How can I integrate Snort3 with my existing SO setup with Managersearch and Sensor node.

[kunalhiremath]

Hi,
I want to integrate Snort3 to my existing Securityonion setup in which I have configured Managersearch and Sensor node. I want to integrate Snort IDS and forward the logs to elasticsearch. Is there any way to do so. Do you have any documentation for it.

[presianbg]

Hi,

Elastic has Snort integration by default:
https://docs.elastic.co/en/integrations/snort

In theory you should be able to:

1. Install Elastic Agent in standalone mode and configure it;
2. Send the snort logs to the Elastic Agent;
3. Ship the logs to the Security Onion ElasticSearch via the agent, do not forget to run the appropriate so-allow commands.

I haven't tried this path myself, but it should be working.

EDIT:
Or use the filebeat module:
https://docs.securityonion.net/en/2.3/filebeat.html#modules ,which should be way easier to incorporate.

EDIT2:
Looks like few days ago there were similar discussion to this one:
#9705 (comment)

So... forget about what I said about Elastic Agent :)

Cheers,
PY

[kunalhiremath]

Thanks @presianbg

[kunalhiremath]

Hey @presianbg I followed your solution but I am facing some issues will you please check it out
I have posted the link below:
#9886 (comment)