Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
410
Views
0
Helpful
3
Replies

MARS and SNORT

adenter
Level 1
Level 1

‎03-19-2006 12:30 PM - edited ‎03-09-2019 02:19 PM

Has anyone tackled error messages when recieving events from Snort 2.3.3? MARS says Unknown Device Event Type for everything so far. Drill down on the raw shows semi important things like an nmap probe or a port scan but MARS template doesnt seem to recognize.

Labels:
0 Helpful
3 Replies 3

dmitry
Level 1
Level 1

‎03-23-2006 07:57 PM

my guess that MARS expects the Snort syslog messages with a certain facility - LOCAL4 to start parsing / matching the Snort events to the local signatures:

output alert_syslog: LOG_LOCAL4 LOG_ALERT

0 Helpful

bcarroll
Level 1
Level 1

‎03-28-2006 12:00 PM

My guess is its a support issue. Are you running MARS 4.1.4? According to the release notes at http://www.cisco.com/en/US/products/ps6241/prod_release_note09186a0080607e86.html#wp1124250 it says that version of snort is a new vendor.

0 Helpful

adenter
Level 1
Level 1

‎03-28-2006 03:24 PM

I rcvd a note from a Protego/Cisco person who explained that SNORT support is for generator with ID of 1 only. The generator that I was seeing was Portscan with an ID of 122.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents