so this may work for Sourcefire (I can't verify this one...).
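Added example (not code from the thread or from the ArcSight package): a small Python parser for Snort syslog alert lines that keys a DoS filter on the [Classification: ...] description the raw log actually carries, recovers the classtype from a classification.config-style mapping, and derives a device severity from the priority. The sample log lines, the config excerpt and the priority-to-severity mapping are constructed assumptions; the two classification descriptions are the ones quoted in the post above.

```python
import re
# Constructed classification.config excerpt (Snort's own line format:
# "config classification: <classtype>,<description>,<priority>").
CLASSIFICATION_CONFIG = """
config classification: successful-dos,Denial of Service,2
config classification: trojan-activity,A Network Trojan was detected,1
"""
# Constructed syslog lines in the shape Snort's syslog output emits.
SAMPLE_LOGS = [
    "snort[4242]: [1:1000001:3] EXAMPLE DoS flood [Classification: Denial of Service] "
    "[Priority: 2] {TCP} 203.0.113.10:51000 -> 192.0.2.5:80",
    "snort[4242]: [1:1000002:1] EXAMPLE trojan beacon [Classification: A Network "
    "Trojan was detected] [Priority: 1] {UDP} 192.0.2.7:40000 -> 203.0.113.99:53",
]
# [gid:sid:rev] msg [Classification: description] [Priority: n]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<desc>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]")

def load_classifications(text):
    """Map description -> classtype, since syslog only carries the description."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"config classification:\s*([^,]+),([^,]+),\d+", line.strip())
        if m:
            table[m.group(2).strip()] = m.group(1).strip()
    return table

def parse_alert(line, table):
    """Fields a filter can key on, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    desc = m.group("desc").strip()
    return {"event_class_id": f"{m.group('gid')}:{m.group('sid')}",  # gid:sid
            "sid": int(m.group("sid")), "description": desc,
            "priority": int(m.group("prio")), "classtype": table.get(desc)}

def is_dos_event(alert):
    """Filter keyed on the description in the raw log, not on the classtype."""
    return alert["description"] == "Denial of Service"

def device_severity(alert):
    """Assumed mapping from Snort priority: 1 -> Very-High, 2 -> High, else Medium."""
    return {1: "Very-High", 2: "High"}.get(alert["priority"], "Medium")

def matching_sids(lines, predicate):
    """SIDs of the alerts in lines that satisfy predicate (non-alert lines skipped)."""
    table = load_classifications(CLASSIFICATION_CONFIG)
    return [a["sid"] for a in (parse_alert(l, table) for l in lines) if a and predicate(a)]
```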
I will take a look at this when I can grab the test events - re: the "Description", I am fairly sure it's parsed out for the deviceEventClassId. As for the other info you mentioned - I will take a gander.
In my logs and version of connector, the deviceEventClassID is the snort genID:sid. Not sure what the snort syslog connector refers to by "event string" going into deviceEventClassID.
Agreed. I just noticed that the filters are indeed the ID. This could use some updating, I am taking a look - we'll see what we can come up with. Are you using Snort 3.0? And what version of Connector?
Hi Brian, I have indeed found the issue. I am going to completely update the package later today, can I send you the beta to test for me? After we do some testing I will request it be officially updated. Can you also please send me a batch of raw logs nice and zipped up? Please use email@example.com - thanks!
Hi all, I updated this and passed it along to Brian. I will send it to the Marketplace folks to have it updated on the site.