Thursday, November 16, 2006

CS-MARS using SNORT Sensors

Using open source SNORT with Cisco MARS

I'm sure everyone has heard of the free open source IDS/IPS product Snort. You may even have it running somewhere on your network. Well, the great news is that CS-MARS supports Snort right out of the box.

I'm not going to go into much detail on how to configure Snort, but there is plenty of documentation on the website. See

Snort Setup

In brief, we need Snort's output to go to syslog with the log facility local4. Configure this in snort.conf (usually in /etc/snort):

output alert_syslog: LOG_LOCAL4 LOG_ALERT

Then add a redirector in the syslog.conf file to send the syslog messages to the MARS appliance:

local4.alert @x.x.x.x (where x.x.x.x is the IP of the MARS appliance)

Restart the box, or just the Snort and syslogd daemons, and we are ready to add the Snort sensor to MARS.


We set up the Snort sensor, as a SW Security apps on a new host.

And define Snort as a reporting application.

And specify the networks we are going to monitor.

And that's all that needs to be done! Submit and Activate, and we are ready for MARS to start processing Snort events.

How can we check we are receiving events from our Snort sensor?

We can simply run a RAW Event Messages query, with just our Snort devices selected, over time or in real time, and see the events flowing in.
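A sensor-side complement to the MARS query, added here as an example and not taken from the original post: this Python check confirms that a forwarded syslog datagram carries the local4.alert priority configured in snort.conf and that the alert text parses. The alert layout in BODY, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

LOCAL4, ALERT = 20, 1  # syslog facility and severity codes for local4.alert

# BSD syslog framing: <PRI>timestamp [host] tag[pid]: message (some relays omit host)
FRAME = re.compile(
    r"^<(\d{1,3})>\w{3}\s+\d+ [\d:]{8} (?:(\S+) )?(\w+)(?:\[\d+\])?: (.*)$")
# Assumed alert body: [gid:sid:rev] msg [Classification: c] [Priority: n] {PROTO} src -> dst
BODY = re.compile(
    r"^\[(\d+):(\d+):(\d+)\] (.*?)(?: \[Classification: ([^\]]+)\])?"
    r" \[Priority: (\d+)\]:? \{(\w+)\} (\S+) -> (\S+)$")

def check_line(line):
    """Return (ok, detail) for one syslog datagram received from the sensor."""
    frame = FRAME.match(line)
    if not frame:
        return False, "not syslog framed"
    pri, _host, tag, text = frame.groups()
    facility, severity = divmod(int(pri), 8)  # PRI = facility * 8 + severity
    if (facility, severity) != (LOCAL4, ALERT):
        return False, f"facility {facility} severity {severity}, expected local4.alert"
    if tag != "snort":
        return False, f"tag {tag!r} is not snort"
    body = BODY.match(text)
    if not body:
        return False, "alert body does not match the assumed layout"
    gid, sid, rev, msg, cls, prio, proto, src, dst = body.groups()
    return True, {"sid": f"{gid}:{sid}:{rev}", "msg": msg, "class": cls,
                  "priority": int(prio), "proto": proto, "src": src, "dst": dst}

# Constructed sample datagrams: documentation addresses and made-up rule ids.
SAMPLES = [
    "<161>Nov 16 10:15:02 sensor1 snort[2211]: [1:1000001:1] Example web probe "
    "[Classification: Web Application Attack] [Priority: 1]: "
    "{TCP} 192.0.2.10:4321 -> 198.51.100.5:80",
    "<164>Nov 16 10:15:03 snort: [1:1000002:1] Example scan "
    "[Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.5",
    "<161>Nov 16 10:15:04 sensor1 snort[2211]: Example alert in another layout",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, detail = check_line(sample)
        print("OK  " if ok else "FAIL", detail)
```

The second sample fails because its priority decodes to local4 with severity 4 rather than alert, so the local4.alert selector in syslog.conf would not forward it; the third fails the layout check.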

Snort Events

MARS knows about a whole range of Snort events, which it uses to fire Incidents. A sample is shown below.

Incident Example 1 - MARS correlates the data from Snort and also a FW, to generate and fire an Incident for further Investigation.

An Incident was Fired by CS-MARS

The Rule that was Matched, to Generate the Incident (note the Reporting Device)

The Snort Raw Event Message (note Correlation from another FW device)

And Finally the Known MARS Event Info

Incident Example 2 - Web Server Attacks

Incidents were fired by CS-MARS

The Rule that Generated the Incident

And the Correlated Sessions that relate to this Particular Incident

CS-MARS Reporting

Like with any other reporting device in MARS, we can run queries and reports against the data we have collected.

And have these reports emailed to certain individuals by the CS-MARS appliance.

And finally use these reports on the CS-MARS dashboard.

What I haven't shown here is the ability to create drop rules and tune the false positives generated by the Snort sensors, although this can be done on the Snort sensors themselves.

As hopefully shown, CS-MARS is an ideal platform for reporting from your Snort sensors, and Snort is a great low-cost IDS/IPS solution to add to your network.


wyatt said...

I know I'm posting on a topic that's a little old; however, have you attempted to configure a CS-MARS device with Snort 2.6? After talking with TAC it appears that something has changed in the format of the log messages that are sent from the Snort system. I've not personally verified the change; however, it should be possible to write a custom filter for the CS-MARS appliance. Have you experienced this and if so, have you had any luck moving to Snort 2.6?

Chris Durkin said...

Hi Wyatt

No, I wasn't aware of this. Maybe someone else can shed light on this?

If I get time in the next week, I'll test this and report what I find.