This application ingests the Unified2 logs from Barnyard2 on a pfSense firewall running Snort, where Barnyard2 is configured to output the information to Splunk via the UDP protocol on port 514. The application's data input is configured to do multiline reads of the incoming data, and the app provides a graphical display on the dashboard along with a map pinpointing the source IP locations. The application sets Splunk's default dashboard to that of the application.
This app is maintained by Darryl Mackay darryl_mackay@axxess.co.za. Suggestions for improvements and fixes for problems are welcome.
This app is provided as freeware.
Splunk version 6.5.2
pfSense version 2.3.2-RELEASE-p1
pfSense-pkg-snort version 3.2.9.2_16 (which consists of Barnyard2 version 1.13 and Snort version 2.9.8.3)
1.0.4 - Removed the need to use the MAXMIND Geo Location Lookup Script.
- Changed output in the Classification table where Generator ID, Signature ID and Signature Revision (as Snort ID) are in one column and Classification is in another column. Added row numbers to the table.
- Changed output in the Threats table where Generator ID, Signature ID and Signature Revision (as Snort ID) are in one column and Threats is in another column. Added row numbers to the table.
- Added static/appIconAlt.png and static/appIconAlt_2x.png to the app.
1.0.3 - Concatenated Generator ID, Signature ID, Signature Revision and Classification in the Classification table, to provide a better breakdown of the classification of the threats detected.
- Concatenated Generator ID, Signature ID, Signature Revision and Description in the Threats table, to provide a better breakdown of the description of the threats detected.
1.0.2 - Fixes for app certification by Splunk App Certification Team
- This README file and app icons
1.0.1 - Cosmetic changes to Table column headers
1.0 - Initial app submitted for certification
When installing the Snort for Splunk app, the Data Input must be created before the Barnyard2 Syslog Output Settings are configured, so that Barnyard2 logging does not fail when Snort is started or restarted.
1.) To install the app, download the app to a suitable download location.
2.) Open Splunk and click on the Manage Apps icon.
3.) Click on the Install app from file button.
4.) In the Upload app window, select the Browse button under File and locate the SnortforSplunk.spl file in the download location from step 1.
5.) Click the Upload button to install the app.
6.) Once the app is installed, follow the next steps to set up the Data Input.
7.) Under Splunk -> Settings -> Data Inputs -> Local Inputs -> UDP -> Click the New button.
8.) In the Port field under Add Data -> Select Source, enter 514 for the port to be used.
9.) In the Only accept connection from field under Add Data -> Select Source, enter the IP address of the pfSense appliance (in the format XXX.XXX.XXX.XXX) and click Next.
10.) From the Source Type dropdown under Add Data -> Input Settings, select Network and Security -> snort.
11.) From the App Context dropdown under Add Data -> Input Settings, select Snort for Splunk.
12.) Click the Review button.
13.) Once satisfied with the settings, click the Submit button.
1.) The setup assumes that pfSense version 2.3.2-RELEASE-p1 is being used as a firewall, along with pfSense-pkg-snort version 3.2.9.2_16 (which includes Barnyard2 version 1.13 and Snort version 2.9.8.3), and that this has been properly set up.
2.) Select Services -> Snort from the main menu and this will show the Snort Interfaces page.
3.) Select the Edit option (Pencil icon) under the Actions column on the page adjacent to the interface to be captured.
4.) Under the submenu, select the {Interface} Barnyard2 tab (where {Interface} is WAN, LAN, or whichever interface has been set up on pfSense).
5.) Under General Barnyard2 Settings, make sure the following are checked:-
- Enable Barnyard2
- Show Year
- Archive Unified2 Logs
and leave the rest of these settings on their default values.
6.) Scroll down to Syslog Output Settings and select Enable Syslog.
7.) Under Remote Host enter the IP address of the Splunk server that is receiving the log files from Barnyard2.
8.) Under Remote Port enter the port of the Splunk server that is receiving the log files from Barnyard2 (default is port 514).
9.) Change Log Facility from default to LOG_AUTH.
10.) Change Log Priority from default to LOG_ALERT.
11.) With all the settings done click on the Save button at the bottom.
12.) Click on the Snort Interfaces menu item and under the Snort Status column, click on the icon to start/restart the Snort interface.
13.) Check on the Splunk server that the information logged by Barnyard2 is captured by the app.
The Snort for Splunk app extracts the following fields from the Barnyard2 logs:-
- generator_id - The Snort generator ID value.
- signature_id - The Snort signature ID value.
- sigrev_id - The Snort signature revision ID value.
- description - The threat description.
- classification - The threat classification.
- priority - The threat priority level.
- interface - The interface receiving the hits.
- protocol - The network protocol of the threat.
- source_ip - The originating IP address of the threat.
- source_port - The source port of the threat.
- destination_ip - The destination IP address of the threat.
- destination_port - The destination port of the threat.
The time window for each of the listed items below can be adjusted individually as needed, with the default time window being 60 minutes.
The first pie chart graphs the top 10 source IP addresses (in a 60 minute window from the current time) that threats have originated from.
The second pie chart graphs the top 10 source ports (in a 60 minute window from the current time) that threats have originated from.
The third pie chart graphs the top 10 destination ports (in a 60 minute window from the current time) that threats are attempting to exploit.
The fourth pie chart graphs the top 10 protocols (in a 60 minute window from the current time) that are used in the communication process.
The first table shows the top 10 classifications (in a 60 minute window from the current time) of the threats.
The second table shows the top 10 threats (in a 60 minute window from the current time) as per the Snort VRT/Emerging Threat rules.
The map shows the location of the top 10 source IP addresses (in a 60 minute window from the current time) using a cluster map and the geostats command available in Splunk.
The last table shows the location of the top 10 source IP addresses, Cities, Regions and Countries etc. (in a 60 minute window from the current time).
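An offline parser for Barnyard2 syslog messages of the kind the app ingests, added here as an example (it is not code from the Snort for Splunk app). It shows the twelve fields listed above being extracted, the "Snort ID" (gid:sid:rev) column built from them, the same top-10 counts the pie charts and tables display, and a check that the sender really uses LOG_AUTH/LOG_ALERT as the Barnyard2 setup steps require (those map to a syslog PRI of 33). The message layout it assumes, the " | " sensor prefix, the sample lines, rule names and SIDs are all constructed for the example and may differ from what pfSense's Barnyard2 emits; compare against the raw events in Splunk and adjust ALERT_RE accordingly. Addresses are matched as IPv4 only, since an IPv6 "address:port" is ambiguous in this text form.

```python
"""Offline parser for Barnyard2 syslog alerts of the kind this app ingests.

Added example, not code from the Snort for Splunk app. Assumed message layout
(constructed; pfSense's Barnyard2 may put a different prefix in front of the
alert text, in which case ALERT_RE needs adjusting):

    <PRI>Mon DD HH:MM:SS host barnyard2[pid]: SENSOR | [gid:sid:rev] msg
        [Classification: c] [Priority: p] {PROTO} src[:sport] -> dst[:dport]
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Syslog facility/severity codes. The Barnyard2 steps ask for LOG_AUTH and
# LOG_ALERT, so a correctly configured sender produces PRI = 4 * 8 + 1 = 33.
LOG_AUTH = 4
LOG_ALERT = 1
EXPECTED_PRI = LOG_AUTH * 8 + LOG_ALERT

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # IPv4 only: IPv6 "addr:port" is ambiguous here

# The twelve fields the README lists, captured by name. Ports are optional
# because ICMP alerts carry none ("{ICMP} 198.51.100.7 -> 203.0.113.2").
ALERT_RE = re.compile(
    r"(?:(?P<interface>[A-Za-z0-9_.-]+)\s*\|\s*)?"  # assumed sensor/interface prefix
    r"\[(?P<generator_id>\d+):(?P<signature_id>\d+):(?P<sigrev_id>\d+)\]\s+"
    r"(?P<description>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<protocol>[A-Za-z0-9]+)\}\s+"
    rf"(?P<source_ip>{IPV4})(?::(?P<source_port>\d+))?\s+->\s+"
    rf"(?P<destination_ip>{IPV4})(?::(?P<destination_port>\d+))?"
)

INT_FIELDS = ("generator_id", "signature_id", "sigrev_id", "priority",
              "source_port", "destination_port")


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Extract the app's fields from one syslog line; None if it is not an alert.

    The PRI header is decoded too, so a sender that was not switched to
    LOG_AUTH/LOG_ALERT shows up as pri_ok == False instead of being silently
    accepted.
    """
    alert = ALERT_RE.search(line)
    if alert is None:
        return None
    rec: Dict[str, object] = alert.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["interface"] = rec["interface"] or "unknown"
    # "Snort ID" as shown in the Classification and Threats tables: gid:sid:rev
    rec["snort_id"] = "%s:%s:%s" % (rec["generator_id"], rec["signature_id"], rec["sigrev_id"])
    pri_match = PRI_RE.match(line)
    if pri_match:
        rec["facility"], rec["severity"] = divmod(int(pri_match.group("pri")), 8)
    else:
        rec["facility"] = rec["severity"] = None
    rec["pri_ok"] = (rec["facility"], rec["severity"]) == (LOG_AUTH, LOG_ALERT)
    return rec


def top_n(records: Iterable[Dict[str, object]], field: str, n: int = 10) -> List[Tuple[object, int]]:
    """Same aggregation as the dashboard's top-10 panels: count values of one field."""
    return Counter(r[field] for r in records if r.get(field) is not None).most_common(n)


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Parse a batch of lines and build the counts the dashboard panels show."""
    records = [r for r in (parse_alert(line) for line in lines) if r is not None]
    return {
        "parsed": len(records),
        "bad_pri": [r["snort_id"] for r in records if not r["pri_ok"]],
        "top_source_ip": top_n(records, "source_ip"),
        "top_destination_port": top_n(records, "destination_port"),
        "top_protocol": top_n(records, "protocol"),
        "top_classification": top_n(records, "classification"),
    }


# Constructed sample messages (not real captures; rule names and SIDs are made up).
# The fourth carries PRI 38 (auth.info), i.e. a sender whose Log Priority was not
# changed to LOG_ALERT; the last is an unrelated sshd line that must be ignored.
SAMPLE_LINES = [
    "<33>Jan 20 10:25:22 pfsense barnyard2[33211]: WAN | [1:100001:1] SAMPLE ICMP echo request "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 203.0.113.2",
    "<33>Jan 20 10:25:23 pfsense barnyard2[33211]: WAN | [1:100002:2] SAMPLE SCAN SIP OPTIONS sweep "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5060 -> 203.0.113.2:5060",
    "<33>Jan 20 10:25:25 pfsense barnyard2[33211]: WAN | [1:100003:1] SAMPLE SCAN inbound MySQL probe "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.44:51432 -> 203.0.113.2:3306",
    "<38>Jan 20 10:25:26 pfsense barnyard2[33211]: LAN | [129:12:1] SAMPLE stream small segments "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.0.15:49152 -> 203.0.113.9:443",
    "<33>Jan 20 10:25:27 pfsense sshd[1200]: Accepted publickey for admin from 10.0.0.5 port 50122",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(key, value)
```

Running the module prints the per-panel counts for the constructed sample; the "bad_pri" list is the practical check for step 9 and 10 of the Barnyard2 setup, since an event arriving with any facility/severity other than auth.alert means the pfSense side was left on a different setting.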