How to configure ESM to receive incoming Snort alerts?

I have a Snort box that I would like to forward alerts to ESM via syslog.  Where and how in ESM do I configure that?

6 Replies

Re: How to configure ESM to receive incoming Snort alerts?

What configuration? Are you using Barnyard2?

Re: How to configure ESM to receive incoming Snort alerts?

I'm using Snort v2.9.7.6; my Snort has customized alert rules and I would like it to forward to McAfee via syslog. Is that supported?

thanks!

Re: How to configure ESM to receive incoming Snort alerts?

Barnyard2 is supported for Snort, and can be downloaded from the support web site. I am not sure about custom alerts yet.

Re: How to configure ESM to receive incoming Snort alerts?

Look under Data Source Vendor: Source Fire, then look under Data Source Model: Source Fire NS/RNA (ASP). This should work for your Snort events. I use it; I made some modifications to the rule to grab additional data.

http://www.mcafee.com/us/resources/data-sheets/ds-siem-supported-devices.pdf

Snort NIDS | IDS / IPS | All | Use SourceFire NS/RNA (ASP) data source

Re: How to configure ESM to receive incoming Snort alerts?

thanks, will check it out.

Re: How to configure ESM to receive incoming Snort alerts?

For Snort via syslog, do you think the configuration is through ESM's System Properties - Event Forwarding - Format of 'Syslog (snort)'?
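As an added example (not from this thread, McAfee or the Snort project): a small Python parser for the alert_syslog line shape that Snort or Barnyard2 forward, which lets you check on the collector side that alerts from custom rules (SIDs 1,000,000 and up) arrive with the fields a syslog-based data source parser has to extract. The sample lines are constructed, and the syslog header is assumed to be the usual timestamp, host and program[pid] prefix.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of a Snort/Barnyard2 alert_syslog record after the syslog header:
#   [gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The header (timestamp, host, program[pid]) varies by sensor, so match from the SID triple.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # absent when the rule has no classtype
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"        # ICMP alerts carry no ports
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)
LOCAL_SID_MIN = 1_000_000  # Snort reserves SIDs from 1,000,000 upward for local (custom) rules


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def is_custom_rule(self) -> bool:
        return self.sid >= LOCAL_SID_MIN


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return the parsed alert, or None for non-alert syslog lines (startup messages, stats)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    port = lambda v: int(v) if v else None  # noqa: E731 - keep the constructor call short
    return SnortAlert(int(g["gid"]), int(g["sid"]), int(g["rev"]), g["msg"], g["cls"],
                      int(g["prio"]), g["proto"], g["src"], port(g["sport"]),
                      g["dst"], port(g["dport"]))


def summarize(lines):
    """Count what a collector sees: parsed alerts, custom-rule alerts, and lines it cannot parse."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    return {"alerts": len(alerts),
            "custom": sum(a.is_custom_rule for a in alerts),
            "unparsed": len(lines) - len(alerts)}


# Constructed sample lines (not captured from any real sensor).
SAMPLE_LINES = [
    "Jan 12 10:00:01 sensor1 snort[2231]: [1:1000001:3] LOCAL Outbound DNS TXT burst "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.2.3:53211 -> 10.1.2.254:53",
    "Jan 12 10:00:02 sensor1 snort[2231]: [1:384:7] ICMP PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.3 -> 10.1.2.1",
    "Jan 12 10:00:03 sensor1 snort[2231]: [1:1000002:1] LOCAL SMB to server segment "
    "[Priority: 3] {TCP} 10.1.2.3:44120 -> 192.168.10.5:445",
    "Jan 12 10:00:04 sensor1 snort[2231]: Commencing packet processing (pid=2231)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_alert(line))
    print(summarize(SAMPLE_LINES))  # {'alerts': 3, 'custom': 2, 'unparsed': 1}
```

Pipe a captured syslog file through `summarize` before pointing the sensor at ESM: an "unparsed" count that grows with your custom rules usually means the message text or a missing classtype is breaking the expected field layout.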