

SHA256 checksums of the released packages:

 o hurricane-labs-add-on-for-unified2_105.tgz: 6d3007560d2915a3b4397230cd8161159ad9ffdc91e8ae380db269d96bd01aa1
 o hurricane-labs-add-on-for-unified2_104.tgz: 4d9360a787267fa89a7e3ac86a9e711102b8b4159e51ad6c8603f1c88cdb53eb
 o hurricane-labs-add-on-for-unified2_103.tgz: 069f2bb36a3cede9fb2acd0006ed114fd4f6751dc9943f1e319f4aacdb79db34
 o hurricane-labs-add-on-for-unified2_102.tgz: 53c0f8c997e16236fb5b71a72d839326cc8696c890aae6c6aaa4d44203ee9916
 o hurricane-labs-add-on-for-unified2_101.tgz: 469435b32f89a266f860c307dce8dd5927f1fd0826a23a8534b0be6f41e3ee58
 o hurricane-labs-add-on-for-unified2_10.tgz: e8d09b7d6cb9d7aec682ba9e9f249e005229ecdf4239e80197bf9f15b83b0817


Hurricane Labs Add-On for Unified2

Splunk Cloud
This app has been archived.
This app is NOT supported by Splunk.

What is it?

The Hurricane Labs Add-On for Unified2 is a Splunk Technology Add-On by
Hurricane Labs for parsing data stored by Snort or Suricata in the Unified2
binary format into a Splunk-compatible JSON format. This optionally includes
packet capture data.

This TA is compatible with the "Intrusion Detection" data model in the Common
Information Model. Its data will populate the Intrusion section in Splunk
Enterprise Security as well as other CIM-compliant Intrusion Detection apps,
such as the future Hurricane Labs App for Intrusion Detection.

Installation

This TA should be installed into a forwarder on the Snort/Suricata host (this
can be a Universal, Lightweight or Heavy Forwarder), and the first Splunk
Enterprise system in the receiving chain (the same host if using a LWF or HF,
another Heavy Forwarder, or your Indexer - check outputs.conf). There is no
search head component to this app.

The only required configuration, beyond installation, is done on the
Snort/Suricata host (referred to as 'the forwarder'). The configuration
options can be seen in the unified2.conf file inside default in this app.
There are two sections to this config: output and unified2.

The output section contains configuration for the output of the TA.

 o pretty - enables a more human-readable output that may use more of your
   Splunk license. It is disabled by default.
 o pcap - enables capture and indexing of packet data. This is enabled by
   default.

The unified2 section contains configuration related to your Snort/Suricata
installation. If you have used Barnyard2 and/or PulledPork, you may be
familiar with some of these files.

 o checkpoint_file - this file is used to track the events that have already
   been indexed. This file can be stored anywhere, and defaults to
   /var/log/snort/alert_json.checkpoint
 o input_u2 - Base filename of the Unified2 file written by Snort/Suricata.
   For snort, this is often /var/log/snort/snort.u2 to which Snort then
   appends a timestamp. This setting should NOT have the timestamp
 o sid_msg_map - This is the same as the sid_file config option in
   Barnyard2, and is generated by PulledPork.
 o gen_msg_map - This is the same as the gen_file config option in
   Barnyard2, and is generated by PulledPork.
 o classifications - This is the same as the classification_file config
   option in Barnyard2, and is generated by PulledPork.

Once these settings are configured (which can be done in local/unified2.conf
to avoid future updates from overwriting your settings), you can then enable
the scripted input (in local/inputs.conf) by duplicating the section header
and then setting disabled = 0. You can also adjust the interval (default is
30 seconds), the sourcetype (not recommended), or set an index (default is
main).

After enabling the scripted input, you will need to restart Splunk. The
default behavior, which is not configurable at this time, is to ignore any
alerts in the Unified2 file if the checkpoint file does not exist. That is,
the TA will not index any events that occurred BEFORE it was installed.
After the first run of the script, the checkpoint file will be generated, and
any future alerts will then be indexed.

Licensing

Please see the file called LICENSE.

Contacts

 o Feature requests, bug reports and support questions (provided on a best
   effort basis only) can be sent to splunk-app@hurricanelabs.com

Release Notes

Version 1.0.5
Oct. 19, 2014

This app fixes the following issues:
* Internal .git directory leaked into release
* Fix incorrect handling of events without event_ids (usually packet data)
* Fix for SIDs without an entry in sid-msg.map

Version 1.0.4
Oct. 17, 2014

This release fixes an issue where historical unified2 files were not processed chronologically, leading to incorrect checkpointing and events being indexed multiple times.

Version 1.0.3
Oct. 17, 2014

This version fixes an error when running the scripted input on a Splunk Enterprise system caused by the changes in 1.0.2. The following error would appear in splunkd.log:

10-17-2014 18:41:04.699 -0400 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-unified2/bin/alert_json.sh" splunk.clilib.control_exceptions.ParsingError: ("no 'unified2' stanza exists in unified2.conf. Your configuration may be corrupt or may require a restart.",)

Version 1.0.2
Sept. 19, 2014

This release contains additional fixes for Python OpenSSL errors.

Version 1.0.1
Sept. 16, 2014

This release fixes a bug when Python was compiled against a newer version of OpenSSL than Splunk.

Version 1.0
Sept. 4, 2014

This is the first release of the Hurricane Labs Add-On for Unified2.

