Snort IDS/IPS Integration
Overview
Snort is an open-source network intrusion detection and prevention system. KYRA MDR collects Snort alerts via syslog for signature-based network threat detection; each collected event is the text alert line Snort emits for a rule match (rule identifier, message, classification, priority, protocol and endpoints), not the matching packet. Snort 2.9.x and Snort 3.x are supported.
Prerequisites
- A KYRA MDR Collector installed and running
- Snort installed and configured with active rulesets
- Network connectivity from the Snort sensor (or, for Snort 3.x, from the sensor's syslog daemon that forwards on its behalf) to the collector on port 514 (syslog, UDP by default), including through any intervening firewall
- Snort community or subscriber rules
Configuration
Configure Snort to send alerts via syslog. In both versions the alert line carries [gid:sid:rev], the rule message, classification, priority, protocol and source/destination address:port.
For Snort 2.9, add to snort.conf. The host option makes Snort send directly to the collector over UDP, using the auth facility and the alert level:
```
output alert_syslog: host=<collector-ip>:514, LOG_AUTH LOG_ALERT
```
For Snort 3.x, alert_syslog has no host option: it writes through the local syslog daemon. Configure the facility and level in snort.lua, then add a forwarding rule to the sensor's rsyslog or syslog-ng for the auth facility to <collector-ip>:514 (in rsyslog, a rule of the form `auth.* @<collector-ip>:514`; use `@@` for TCP):
```
-- snort.lua
alert_syslog =
{
    facility = 'auth',
    level = 'alert',
}
```
Restart Snort (the unit name may differ by distribution, e.g. snort3):
```
sudo systemctl restart snort
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Alert | One syslog line per rule match: [gid:sid:rev], rule message, classification, priority, protocol, source and destination | Intrusion detection |
| Priority 1 | Alerts with priority 1, the highest severity in Snort's classification.config (a rule's priority keyword can override the class default) | Immediate threat response |
| Priority 2 | Alerts with priority 2 (medium severity in Snort's default classification.config) | Threat investigation |
| Flow | Network session context for an alert; not included in the alert_syslog line, so it requires a separate Snort output (e.g. unified2) and its own collection path | Traffic analysis |
| Packet | Packet capture on alert; not carried over syslog, so it requires Snort's packet logging (e.g. log_tcpdump or unified2) and its own collection path | Forensic analysis |
| Classification | The [Classification: ...] field of each alert, taken from classification.config, which also determines the default priority | Threat categorization |
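To see what the collector actually receives and how the priority field maps to the response actions in the table above, the following script parses Snort alert_syslog lines and triages them by priority. It is an added example written for this page, not KYRA MDR or Snort code. The syslog lines, the sensor name `sensor1`, and the local rules with SIDs 1000001 and 1000002 are constructed; the unquoted message is the Snort 2.9 format and the double-quoted message is the Snort 3.x format, and the parser accepts both. Lines that are not alerts (Snort's own start-up chatter reaches syslog too) are counted as skipped rather than dropped silently.

```python
"""Parse Snort alert_syslog lines (Snort 2.9 and 3.x formats) and triage by priority."""
import re
from collections import Counter

# Constructed sample lines as they arrive on the collector with an RFC 3164
# header. Addresses are RFC 5737 documentation ranges; SIDs >= 1000000 are the
# local-rule range, so 1000001/1000002 are hypothetical local rules.
SAMPLE_LINES = [
    # Snort 2.9 format: unquoted rule message
    "Jan 10 12:00:01 sensor1 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234",
    # Snort 3.x format: double-quoted rule message
    "Jan 10 12:00:02 sensor1 snort[1234]: [1:1000001:1] \"LOCAL EXPLOIT admin shell on non-standard port\" "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:4444 -> 192.0.2.20:22",
    # Rule without a classtype (no Classification field) and a protocol without ports
    "Jan 10 12:00:03 sensor1 snort[1234]: [1:1000002:1] LOCAL POLICY outbound ICMP to untrusted net "
    "[Priority: 3] {ICMP} 192.0.2.10 -> 203.0.113.5",
    # Not an alert: Snort start-up messages land in syslog too and must be skipped
    "Jan 10 11:59:59 sensor1 snort[1234]: Commencing packet processing (pid=1234)",
]

# Alert body: [gid:sid:rev] "msg" [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r'"?(?P<msg>.+?)"?\s+'
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)
# RFC 3164 header: timestamp, hostname, program[pid]:
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<prog>\S+?)(?:\[\d+\])?:\s"
)

# Priority-to-action mapping from the table above; priority 3 and lower are monitored.
ACTION_BY_PRIORITY = {1: "immediate", 2: "investigate"}


def parse_alert(line):
    """Return a dict of alert fields for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    h = HEADER_RE.match(line)
    d = m.groupdict()
    return {
        "sensor": h.group("host") if h else None,
        "timestamp": h.group("ts") if h else None,
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["classification"],   # None when the rule has no classtype
        "priority": int(d["priority"]),
        "proto": d["proto"].upper(),
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def triage(alert):
    """Map the alert's priority to the response action used in the table above."""
    return ACTION_BY_PRIORITY.get(alert["priority"], "monitor")


def summarize(lines):
    """Parse a batch of syslog lines; count alerts per triage action and non-alert lines skipped."""
    actions = Counter()
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        actions[triage(alert)] += 1
    return {"alerts": sum(actions.values()), "skipped": skipped, "by_action": dict(actions)}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        alert = parse_alert(line)
        if alert:
            print(f"{triage(alert):11s} [{alert['gid']}:{alert['sid']}:{alert['rev']}] "
                  f"P{alert['priority']} {alert['proto']} {alert['src']}:{alert['sport']} -> "
                  f"{alert['dst']}:{alert['dport']}  {alert['msg']}")
    print(summarize(SAMPLE_LINES))
```

The regex anchors on the `[gid:sid:rev]` token rather than on the syslog header, so the same parser works whether the line comes straight from Snort 2.9's alert_syslog or has been relayed by the sensor's rsyslog, and a missing Classification field (rules without a classtype) does not break parsing.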
Troubleshooting
No alerts generated: Verify that the configuration and rules load cleanly with snort -T -c /etc/snort/snort.conf (Snort 2.9) or snort -c /etc/snort/snort.lua -T (Snort 3.x; adjust the path to your install). Then confirm the sensor actually sees the traffic on its monitoring interface (SPAN, TAP or inline pair) and send test traffic that matches a rule you know is enabled.
Missing syslog output: Confirm the alert_syslog output is configured (Snort 2.9: the output alert_syslog line in snort.conf; Snort 3.x: the alert_syslog table in snort.lua plus a forwarding rule in the sensor's syslog daemon) and restart Snort after changes. On a Snort 3.x sensor, check that alerts appear in the local syslog (auth facility) before looking at the collector. On the collector, confirm the lines arrive with tcpdump -ni <iface> udp port 514.
High false positive rate: Tune the rules rather than filtering at the collector: disable noisy signatures, and use event_filter (the replacement for the deprecated standalone threshold directive) and suppress entries keyed by gen_id/sig_id and, where appropriate, by source or destination address, so that a single chatty host cannot flood the collector.
Contact kyra@seekerslab.com for support.