Event Manager for Snort (Legacy)

Release Notes

Date Published: May 2009

Event Manager for IDS (Intrusion Detection Systems) allows you to collect, evaluate, and present data collected by Snort in real time. By detecting, alerting on, and automatically responding to critical events as they occur, Event Manager for IDS helps you identify and prevent possible intrusions or attacks.

Event Manager for IDS provides embedded expertise so you can proactively manage Snort environments and identify issues before they become critical. Event Manager for IDS gathers events, alerts, and other information for Snort into a secure, central repository that you can monitor from a single console. Monitoring this information from a single console aids the IT team in correlating events to determine the nature of a potential security threat.

Event Manager for IDS highlights events that may indicate external attacks so you can quickly take corrective or preventive actions. For example, Event Manager for IDS enables you to perform the following tasks:

  • Detect suspicious logon activity
  • Detect high-severity Snort events, such as access attempts to the CGI bin, Unicode directory traversal exploits, or Microsoft SQL Server system administrator login failures
  • Monitor your environment from a single console

Supported Products

This release supports the following products:

  • Snort version 2.4 or later

Why Install This Module?

Event Manager for IDS provides the following important new capabilities:

  • Includes Snort preprocessor rules
  • Stores unrecognized syslog events in the log archive under the source syslog
  • Improves the usability of rules and reports by matching Snort rules more closely

Improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

System Requirements

The following table lists additional requirements for a Windows agent acting as the proxy agent for Snort devices. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category          Requirement
Processor         1.5 GHz Intel Pentium III or equivalent.
Memory            40 MB minimum. The amount of memory used varies and depends on the environment, including event rate and other factors. Memory use for a Windows agent monitoring Snort could reach 256 MB or higher.
Operating System  All supported Windows agent platforms.
  • Ensure you have Security Manager 6.0 or later installed.
  • A Windows agent can monitor one or more Snort devices. For more information about the number of instances one agent can support, see the NetIQ Security Manager Knowledge Base article NETIQKB51404 at www.netiq.com/support/sm/.
  • Install each Windows agent and Snort device on a computer inside the firewall, or ensure the firewall allows syslog events through.
  • Use a unique agent for each platform sending syslog events. For example, use separate agents to monitor NetScreen and Snort.
  • Install the Windows agent with Snort support on a separate computer from the database server or central computer.

Installing This Module

You can install this module using the Module Installer. After you install the module, run the Configuration Wizard to configure the module. For more information about how to follow the Configuration Wizard, click the Help icon in the lower left of the wizard.

Configuring the Module

You can configure the modules with the Configuration Wizard. Add operators to the Security Specialists group to receive notifications from the associated rules. For more information about using the Configuration Wizard, see the User Guide for NetIQ Security Manager.

Ensure the environment is configured so that the modules can resolve the hostname of the Snort device. If you cannot use a static IP address, DNS must update automatically and consistently resolve the name.

By default, agents collect syslog event data from all IP addresses. You can limit the IP addresses from which an agent accepts syslog events by modifying the data provider properties. For more information, see the Programming Guide for NetIQ Security Manager.

Configuring Snort

Snort devices must be properly configured before Event Manager and Log Manager can begin monitoring or collecting logs from them. Intrusion detection systems use different default settings and offer different ways of configuring Snort. The instructions listed in this section include examples that will apply to many products. However, for information about how to configure your Snort environment, see the Snort documentation.

To configure support for Snort:

  1. Add the name and IP address of the computer where Snort is installed to the Hosts file on the Windows agent computer. For more information about the Hosts file, see the Windows documentation.
  2. On the computer where Snort is installed, ensure the following:
    • The snort.conf file allows alerts to be sent to the local syslog daemon. For example, your product might require you to enable the following entry:
      output alert_syslog: log_auth log_alert

    • Snort sends alerts to the local syslog daemon.
    • Snort alerts use the Fast Alert format.
    • All Snort rules are installed and enabled.
    • The -s command line argument is enabled.
    • Snort automatically uses the -s command line argument each time Snort starts.
    • Snort sends events to the Windows agent. For example, your product might require you to add the following entry to the syslog.conf file:
      auth.* @agent_IP_address

      Where agent_IP_address identifies the IP address of the Windows agent computer.

  3. If you made changes to the syslog.conf file, restart the computer to ensure the syslog daemon correctly applies the changes.
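The receiving side of this setup, as an added Python illustration (not NetIQ's code, and no claim about how the Security Manager agent is implemented): Fast Alert lines arrive over syslog in the form Snort's alert_syslog plugin produces, the collector accepts them only from the sensor IP addresses it trusts (the per-IP filtering mentioned under Configuring the Module), parses each line, and keeps the high-severity alerts for review. The sample records, sender addresses and rule SIDs below are constructed; the parser assumes Snort 2.x Fast Alert syntax with IPv4 endpoints.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed records: (UDP sender IP as a syslog receiver would see it, raw syslog line).
# SIDs in the 100000+ range are local/placeholder values, not real Snort rule IDs.
SAMPLE_RECORDS = [
    ("10.0.0.20", "May  9 12:00:01 sensor1 snort[1234]: [1:100001:1] MS-SQL sa login failed "
                  "[Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 10.0.0.9:1433"),
    ("10.0.0.20", "May  9 12:00:02 sensor1 snort[1234]: [1:100002:1] WEB-CGI cgi-bin access "
                  "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 10.0.0.9:80"),
    ("10.0.0.20", "May  9 12:00:03 sensor1 snort[1234]: [1:100003:1] ICMP PING NMAP "
                  "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 10.0.0.9"),
    ("192.0.2.99", "May  9 12:00:04 unknown snort[42]: [1:100001:1] MS-SQL sa login failed "
                   "[Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 203.0.113.8:4000 -> 10.0.0.9:1433"),
    ("10.0.0.20", "May  9 12:00:05 sensor1 sshd[555]: Accepted password for bob from 10.0.0.3 port 40000 ssh2"),
]


@dataclass
class Alert:
    host: str                 # hostname field of the syslog header (the sensor)
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int             # Snort priority: 1 is the most severe
    proto: str
    src: str
    src_port: Optional[int]   # None for protocols without ports (ICMP)
    dst: str
    dst_port: Optional[int]


# Syslog header + Snort Fast Alert body: "[gid:sid:rev] msg [Classification: c] [Priority: p] {PROTO} src -> dst".
# The classification block is optional in Snort output, so it is optional here too.
FAST_ALERT_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.1:80' -> ('10.0.0.1', 80); an endpoint without ':port' keeps port None."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Snort Fast Alert syslog line, or None for anything else."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    src, src_port = _split_endpoint(m["src"])
    dst, dst_port = _split_endpoint(m["dst"])
    return Alert(host=m["host"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
                 msg=m["msg"], classification=m["cls"] or "", priority=int(m["prio"]),
                 proto=m["proto"], src=src, src_port=src_port, dst=dst, dst_port=dst_port)


def triage(records: Iterable[Tuple[str, str]], allowed_senders: Iterable[str],
           max_priority: int = 1) -> Tuple[List[Alert], Dict[str, int]]:
    """Keep alerts sent from an allowed sensor IP whose priority is at most max_priority.

    Lines that are not Snort alerts (other daemons sharing the auth facility) are counted,
    not kept, mirroring the page's note that unrecognized syslog events are archived separately.
    """
    allowed = set(allowed_senders)
    stats = {"parsed": 0, "unparsed": 0, "dropped_sender": 0, "low_priority": 0}
    kept: List[Alert] = []
    for sender_ip, line in records:
        alert = parse_fast_alert(line)
        if alert is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        if sender_ip not in allowed:      # source filtering happens on the UDP sender, not the header
            stats["dropped_sender"] += 1
            continue
        if alert.priority > max_priority:
            stats["low_priority"] += 1
            continue
        kept.append(alert)
    return kept, stats


if __name__ == "__main__":
    kept, stats = triage(SAMPLE_RECORDS, {"10.0.0.20"})
    for a in kept:
        print(f"P{a.priority} [{a.gid}:{a.sid}:{a.rev}] {a.msg} {a.src}:{a.src_port} -> {a.dst}:{a.dst_port}")
    print(stats)
```

Filtering on the UDP sender address rather than on the hostname inside the message matters: the hostname field is written by the sending host and can say anything, which is why the fourth constructed record (priority 1, but from an address outside the allowlist) is dropped even though it parses cleanly.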

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Previous Snort Log Archive Data Not Formatted Properly with New Reports

With this release, Security Manager records data differently than in previous releases. Reports in this release do not properly display data gathered using a previous release, and saved queries from a previous release do not properly render data from this release.

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.