
Configuration Guide

SmartConnector for Snort DB

September 30, 2014

Copyright 2003-2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license
from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S.
Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services
are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions
contained herein.
Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements:
http://www.hpenterprisesecurity.com/copyright.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
This document is confidential.

Revision History

Date         Description
09/30/2014   Added Device Custom String 6 mapping for data_payload.
05/15/2012   Added new installation procedure.
02/15/2012   Added driver download information for Connector Appliance.
08/12/2011   Added MySQL JDBC driver download information.
02/15/2011   Added support for Snort 2.9.
09/24/2010   Updated supported versions.
02/11/2010   Added support for FIPS Suite B and CEF File transport.
06/30/2009   Added global update to installation procedure.
05/15/2009   Noted that PostgreSQL is supported only for Snort DB versions 1.8 and later.
03/27/2009   Added support for PostgreSQL and Oracle databases.



This guide provides information for installing the SmartConnector for Snort DB and configuring the
device for database event collection. Snort IDS Versions 1.7-2.4, 2.6, 2.8, and 2.9 are supported.
See the section "Device Event Mapping to ArcSight Data Fields" later in this document for the specific
events mapped to fields in the ArcSight database.

Product Overview
Snort is an open-source network intrusion detection system, capable of performing real-time traffic
analysis and packet logging on IP networks. It can perform protocol analysis and content
searching/matching, and can be used to detect a variety of attacks and probes, including buffer
overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

Configuration

Configure Snort to Use MySQL
The Snort DB can be created in MySQL. See your Snort documentation for more information. MySQL
JDBC driver version 5.0.8 is supported.

To configure Snort to use MySQL with the SmartConnector for Snort DB:

1  Open your /etc/snort/snort.conf file in a text editor.

2  Within the snort.conf file, locate the following line and remove the comment symbol (#):

   output database: alert, mysql, user=<your_snort_mysql_user_id> dbname=<database_created_with_create_mysql> host=<location_of_mysql_db> sensor_name=<your_given_sensor_name>

Notes:

When Snort DB is run on Linux, the sensor name is assigned a format such as
snorthostname:sniffingNICInterface, for example localhost:eth1. If the sniffing NIC
has not been assigned an IP address, there could be a problem with host name resolution. To
avoid this, append the sensor_name field in the snort.conf file, as shown in the previous example.

PostgreSQL is supported for Snort DB versions later than 1.8.

MySQL Database Versions 5.0.8 and earlier are supported. If the MySQL version is 4.1 or later,
the password hash format must be changed for compatibility, as follows:
Log in to MySQL as root and select "mysql" as the database. Run the following commands:

   update user set password = old_password('your password') where user = 'your snort database user name';
   flush privileges;



Because MySQL supports host-based access control, you may need to configure MySQL to allow
connections from the host where the ArcSight SmartConnector is running. To allow MySQL access
from the host, execute the following command at a MySQL prompt:

   GRANT SELECT ON snortdb.* TO 'MySQLuser'@'connectorhost' IDENTIFIED BY 'MySQLpassword';

where:

snortdb          The name of the database used by Snort (the database created with create mysql).
MySQLuser        The user you create for the Snort DB.
connectorhost    The hostname (or IP address) of the host running the ArcSight SmartConnector (for testing
                 purposes, you could use %, which means "any host").
MySQLpassword    The password of the user you created for the Snort DB.
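The following Python script is an added example and is not part of the HP ArcSight guide. It applies the checks from this section to a snort.conf: it parses each "output database:" line, reports whether the line is still commented out, whether user, dbname and host are present, and whether sensor_name is set explicitly as the note above recommends, and it builds the read-only GRANT for the connector account, refusing the "%" wildcard host unless it is explicitly allowed for testing. The configuration text, host names and account names are constructed for the example.

```python
"""Added example (not part of the HP ArcSight guide): check the Snort
'output database:' settings the SmartConnector depends on, and build the
read-only GRANT for the connector account shown above."""
import re

# Constructed snort.conf fragment for this example; the names are invented.
SAMPLE_SNORT_CONF = """\
# output database: log, mysql, user=snort dbname=snortdb host=127.0.0.1
output database: alert, mysql, user=snort dbname=snortdb host=db.example.internal sensor_name=sensor01:eth1
output database: alert, mysql, user=snort dbname=snortdb
"""

REQUIRED_KEYS = ("user", "dbname", "host")

# Matches a commented or active 'output database:' line and captures its parts.
_OUTPUT_RE = re.compile(
    r"^\s*(?P<comment>#\s*)?output\s+database:\s*"
    r"(?P<log_type>\w+)\s*,\s*(?P<backend>\w+)\s*,\s*(?P<rest>.*)$"
)
# Identifiers allowed into the generated SQL (no quotes, spaces or wildcards).
_IDENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_output_database_lines(conf_text):
    """Return one dict per 'output database:' line found in conf_text."""
    entries = []
    for line in conf_text.splitlines():
        m = _OUTPUT_RE.match(line)
        if not m:
            continue
        params = {}
        for token in m.group("rest").split():
            if "=" in token:
                key, value = token.split("=", 1)
                params[key] = value
        entries.append({
            "commented": m.group("comment") is not None,
            "log_type": m.group("log_type"),
            "backend": m.group("backend"),
            "params": params,
        })
    return entries


def check_output_database(entry):
    """Return findings for one parsed entry; an empty list means it looks usable."""
    findings = []
    if entry["commented"]:
        findings.append("line is still commented out; remove the leading #")
    for key in REQUIRED_KEYS:
        if key not in entry["params"]:
            findings.append(f"missing {key}=")
    if "sensor_name" not in entry["params"]:
        # Without an explicit sensor_name the guide's note warns that the derived
        # hostname:interface name may fail to resolve when the sniffing NIC has no IP.
        findings.append("missing sensor_name=; set it explicitly to avoid host-name resolution problems")
    return findings


def reader_grant(dbname, reader_user, connector_host, password, allow_any_host=False):
    """Build the GRANT from the guide for the connector's read-only account.

    connector_host is the host the SmartConnector runs on. '%' (any host) is
    only suitable for testing, so it is refused unless allow_any_host is set.
    """
    if connector_host == "%" and not allow_any_host:
        raise ValueError("refusing to grant access from any host; set allow_any_host=True for testing only")
    for ident in (dbname, reader_user):
        if not _IDENT_RE.match(ident):
            raise ValueError(f"unsafe identifier in GRANT: {ident!r}")
    if not (connector_host == "%" or _IDENT_RE.match(connector_host)):
        raise ValueError(f"unsafe host in GRANT: {connector_host!r}")
    safe_password = password.replace("\\", "\\\\").replace("'", "\\'")
    return (f"GRANT SELECT ON {dbname}.* TO '{reader_user}'@'{connector_host}' "
            f"IDENTIFIED BY '{safe_password}';")


if __name__ == "__main__":
    for entry in parse_output_database_lines(SAMPLE_SNORT_CONF):
        print(entry["params"], check_output_database(entry) or "OK")
    print(reader_grant("snortdb", "arcsight_reader", "connector.example.internal", "example-only"))
```

When you apply the old_password() change from the note above, keep the WHERE clause limited to the Snort database user: old_password() produces the pre-4.1 hash format, which is weaker than the 4.1+ format, so it should not be applied to root or to other accounts.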

Configure an ODBC Data Source

To create a new DSN ODBC data source that points to the database on the machine on which the
SmartConnector is to be installed, follow the steps in this section. Before beginning, make sure you
have administrative privileges to create ODBC data sources on the machine.
To use the ODBC driver option, you must have an ODBC driver compatible with your installed database.

1  Click Start; select Control Panel -> Administrative Tools -> Data Sources (ODBC).

2  Select the System DSN tab and click Add.

3  Select the MySQL, PostgreSQL, or Oracle database driver.

4  Enter the parameters for your DSN (Database, Server, User Name, and Password) and, optionally,
   enter a description.

5  Click Save.

6  Click Next, then click Finish.

7  Test the ODBC data source by clicking Test Data Source. If the connection is established
   successfully, click OK to close the ODBC Data Source window.

Remember the ODBC name, username, and password you used in the DSN creation; they will be required
when you install the SmartConnector.

Install the SmartConnector


Before you install any SmartConnectors, make sure that the ArcSight products with which the
connectors will communicate have already been installed correctly (such as ArcSight ESM or ArcSight
Logger). This configuration guide takes you through the installation process with ArcSight Manager
(encrypted) as the destination.

For complete product information, read the Administrator's Guide as well as the Installation and
Configuration guide for your ArcSight product before installing a new SmartConnector. If you are
adding a connector to the Connector Appliance, see the ArcSight Connector Appliance Administrator's
Guide for instructions, and start the installation procedure at step 3.
Before installing the SmartConnector, be sure the following are available:

Local access to the machine where the SmartConnector is to be installed

Administrator passwords

Unless specified otherwise at the beginning of this guide, this SmartConnector can be installed on all
ArcSight supported platforms; for the complete list, see the SmartConnector Product and Platform
Support document, available from the HP SSO and Protect 724 sites.
1  Download the SmartConnector executable for your operating system from the HP SSO site.

2  Start the SmartConnector Installer by running the executable.
   Follow the installation wizard through the following folder selection tasks and installation of the core
   connector software:
   Introduction
   Choose Install Folder
   Choose Install Set
   Choose Shortcut Folder
   Pre-Installation Summary
   Installing...

3  When the installation of SmartConnector core component software is finished, the following window
   is displayed.
   Click Cancel to leave the configuration wizard at this point.
   The following steps are required when you use the MySQL JDBC driver, which is required for Connector
   Appliance and Linux systems.

   A  Download the MySQL JDBC Driver from:
      http://dev.mysql.com/downloads/connector/j/5.0.html

   B  Install the driver.
      For software connectors, copy the mysql-connector-java-5.0.8-bin.jar jar file to
      $ARCSIGHT_HOME\current\user\agent\lib, where $ARCSIGHT_HOME refers to the
      connector install folder, such as c:\ArcSight\SmartConnectors. For Connector
      Appliance users, see "Add a JDBC Driver to the Connector Appliance" later in this guide.

   From $ARCSIGHT_HOME/current/bin, double-click runagentsetup to return to the
   SmartConnector Configuration Wizard.

4  Select Add a Connector and click Next.

5  Select Snort DB and click Next.

6  Enter the required SmartConnector parameters to configure the SmartConnector, then click Next.

   Parameter                    Description

   Snort Database JDBC Driver
      Select one of the following three drivers: 'org.gjt.mm.mysql.Driver', 'org.postgresql.Driver',
      or 'oracle.jdbc.driver.OracleDriver'.

   Snort Database URL
      Enter the database URL. The default value, 'jdbc:mysql://<MYSQL HOST OR IP>:3306/<SNORT DATABASE NAME>',
      is for MySQL databases, where <MYSQL HOST OR IP> is the host and <SNORT DATABASE NAME> is the database name.
      For Oracle databases, use the format 'jdbc:oracle:thin:@<host_name>:1521:<db_name>',
      where <host_name> is the Oracle host and <db_name> is the ESM external database name.
      For PostgreSQL databases, use the format 'jdbc:postgresql://<HostName or IP Address>:5432/<Database Name>'.
      PostgreSQL databases are not supported for Snort DB 1.8 and earlier versions.

   Snort Database User
      Login name of a database user with appropriate privileges to access the database.

   Snort Database Password
      Password assigned to the authorized database user.
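A mismatch between the Snort Database JDBC Driver and the Snort Database URL parameters is a common reason the connector cannot open the database. The following Python script is an added example, not part of the HP ArcSight guide, that checks the pair before you type them into the wizard: it recognises the three URL shapes from the table, confirms the URL scheme matches the selected driver class, flags a port that differs from the default the table gives, and applies the PostgreSQL version restriction when a Snort DB version is supplied. The host and database names are constructed.

```python
"""Added example (not part of the HP ArcSight guide): check that the Snort
Database JDBC Driver and Snort Database URL parameters agree with each other."""
import re

# Driver classes from the parameter table, with the URL scheme and default
# port the guide gives for each backend.
DRIVERS = {
    "org.gjt.mm.mysql.Driver": ("mysql", 3306),
    "org.postgresql.Driver": ("postgresql", 5432),
    "oracle.jdbc.driver.OracleDriver": ("oracle", 1521),
}

# URL shapes from the table: host:port/db for MySQL and PostgreSQL,
# thin:@host:port:db for Oracle.
_URL_RES = {
    "mysql": re.compile(r"^jdbc:mysql://(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^/?]+)$"),
    "postgresql": re.compile(r"^jdbc:postgresql://(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^/?]+)$"),
    "oracle": re.compile(r"^jdbc:oracle:thin:@(?P<host>[^:]+):(?P<port>\d+):(?P<db>[^:]+)$"),
}


def parse_jdbc_url(url):
    """Split a JDBC URL in one of the three supported shapes into its parts."""
    for backend, rx in _URL_RES.items():
        m = rx.match(url)
        if m:
            return {"backend": backend, "host": m.group("host"),
                    "port": int(m.group("port")), "db": m.group("db")}
    raise ValueError(f"unrecognised JDBC URL: {url}")


def check_connector_db_params(driver, url, snort_db_version=None):
    """Return findings for the driver/URL pair; an empty list means consistent.

    snort_db_version is an optional (major, minor) tuple used for the
    PostgreSQL version restriction stated in the table.
    """
    if driver not in DRIVERS:
        return [f"unknown driver class {driver!r}; the guide lists: {', '.join(DRIVERS)}"]
    backend, default_port = DRIVERS[driver]
    try:
        parsed = parse_jdbc_url(url)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if parsed["backend"] != backend:
        findings.append(f"driver {driver} expects a jdbc:{backend} URL, but the URL is for {parsed['backend']}")
    if parsed["port"] != default_port:
        findings.append(f"port {parsed['port']} differs from the default {default_port}; confirm the database listens there")
    if backend == "postgresql" and snort_db_version is not None and snort_db_version <= (1, 8):
        findings.append("PostgreSQL is not supported for Snort DB 1.8 and earlier")
    return findings


if __name__ == "__main__":
    # Constructed host and database names.
    checks = [
        ("org.gjt.mm.mysql.Driver", "jdbc:mysql://db.example.internal:3306/snortdb", None),
        ("org.postgresql.Driver", "jdbc:mysql://db.example.internal:3306/snortdb", None),
        ("org.postgresql.Driver", "jdbc:postgresql://db.example.internal:5432/snortdb", (1, 8)),
    ]
    for driver, url, ver in checks:
        print(driver, url, check_connector_db_params(driver, url, ver) or "OK")
```

The port check is deliberately a warning rather than an error: a non-default port is legitimate, but it is also the first thing to confirm with the netstat check in the Troubleshooting section when the connector cannot reach the database.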

7  The next window asks for the destination type; make sure ArcSight Manager (encrypted) is
   selected and click Next. (For information about any of the other destinations listed, see the
   ArcSight SmartConnector User's Guide as well as the Administrator's Guide for your ArcSight
   product.)

8  Enter the Manager Host Name, Manager Port, and a valid ArcSight User Name and Password.
   This is the same user name and password you created during the ArcSight Manager installation.
   Click Next.

9  Enter a name for the SmartConnector and provide other information identifying the connector's use
   in your environment. Click Next; the connector starts the registration process.

10 The certificate import window for the ArcSight Manager is displayed. Select Import the certificate
to the connector from destination and click Next. If you select Do not import the certificate to
connector from destination, the connector installation will end.


   The certificate is imported and the Add connector Summary window is displayed.
11 Review the Add connector Summary and click Next. If the summary is incorrect, click Previous
   to make changes.
12 The wizard now prompts you to choose whether you want to run the SmartConnector as a stand-alone
   process or as a service. If you choose to run the connector as a stand-alone process, skip
   step 13. If you choose to run the connector as a service, the wizard prompts you to define service
   parameters. See "Run the SmartConnector" later in this guide for more information.

13 Enter the service parameters and click Next. The Install Service Summary window is displayed.
14 Click Next.
To complete the installation, choose Exit and click Next. To enable FIPS-compliant mode, choose
Continue, click Next, and continue with "Enable FIPS Mode."

Enable FIPS Mode


15 After choosing Continue and clicking Next after connector installation, choose Enable FIPS Mode
and click Next. A confirmation window is displayed when FIPS mode is enabled.
16 Click Next. To complete installation of FIPS support, click Exit. To enable FIPS Suite B mode,
click Continue.
17 On the window displayed, select Modify Connector.
18 Select Add, Modify, or Remove destinations and click Next.
19 Select the destination for which you want to enable FIPS Suite B mode and click Next.
20 Select Modify destination parameters and click Next.
21 When the parameter window is displayed, select FIPS with Suite B 128 bits or FIPS with Suite B
192 bits for the FIPS Cipher Suites parameter. Click Next.
22 The window displayed shows the editing changes to be made. Confirm and click Next to continue.
(To adjust changes before confirming, click Previous.)
23 A summary of the configuration changes made is displayed. Click Next to continue.
24 Click Exit to exit the configuration wizard.
For some SmartConnectors, a system restart is required before the configuration settings you made
take effect. If a System Restart window is displayed, read the information and initiate the system
restart operation.
Save any work on your computer or desktop and shut down any other running applications (including the
ArcSight Console, if it is running), then shut down the system.

Complete any Additional Configuration required, then continue with the "Run the SmartConnector."
For connector upgrade or uninstall instructions, see the SmartConnector User's Guide.

Run the SmartConnector


SmartConnectors can be installed and run in stand-alone mode, on Windows platforms as a Windows
service, or on UNIX platforms as a UNIX daemon, depending upon the platform supported. On
Windows platforms, SmartConnectors also can be run using shortcuts and optional Start menu entries.
If the connector is installed in stand-alone mode, it must be started manually and is not automatically
active when a host is restarted. If installed as a service or daemon, the connector runs automatically



when the host is restarted. For information about connectors running as services or daemons, see the
HP ArcSight SmartConnector User's Guide.
To run all SmartConnectors installed in stand-alone mode on a particular host, open a command
window, go to $ARCSIGHT_HOME\current\bin and run: arcsight connectors
To view the SmartConnector log, read the file $ARCSIGHT_HOME\current\logs\agent.log; to
stop all SmartConnectors, enter Ctrl+C in the command window.

Device Event Mapping to ArcSight Fields

The following section lists the mappings of ArcSight data fields to the device's specific event definitions.
See ArcSight 101 for more information about the ArcSight data fields.

Snort DB Mappings to ArcSight ESM Events

ArcSight ESM Field              Device-Specific Field
ArcSight Severity (High)
ArcSight Severity (Low)         4, 5, or 6
ArcSight Severity (Medium)
ArcSight Severity (Very High)   0 or 1
Destination Address             IP_DST
Destination Port                First of (TCP_DPORT, UDP_DPORT)
Device Address                  IPADDR
Device Custom String 1          SIG_GID
Device Custom String 2          SIG_REV
Device Custom String 3          ICMP_TYPE
Device Custom String 4          ICMP_CODE
Device Custom String 5          Preprocessor
Device Custom String 6          data_payload
Device Event Category           SIG_CLASS_NAME
Device Event Class ID           SIG_GID plus SIG_SID
Device Host Name                HOSTNAME
Device Inbound Interface        INTERFACE
Device Product                  'Snort'
Device Receipt Time             TIMESTAMP
Device Severity                 SIG_PRIORITY
Device Vendor                   'Snort'
Name                            SIG_NAME
Source Address                  IP_SRC
Source Port                     First of (TCP_SPORT, UDP_SPORT)
Transport Protocol              IP_PROTO
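To see what the mapping table produces for a real alert, the following Python script applies it to a row selected from the Snort DB. It is an added example, not part of the HP ArcSight guide and not the connector's own code: it implements "First of (A, B)" as the first present value, maps SIG_PRIORITY to the ArcSight severity rows the table shows (the table gives no device values for High and Medium, so those priorities are left unmapped rather than guessed), and joins SIG_GID and SIG_SID with a ":" separator, which is this example's assumption. Rendering the raw IP_PROTO number as TCP/UDP/ICMP is likewise an addition for readability. The sample row is constructed.

```python
"""Added example (not part of the HP ArcSight guide): apply the mapping table
above to a row selected from the Snort DB, so the resulting ArcSight fields can
be inspected or used in detection logic offline."""

# Constructed sample row using the device-specific column names from the table;
# addresses, rule and payload are invented, and addresses are given as strings.
SAMPLE_TCP_ROW = {
    "TIMESTAMP": "2014-09-30 12:34:56",
    "HOSTNAME": "sensor01", "INTERFACE": "eth1", "IPADDR": "10.0.0.5",
    "IP_SRC": "192.0.2.10", "IP_DST": "10.0.0.20", "IP_PROTO": 6,
    "TCP_SPORT": 51515, "TCP_DPORT": 80, "UDP_SPORT": None, "UDP_DPORT": None,
    "ICMP_TYPE": None, "ICMP_CODE": None,
    "SIG_GID": 1, "SIG_SID": 2000, "SIG_REV": 3,
    "SIG_NAME": "WEB-MISC example rule", "SIG_CLASS_NAME": "web-application-attack",
    "SIG_PRIORITY": 1, "Preprocessor": None,
    "data_payload": "474554202f20485454502f312e31",  # hex-encoded payload text
}

# The table maps the raw IP_PROTO value; this example only adds readable names
# for three common protocol numbers.
_IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def first_of(*values):
    """The table's 'First of (A, B)': the first value that is present."""
    for value in values:
        if value is not None:
            return value
    return None


def arcsight_severity(priority):
    """Map SIG_PRIORITY to the ArcSight severity rows the table shows.

    The table gives 0 or 1 -> Very High and 4, 5 or 6 -> Low; it shows no
    device values for High and Medium, so other priorities return None here
    instead of a guessed bucket.
    """
    if priority in (0, 1):
        return "Very High"
    if priority in (4, 5, 6):
        return "Low"
    return None


def map_snort_row(row):
    """Return a dict keyed by the ArcSight ESM field names from the table."""
    gid, sid = row["SIG_GID"], row["SIG_SID"]
    return {
        "ArcSight Severity": arcsight_severity(row["SIG_PRIORITY"]),
        "Destination Address": row["IP_DST"],
        "Destination Port": first_of(row.get("TCP_DPORT"), row.get("UDP_DPORT")),
        "Device Address": row["IPADDR"],
        "Device Custom String 1": gid,
        "Device Custom String 2": row["SIG_REV"],
        "Device Custom String 3": row.get("ICMP_TYPE"),
        "Device Custom String 4": row.get("ICMP_CODE"),
        "Device Custom String 5": row.get("Preprocessor"),
        "Device Custom String 6": row.get("data_payload"),
        "Device Event Category": row["SIG_CLASS_NAME"],
        # "SIG_GID plus SIG_SID": the ':' separator is this example's assumption.
        "Device Event Class ID": f"{gid}:{sid}",
        "Device Host Name": row["HOSTNAME"],
        "Device Inbound Interface": row["INTERFACE"],
        "Device Product": "Snort",
        "Device Receipt Time": row["TIMESTAMP"],
        "Device Severity": row["SIG_PRIORITY"],
        "Device Vendor": "Snort",
        "Name": row["SIG_NAME"],
        "Source Address": row["IP_SRC"],
        "Source Port": first_of(row.get("TCP_SPORT"), row.get("UDP_SPORT")),
        "Transport Protocol": _IP_PROTO_NAMES.get(row["IP_PROTO"], row["IP_PROTO"]),
    }


if __name__ == "__main__":
    for field, value in map_snort_row(SAMPLE_TCP_ROW).items():
        print(f"{field}: {value}")
```

Because Device Event Class ID carries the generator and signature IDs, it is the field to key rule-specific content (filters, correlation rules) on; Name carries the rule text and can change with a rule revision (SIG_REV, in Device Custom String 2) while the IDs stay stable.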


Payload Support
Payload support is available with this SmartConnector. Payload refers to the information carried in the
body of an event's network packet, as distinct from the packet's header data. While security event
detection and analysis usually centers on header data, packet payload may also be forensically
significant.
You need not explicitly enable payload. However, payloads are downloaded and stored only on
demand; you must configure ESM to log these packets. By default, 256 bytes of payload will be
retrieved.
To get payload from the SmartConnector for Snort DB, run the SmartConnector as a user who has
permission to access the payload files generated by Snort. Otherwise, the SmartConnector will receive
an access denied error when trying to read the payload files.

You can retrieve, preserve, view, or discard payloads using the ArcSight Console. Because event
payloads are relatively large, ArcSight does not store them by default. Instead, you can request
payloads from devices for selected events through the Console. If the payload is still held on the device,
the ArcSight SmartConnector retrieves it and sends it to the Console.
Whether an event has a payload to store is visible in event grids. Unless you specifically request to do
so, only the event's "payload ID" (information required to retrieve the payload from the event source) is
stored. Payload retention periods are controlled by the configuration of each source device.
Locate Payload-Bearing Events
The first step in handling event payloads is to be able to locate payload-bearing events among the
general flow of events in a grid view. In an ArcSight Console Viewer panel grid view, right-click a
column header and choose Add Column > Device > Payload ID. Look for events showing a
Payload ID in that column.
Retrieve Payloads
In a Viewer panel grid view, double-click an event with an associated payload. In the Event
Inspector, click the Payload tab, then click Retrieve Payload.
Preserve Payloads
In a grid view, right-click an event with an associated payload, select Payload, then Preserve.
Alternatively, in the Event Inspector, click the Payload tab, then Preserve Payload.
Discard Payloads
In a grid view, right-click an event with an associated payload and select Payload, then Discard
Preserved. You also can use the Event Inspector: In a grid view, double-click an event with an
associated payload. In the Event Inspector, click the Payload tab. Click Discard Preserved
Payload.
Save Payloads to Files
In a grid view, double-click an event with an associated payload. In the Event Inspector, click the
Payload tab. Click Save Payload. In the Save dialog box, navigate to a directory and enter a name
in the File name text field. Click Save.


Troubleshooting
How do I make sure that the Snort database is running on the right port?
If the ArcSight SmartConnector fails to communicate with the Snort database, make sure Snort
database is running on the correct port (by default, it is 3306). The netstat command is one way to
check this:
netstat -an | grep 3306
How can I get historical events when the Snort database connector is restarted?
When you stop the SmartConnector, the ArcSight Manager will not receive real-time events. To capture
events that are generated when the connector is down, follow these steps to configure the
SmartConnector to pick up historical events when it is restarted:

1  Stop the SmartConnector.

2  Run arcsight agentsetup from the current/bin directory.

3  When the connector configuration window is shown, click No to enter non-wizard mode.

4  From the menu, check Show Internal Parameters.

5  Highlight the Snort database connector and find the entry called preserve state.

6  Change this entry to true (the default is false).

7  Save the change by clicking OK.

8  Restart the SmartConnector so that the last event ID will be saved the next time you stop the
   SmartConnector.
