
Configure Snort for LEM

Created by Tim Rush, last modified by Jared.Jackson on Jun 21, 2017


Overview

This article describes how to configure Snort, the open-source network intrusion detection system bundled with LEM, to monitor a network segment. With the default configuration, Snort only sees traffic to and from the LEM appliance itself, which is of little value. To inspect other hosts' traffic, the appliance needs a dedicated interface fed by a mirrored switch port, and Snort's home-network (Home_Net) setting must match the subnet being monitored.

Environment

All LEM versions

Requirements

  • A dedicated NIC on the VM host, assigned to the LEM guest only (it cannot be shared with another VM). The NIC must be capable of promiscuous mode, which is not possible with Hyper-V 2008 R2.
  • An available port on a network switch, placed into promiscuous mode.
  • If the network to be monitored is not the one this switch port belongs to, port mirroring (SPAN in Cisco terminology) from a port on the other network segment is required.
  • A physical Ethernet cable connecting the NIC to the switch port.

Steps

  1. Add or configure a dedicated NIC on the VM host and assign it to the LEM guest.
  2. Place the dedicated NIC into promiscuous mode.
  3. Find or obtain an available port on a network switch, and configure that port for promiscuous mode.
  4. If the network to be monitored is not the one this switch port belongs to, configure port mirroring (SPAN in Cisco terminology) from a port on the other network segment to this port.
  5. Connect a physical Ethernet cable from the VM host NIC to the switch port.
  6. Verify that the Snort service is running on LEM:
    1. Open the vSphere console (or connect with PuTTY to LEM on port 32022 as user cmc).
    2. Enter the appliance menu.
    3. Enter top. The snort process appears in the process list. To narrow the view, type u and press Enter to filter by user so that only the snort processes are shown; type c and press Enter to display each process's full command line, which shows the configuration file and interface snort was started with.
  7. Verify that the Snort connector is configured and running (the default configuration already has the connector running):
    1. Open the LEM console.
    2. Select Manage > Appliances.
    3. Select Connectors from the gear icon on the left, and locate Snort.
    4. Select New from the gear icon on the left, keep the default alias snort (or change it), and verify that the log file is /var/log/snort/alert.
    5. Save the connector.
  8. Export the Snort configuration, change the default home network, and import the changes:
    1. Open the vSphere console (or connect with PuTTY to LEM on port 32022 as user cmc).
    2. Enter the service menu.
    3. Enter copysnortrules to export the Snort rules and configuration to a network share. This creates eth0 and eth1 directories.
    4. Keep an extra copy of the exported files so that you can restore, or test against, the default configuration.
    5. Under the eth0 directory, locate the snort.debian.conf file and change the Home_Net value to the network the LEM appliance is on.
    6. Under the eth1 directory, locate the snort.debian.conf file and change the Home_Net value to the network you want to monitor.
      Note: Snort rules use the home network to tell internal hosts from external ones. Leaving the default value, which does not match your subnet, produces false-positive alerts, so set it before loading the rules.
    7. In the same PuTTY (or console) session, enter loadsnortrules to load the updated rules back into LEM. This also restarts the Snort service.

Snort events should now appear in the LEM console.
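As an added example (not code from SolarWinds or the Snort project), the following POSIX shell script performs the home-network edit on the exported eth0 and eth1 copies of snort.debian.conf: it validates the new value as one or more IPv4 CIDRs before writing it, so a mistyped network is never handed to loadsnortrules, and it keeps a .bak copy of each file. The key name DEBIAN_SNORT_HOME_NET and the KEY="value" line layout are assumptions taken from Debian's snort packaging (the page calls the setting Home_Net); confirm the exact name in your exported file and pass it as the third argument if it differs. The eth0/eth1 sample files created by the demo are constructed.

```shell
#!/bin/sh
# Added example, not SolarWinds or Snort code: rewrite the home-network setting
# in exported copies of snort.debian.conf for eth0 (the subnet LEM sits on) and
# eth1 (the subnet being monitored), validating the CIDR first so that a typo is
# never loaded with loadsnortrules.
# Assumption: the setting is one line of the form KEY="value". The default key
# DEBIAN_SNORT_HOME_NET is taken from Debian's snort packaging; confirm it against
# the exported file and pass a different key as the third argument if needed.
set -e

# One IPv4 dotted quad with an optional /0-32 prefix length.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
CIDR_RE="^${OCTET}(\.${OCTET}){3}(/([0-9]|[12][0-9]|3[0-2]))?$"

# valid_cidr VALUE: accept a single CIDR or a comma-separated list of them.
# Any element that does not look like a.b.c.d/nn makes the whole value invalid.
valid_cidr() {
    if printf '%s\n' "$1" | tr ',' '\n' | grep -Evq "$CIDR_RE"; then
        return 1
    fi
}

# get_home_net FILE [KEY]: print the key's current value without its quotes.
get_home_net() {
    file=$1; key=${2:-DEBIAN_SNORT_HOME_NET}
    sed -n "s/^${key}=//p" "$file" | tr -d '"'
}

# set_home_net FILE CIDR [KEY]: replace the key's value in place, leaving a
# FILE.bak copy of the previous contents. Fails without touching the file if
# the value is not a valid CIDR list or the key is not present.
set_home_net() {
    file=$1; net=$2; key=${3:-DEBIAN_SNORT_HOME_NET}
    if ! valid_cidr "$net"; then
        echo "set_home_net: '$net' is not an IPv4 CIDR (or list of CIDRs)" >&2
        return 1
    fi
    if ! grep -q "^${key}=" "$file"; then
        echo "set_home_net: no line starting with ${key}= in $file" >&2
        return 1
    fi
    sed -i.bak "s|^${key}=.*|${key}=\"${net}\"|" "$file"
}

# Demo on constructed files laid out like the copysnortrules export:
# eth0/ and eth1/ directories, each holding a snort.debian.conf.
demo() {
    work=$(mktemp -d)
    for i in eth0 eth1; do
        mkdir -p "$work/$i"
        printf 'DEBIAN_SNORT_HOME_NET="192.168.0.0/16"\nDEBIAN_SNORT_INTERFACE="%s"\n' "$i" \
            > "$work/$i/snort.debian.conf"
    done
    set_home_net "$work/eth0/snort.debian.conf" 10.10.5.0/24   # subnet LEM is on
    set_home_net "$work/eth1/snort.debian.conf" 10.20.0.0/16   # subnet being monitored
    for i in eth0 eth1; do
        echo "$i: $(get_home_net "$work/$i/snort.debian.conf")"
    done
    rm -rf "$work"
}
demo
```

Run it against the network-share copy of the export before entering loadsnortrules; the .bak files it leaves behind double as the recovery copy of the default configuration, and a rejected value (bad octet, prefix above /32, missing key) exits non-zero without modifying anything.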

Note: Snort rules can be modified, but they must be compatible with the version of Snort used by LEM (see the version recorded in snort.conf). SolarWinds support can help get Snort running with the default rule set only; other Snort issues, including rule changes, are outside the scope of SolarWinds documentation.
