Written by I've recently had to deploy an OSSIM installation and had a
very hard time dealing with the SNARE integration. The documentation provided by ossim is very scattered and imprecise. These are the steps I've followed to get SNARE integrated in OSSIM.
Install OSSIM on the server. Have a Windows machine ready to test this out.
Follow this guide to install SNARE on windows and to activate the SNARE plugin on the server. When u get to the part where it says “That’s all. Now you can view the Windows events at the framework.”, if you encouter the same issues i did you will be surprised that nothing actually shows in the OSSIM web interface. To fix that do the following:
Make sure you configure snare to use “;” as a log delimiter. To do that use the following instructions:
Windows uses by default the space character to separate the different fields in the
log, you will need to change this delimiter and use “;” to allow AlienVault collecting
events.
This delimiter can be changed in the Windows registry using the regedit tool.
HKEY_LOCAL_MACHINE/SOFTWARE/InterSect Alliance/AuditService/Config/Delimiter
After changing the delimiter you will need to restart the Snare Service.
Go to your snare interface on the Windows machine ( http://localhost:6161) – go to Network Configuration and make sure that:
| Destination Snare Server address | |
| Destination Port | |
If you followed the above mentioned pdf guide right the other SNARE parameters should be right.
At this point you can start logging in and out of the Windows machine and that should show up in your server in the syslog ( tail -f /var/log/syslog ). If that is the case than you're almost done 
A bit of theory (if you didn't have the time to read the ossim documentation) for you to understand how things work with ossim plugins, specifically SNARE here. The snare gathers the logs from the Windows machine and sends them to your server's syslog. From there the ossim-agent reads the syslog, parses it and when it matches a row, normalizes it and sends
it to the ossim-server which stores it in the database and displays it on the interface. ( please correct me if I'm wrong).
The issue that i had was that the default snare.cfg ( /etc/ossim/agents/plugins/snare.cfg) didn't have the right regex rules configured in it by default and thus was not matching anything from the syslog.
After replacing the original snare.cfg with the one i found here and restarting the ossim-agent the windows events started showing up in the web interface.
Hope this helps, it took me 3 days and 2 sleepless nights to figure this out. Feel free to ask any questions related to this post.
Useful links:
Thank you, it was very helpful – this was my second day working with snare, and i was almost gave it up !!!
I am glad it was of help. I was in the same situation so i know how it feels. Greetings
in destination ; I should put the ossim address ; no ?
correct.
ok so I have this bizarre problem here ; in snare.log I can find logs but it s not showing up in ossim SIEM , also snare is not displayed in datasources ; ps : I m running ossim v 4
any suggestions ??
hi Is working, but i dont’s see the information in the web on alienvault can you helme please !!!!
Greetings