Lieutenant

Will Snort Product Package move to 2.0?

Snort product package (v1.1.0.1) currently refers to the Product and Network monitoring package of base 1.0.  Are there plans to move this to support activate base 2.0?  Has anyone reconfigured this package to work with activate base 2.0?

Micro Focus Frequent Contributor

The base is up to 2.5.1 - I have some time today, I will grab some Snort events and test the package on it.

D.

Micro Focus Frequent Contributor

Brian, I was able to import the package and use it properly with base 2.5.1 - I will take a look at the package and see if there are any updates that can be made and update the version information. 

Lieutenant

Thanks, validation would be nice.  I also tested in my environment and found following the wiki instruction, just replace Perimeter and Network Monitoring with Network Monitoring and the product package works (somewhat! See below.)

However, I did notice that the Snort package has a very limited set of filters and, reviewing the Snort Manual, there are several additional classtype:classifications that could be added to the Snort package. While reviewing the Raw Log, I also noticed that the Description, not the classtype, is sent by syslog. This will break the existing filters provided in the Snort product package.

i.e.: /All Filters/ArcSight Activate/Core/Product Filters/Snort NIDS/IDS Suspicious Events/Denial of Service Events

* the Device Event Category = successful-dos, however, the Raw Log will say, <###> BLAH..... [Classification: Denial of Service] BLAH....

I've not seen this live with a DoS Snort alert and I'm making some assumptions based on other raw logs I'm evaluating, specifically trojan-activity.  Raw log only mentions [Classification: A Network Trojan was detected]

Pretty much all the filters need to change to the Description, not the classtype. In addition, for the high/very high device severity filters, the priority could be used instead of specific classtypes if you wanted to.

All in all, if you have some cycles and can verify this, I think it would greatly improve the usability of the Snort product package. I also noticed in the Sourcefire product package that you did the same thing as in the Snort product package (using classtype instead of description); however, as you mention in the Sourcefire product package documentation, it is for the CEF Sourcefire product only (not the generic Snort syslog), so this may work for Sourcefire (I can't verify this one...).

[Attached image: snort_classtypes.PNG]

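An added example (my own code, not from the package or this thread) of what the post above is pointing at: a small parser for the standard Snort alert_syslog line layout that pulls out the classification description and priority, so a filter can match on what syslog actually carries rather than on the classtype. The description-to-classtype table is a partial copy of entries from Snort's classification.config, and the log lines are constructed samples.

```python
import re

# Field layout of a Snort alert_syslog line (assumed standard format; see the constructed samples below).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]"
)

# Partial mapping of description text back to classtype, from Snort's classification.config.
DESCRIPTION_TO_CLASSTYPE = {
    "Denial of Service": "successful-dos",
    "Attempted Denial of Service": "attempted-dos",
    "A Network Trojan was detected": "trojan-activity",
    "Potentially Bad Traffic": "bad-unknown",
    "Attempted Administrator Privilege Gain": "attempted-admin",
}

def parse_alert(line):
    """Return the fields a filter needs, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    desc = m.group("classification").strip()
    return {
        "deviceEventClassId": f"{m.group('gid')}:{m.group('sid')}",  # genID:sid, as seen in the connector
        "message": m.group("msg"),
        "classification": desc,
        "classtype": DESCRIPTION_TO_CLASSTYPE.get(desc),  # None when the description is not in the table
        "priority": int(m.group("priority")),
    }

def is_dos_event(event):
    # Match on the description syslog carries, not on the classtype the old filter expected.
    return event["classification"] in ("Denial of Service", "Attempted Denial of Service")

def device_severity(event):
    # Snort priority 1 is the most urgent; bucket it the way a severity filter would.
    return {1: "Very-High", 2: "High", 3: "Medium"}.get(event["priority"], "Low")

SAMPLE_LOGS = [  # constructed sample lines in alert_syslog format
    "Jan 12 10:15:23 ids1 snort[2210]: [1:1000001:3] TEST DoS flood [Classification: Denial of Service] [Priority: 2] {UDP} 203.0.113.7:5000 -> 192.0.2.10:53",
    "Jan 12 10:15:24 ids1 snort[2210]: [1:1000002:1] TEST trojan beacon [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.20:49152 -> 203.0.113.9:443",
    "Jan 12 10:15:25 ids1 snort[2210]: [1:1000003:2] TEST odd traffic [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.21:49153 -> 203.0.113.9:80",
]

def filter_dos(lines):
    """IDs of the events a description-based 'Denial of Service Events' filter would keep."""
    events = [e for e in map(parse_alert, lines) if e]
    return [e["deviceEventClassId"] for e in events if is_dos_event(e)]
```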
Micro Focus Expert

The Sourcefire package uses the descriptions as the classtypes aren't available in the events from the script.

Micro Focus Frequent Contributor

I will take a look at this when I can grab the test events - re: the "Description", I am fairly sure it's parsed out for the deviceEventClassId.  As for the other info you mentioned - I will take a gander.

Lieutenant

In my logs and version of connector, the deviceEventClassID is the snort genID:sid.  Not sure what the snort syslog connector refers to by "event string" going into deviceEventClassID.

Micro Focus Frequent Contributor

Agreed.  I just noticed that the filters are indeed the ID.  This could use some updating, I am taking a look - we'll see what we can come up with.  Are you using Snort 3.0?  And what version of Connector?

Lieutenant

I'm using connector version 7.3.0.7886 and Snort version 2.9.9.

Micro Focus Frequent Contributor

Hi Brian, I have indeed found the issue.  I am going to completely update the package later today, can I send you the beta to test for me?  After we do some testing I will request it be officially updated.  Can you also please send me a batch of raw logs nice and zipped up?  Please use donald.chapell@hpe.com - thanks!

Micro Focus Frequent Contributor

Hi all, I updated this and passed it along to Brian.  I will send it to the Marketplace folks to have it updated on the site.

Thanks.

D.
