Firesight (Sourcefire, now part of Cisco) was originally developed by the same people who wrote Snort, and it runs the commercial VRT Snort rule feed underneath. Its syslog alert output is in a slightly different format from stock Snort, but OSSIM can be tweaked to read the syslog alerts in.
1. In your Firesight intrusion policy click on Advanced Settings -> Syslog Alerting.
2. Enter the IP address of your OSSIM server and assign a priority and the other settings you need.
3. Save and push the policy to your Sourcefire nodes.
4. On the OSSIM box, connect over SSH and select Jailbreak from the menu to drop to a shell.
5. Next we need to route the alerts into the Snort alert file. Create a new file /etc/rsyslog.d/zzzzz_snort_syslog.conf and add this text (the "& ~" lines discard the message once it has been written, so it is not also handled by later rules):
if $msg contains 'SFIMS' then -/var/log/snort/alert
& ~
if $syslogtag contains 'SFIMS' then -/var/log/snort/alert
#Stop
& ~
6. Now edit the snort-syslog plugin config so that the agent understands the Firesight format. Edit /etc/ossim/agent/plugins/snort_syslog.cfg and add this stanza at the bottom:
[05_snort-syslog-sourcefire-format]
event_type=event
regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([a-zA-Z0-9\-]+)\s+[SFIMS:]{1,6}\s+\[([a-zA-Z0-9_\s]+)\s+\(([0-9a-z\-]+)\)\]\[(.+)\]\[(([0-9]+)\:([0-9]+)\:[0-9]+)\]\s+\"(.+)\"\s+\[Classification\:\s+(.+)\]\s+User\:\s+(.+)\,\s+Application\:\s+(.+)\,\s+Client:\s+(.+)\,\s+App Protocol\:\s+(.+)\,\s+Interface Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Interface Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Context\:\s+([a-zA-Z\-\_0-9]+)\,\s+\[Priority\:\s+([0-9]+)\]\s+\{([A-Z]+)\}\s+([0-9.]+):([0-9]+)\s->\s([0-9.]+):([0-9]+)
date={normalize_date($1)}
device={resolv($2)}
plugin_id=1001
plugin_sid={$8}
protocol={$21}
src_ip={$22}
src_port={$23}
dst_ip={$24}
dst_port={$25}
userdata1={$5}
userdata2={$4}
userdata3={$9}
userdata4={$15}
userdata5={$16}
userdata6={$17}
userdata7={$18}
userdata8={$20}
7. Save the file.
8. Now enable the collector. Run ossim-setup to open the OSSIM curses menu, choose Configure Sensor -> Configure Data Source Plugins, select snort-syslog, then click OK -> Back -> Apply all Changes. This starts the snort-syslog collector.
9. Generate some test alerts in Sourcefire, then check in the OSSIM GUI that they have been processed.
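Before pushing the stanza live it is worth checking the regexp against a captured line, because a line the regexp does not match is dropped by the agent with no event and no error. The Python below is an added example (not part of the original post or of the OSSIM agent code): it applies the stanza's regexp and group mapping to a constructed Firesight syslog line, and shows that removing a single expected field yields no event at all. The hostname, engine UUID, rule text and addresses are made up.

```python
import re

# Regexp copied verbatim from the snort_syslog.cfg stanza above (Python re,
# which is what the OSSIM agent uses to apply plugin regexps).
FIRESIGHT_REGEXP = re.compile(
    r"(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([a-zA-Z0-9\-]+)\s+[SFIMS:]{1,6}\s+"
    r"\[([a-zA-Z0-9_\s]+)\s+\(([0-9a-z\-]+)\)\]\[(.+)\]\[(([0-9]+)\:([0-9]+)\:[0-9]+)\]\s+"
    r"\"(.+)\"\s+\[Classification\:\s+(.+)\]\s+User\:\s+(.+)\,\s+Application\:\s+(.+)\,\s+"
    r"Client:\s+(.+)\,\s+App Protocol\:\s+(.+)\,\s+Interface Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+"
    r"Interface Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+"
    r"Security Zone Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Context\:\s+([a-zA-Z\-\_0-9]+)\,\s+"
    r"\[Priority\:\s+([0-9]+)\]\s+\{([A-Z]+)\}\s+([0-9.]+):([0-9]+)\s->\s([0-9.]+):([0-9]+)"
)

# OSSIM field -> capture group, exactly as the stanza's right-hand side has it.
FIELD_MAP = {
    "date": 1, "device": 2, "plugin_sid": 8, "protocol": 21,
    "src_ip": 22, "src_port": 23, "dst_ip": 24, "dst_port": 25,
    "userdata1": 5, "userdata2": 4, "userdata3": 9, "userdata4": 15,
    "userdata5": 16, "userdata6": 17, "userdata7": 18, "userdata8": 20,
}

# Constructed sample line, as rsyslog would write it to /var/log/snort/alert
# (hostname, engine UUID, rule text and addresses are all made up).
SAMPLE_ALERT = (
    'Jun  3 14:22:01 fmc01 SFIMS: [Primary Detection Engine '
    '(a1b2c3d4-0001-4000-8000-000000000001)][Default Intrusion Policy]'
    '[1:2100498:7] "PROTOCOL-ICMP constructed test alert" '
    '[Classification: Misc activity] User: Unknown, Application: Unknown, '
    'Client: Unknown, App Protocol: Unknown, Interface Ingress: s1p1, '
    'Interface Egress: s1p2, Security Zone Ingress: outside, '
    'Security Zone Egress: inside, Context: Unknown, [Priority: 3] {ICMP} '
    '203.0.113.10:0 -> 192.0.2.20:0'
)


def parse_firesight_alert(line):
    """Return the event fields the stanza would emit for one syslog line, or
    None when the regexp does not match (the agent then drops the line)."""
    m = FIRESIGHT_REGEXP.match(line)
    if not m:
        return None
    event = {name: m.group(num) for name, num in FIELD_MAP.items()}
    event["plugin_id"] = "1001"  # fixed by the stanza, not captured
    return event


if __name__ == "__main__":
    print(parse_firesight_alert(SAMPLE_ALERT))
    # Removing one expected field (Context) leaves nothing: no partial event.
    print(parse_firesight_alert(SAMPLE_ALERT.replace(", Context: Unknown", "")))  # None
```

Run the script against real lines from /var/log/snort/alert in place of SAMPLE_ALERT; any None means that line's format differs from what the stanza expects.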
