--- Fabiano <[EMAIL PROTECTED]> wrote:
>
> Hello, everyone!
>
> I'm studying SEC concepts and usage for event correlation but I'm still looking for a way to understand the integration of SEC with SNORT. I know how to install SEC but how can I configure it to make an integration with SNORT and correlate its events? There's a file called 'snort.sec' at http://www.bleedingthreats.net/sec/. How can I configure this to work exactly the way it should be?
>
> I'm sorry but I did not find a way to do it and that's why I need some help. Really thanks for the support.
>
The integration is relatively straightforward - SEC is able to correlate events in real-time from any log file, and Snort can be configured to log its events via syslog. For the integration, you have to follow these simple steps:

1) check your snort configuration file (like /etc/snort/snort.conf) and add a directive for setting up syslog logging, for example:

   output alert_syslog: log_auth log_alert

   (log snort events with the syslog facility 'auth' and level 'alert'),

2) check your syslog server configuration and find which log file snort events will be written to (e.g., on the Linux platform events with the facility 'auth' are often written to /var/log/secure),

3) configure sec to monitor this log file (e.g., by adding -input=/var/log/secure to sec's command line options)

The sample rule file at the SEC rule repository should work for most syslog servers. If you would like to see some examples with a more detailed explanation, check this paper:
http://en.hakin9.org/attachments/pdf/hakin9_05_2006_10_EN_str28-39.pdf

hth,
risto

> Fabiano
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
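Putting the three steps together, here is an added illustrative SEC rule file (not the snort.sec from the repository mentioned above) that matches Snort's alert_syslog line format and reports when a single source address triggers several alerts within a minute. The rule file name, the host name ids1, the addresses in the sample line and the /var/log/secure path are constructed assumptions.

```sec
# Added example rule file for SEC, assuming Snort logs via
#   output alert_syslog: log_auth log_alert
# and the syslog daemon writes facility 'auth' to /var/log/secure, so SEC is started as:
#   sec --conf=snort-threshold.sec --input=/var/log/secure
#
# Snort's alert_syslog lines look like this (constructed sample, one line):
# Jan 12 10:00:00 ids1 snort[1234]: [1:2003:8] SAMPLE SCAN probe
#   [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.5:4444 -> 192.168.1.2:80
# ICMP alerts carry no ports and some rules have no classtype, so both parts are optional below.

# Rule 1: report every priority-1 alert immediately.
# continue=TakeNext lets the same line also reach Rule 2 (SEC stops at the first match by default).
type=Single
continue=TakeNext
ptype=RegExp
pattern=snort\[\d+\]: \[(\d+:\d+:\d+)\] (.+?) (?:\[Classification: .*?\] )?\[Priority: 1\]: \{(\w+)\} ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?
desc=Snort priority-1 alert $1 from $4 to $5
action=write - PRIORITY 1: $2 ($3 $4 -> $5)

# Rule 2: count alerts of any priority per source address. The counter is keyed
# by 'desc', so each distinct source IP gets its own sliding 60-second window,
# and the action fires when the 5th alert from that source arrives inside it.
type=SingleWithThreshold
ptype=RegExp
pattern=snort\[\d+\]: \[\d+:\d+:\d+\] (.+?) (?:\[Classification: .*?\] )?\[Priority: (\d)\]: \{\w+\} ([\d.]+)(?::\d+)? -> ([\d.]+)
desc=Snort alerts from source $3
action=write - $3 triggered 5 or more Snort alerts within 60 seconds (latest: $1, priority $2)
window=60
thresh=5
```

Both actions write to standard output; in a real deployment the write target would be a file or a pipe into a notification tool.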
