Events from SourceFire do not arrive at Snort collector


Article ID: 177929


Products

Security Information Manager

Issue/Introduction



Symptoms
You have events from SourceFire sent to the SSIM, but they do not arrive at the Snort collector. You may find that these events have instead been processed through the Generic collector.



Resolution

A collector specific to SourceFire is named Symantec™ Event Collector 4.4 for Sourcefire eStreamer.

If you still want to use the Snort collector, you can modify the signature for the Snort collector as a workaround so that SourceFire events appear in the Snort collector. However, there are a number of known issues with using the Snort collector for SourceFire events which cannot be addressed.

To resolve this issue, evaluate your SourceFire events to determine an appropriate signature, then add that signature to the Syslog Director settings for that collector. The signature to be added to the Snort collector until the Sourcefire collector is released in the September Quarter 2010 is:

Snort Signature:Snort:,Snort[,SFIMS, SourceFire:

For more information about Signatures and Syslog Director please see the signatures section in this document.
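The following is an added example, not part of this article or of the SSIM product code. It simulates how a Syslog Director signature list decides whether an inbound syslog line goes to the Snort collector or falls through to the Generic collector, using the default Snort signature beside the workaround signature above. It assumes (the article does not state this) that the signature is a comma-separated list of substrings, that whitespace around each entry is ignored, and that a line matches when any entry occurs in it; the sample events are constructed.

```python
# Added example (not from the Symantec article): simulate Syslog Director
# signature routing for the Snort collector.
# Assumptions (not stated in the article): signature entries are separated by
# commas, surrounding whitespace is ignored, matching is a case-sensitive
# substring test, and any single match routes the line to the collector.

DEFAULT_SNORT_SIGNATURE = "Snort:,Snort["                   # assumed default
WORKAROUND_SIGNATURE = "Snort:,Snort[,SFIMS, SourceFire:"   # from the article


def parse_signature(signature: str) -> list:
    """Split a signature string into its individual match entries."""
    return [entry.strip() for entry in signature.split(",") if entry.strip()]


def route_event(line: str, snort_signature: str) -> str:
    """Return 'Snort' if the line matches any signature entry, else 'Generic'."""
    entries = parse_signature(snort_signature)
    if any(entry in line for entry in entries):
        return "Snort"
    return "Generic"


# Constructed sample syslog lines (not real captures).
SAMPLE_EVENTS = [
    "<33>Sep 1 10:00:01 sensor1 Snort[1234]: [1:2000:3] ICMP test",
    "<33>Sep 1 10:00:02 dc1 SFIMS: [Primary Detection Engine] alert",
    "<33>Sep 1 10:00:03 dc1 SourceFire: correlation event",
    "<34>Sep 1 10:00:04 fw1 kernel: dropped packet",
]


def route_all(signature: str) -> list:
    """Route every sample event and return (line, collector) pairs."""
    return [(line, route_event(line, signature)) for line in SAMPLE_EVENTS]


if __name__ == "__main__":
    for name, sig in (("default", DEFAULT_SNORT_SIGNATURE),
                      ("workaround", WORKAROUND_SIGNATURE)):
        print(f"--- {name} signature: {sig!r}")
        for line, collector in route_all(sig):
            print(f"{collector:8} <- {line}")
```

Under the default signature the two SourceFire lines are routed to the Generic collector; under the workaround signature they reach the Snort collector, while the unrelated firewall line stays Generic in both cases.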




Technical Information
SourceFire is a commercial version of Snort. Our standard Snort signature does not match