I have a Snort box that I would like to forward alerts to ESM via syslog. Where and how in ESM do I configure that?
What configuration? Are you using Barnyard2?
I'm using Snort v2.9.7.6; my Snort has customized alert rules and I would like it to forward to McAfee via syslog. Is that supported?
thanks!
Barnyard2 is supported for Snort, and can be downloaded from the support web site. I am not sure about custom alerts yet.
Look under Data Source Vendor: Source Fire, then look under Data Source Model: Source Fire NS/RNA (ASP). This should work for your Snort events. I use it; I made some modifications to the rule to grab additional data.
http://www.mcafee.com/us/resources/data-sheets/ds-siem-supported-devices.pdf
Snort NIDS IDS / IPS All Use SourceFire NS/RNA (ASP) data source
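Added here as an illustration, not code from the thread, from McAfee or from the Snort project: a parser for the Snort 2.9 alert_syslog line layout, showing the fields (GID/SID/rev, message, classification, priority, protocol, endpoints) an ESM data source parsing rule has to pull out of each forwarded alert, and flagging custom rules by the SID >= 1,000,000 convention that local.rules signatures normally follow. The sample lines are constructed, and IPv4 addresses are assumed.

```python
import re
from typing import Optional

LOCAL_SID_MIN = 1_000_000  # convention: locally written rules use SIDs >= 1,000,000

# Snort 2.9 alert_syslog layout: [gid:sid:rev] msg [Classification: x] [Priority: n]
# {PROTO} src[:port] -> dst[:port]  (Classification and ports are optional; IPv4 assumed)
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

def parse_snort_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)  # search(), not match(): skips the syslog PRI/timestamp/host prefix
    if not m:
        return None
    sid = int(m["sid"])
    return {
        "gid": int(m["gid"]), "sid": sid, "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
        "proto": m["proto"],
        "src_ip": m["src"], "src_port": int(m["sport"]) if m["sport"] else None,
        "dst_ip": m["dst"], "dst_port": int(m["dport"]) if m["dport"] else None,
        "local_rule": sid >= LOCAL_SID_MIN,  # custom signature: the SIEM has no built-in name for it
    }

def summarize(lines) -> dict:
    """Count parsed vs rejected lines and custom vs vendor rules for a parsing-rule sanity check."""
    out = {"parsed": 0, "unparsed": 0, "local": 0, "vendor": 0}
    for line in lines:
        alert = parse_snort_alert(line)
        if alert is None:
            out["unparsed"] += 1
            continue
        out["parsed"] += 1
        out["local" if alert["local_rule"] else "vendor"] += 1
    return out

# Constructed sample lines as a syslog collector would receive them.
SAMPLE_LINES = [
    "<33>Mar 10 14:02:11 sensor1 snort[2112]: [1:1000001:3] LOCAL suspicious user-agent "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:51234 -> 10.2.2.7:80",
    "<33>Mar 10 14:02:12 sensor1 snort[2112]: [1:408:5] ICMP Echo Reply "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.2.2.7 -> 10.1.1.5",
    "<33>Mar 10 14:02:13 sensor1 snort[2112]: [1:1000002:1] LOCAL no classtype set "
    "[Priority: 1] {UDP} 10.1.1.9:5353 -> 224.0.0.251:5353",
]
```

Running `summarize(SAMPLE_LINES)` on a capture from the real sensor shows quickly whether every alert shape the custom rules produce (no classtype, no ports) is still picked up before the ESM parsing rule is modified.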
thanks, will check it out.
For Snort via syslog, do you think the configuration is thru ESM's System Properties - Event Forwarding - Format of 'Syslog (snort)'?