SHA256 checksum (snort-for-splunk_104.tgz): 382593edbfbb989b99424431771f9956d6e6d9de8ee7b0de0bdbfbb4e13772b5
Snort for Splunk

This app has been archived.
This app is NOT supported by Splunk.

Introduction

This application ingests the Unified2 alert logs produced by Barnyard2 on a pfSense firewall running Snort, where Barnyard2 is configured to forward the alerts to Splunk as syslog over UDP port 514. The app reads the incoming data as multiline events and provides a graphical dashboard, including a map pinpointing the location of each source IP address. Installing the app also changes the default Splunk dashboard to the app's own dashboard.

This app is maintained by Darryl Mackay darryl_mackay@axxess.co.za. Suggestions for improvements and fixes for problems are welcome.

License Information

This app is provided as freeware.

Requirements

Splunk version 6.5.2
pfSense version 2.3.2-RELEASE-p1
pfSense-pkg-snort version 3.2.9.2_16 (which consists of Barnyard2 version 1.13 and Snort version 2.9.8.3)

Version History

1.0.4 - Removed the need to use the MAXMIND Geo Location Lookup Script.
- Changed output in the Classification table where Generator ID, Signature ID and Signature Revision (as Snort ID) are in one column and Classification is in another column. Added row numbers to the table.
- Changed output in the Threats table where Generator ID, Signature ID and Signature Revision (as Snort ID) are in one column and Threats is in another column. Added row numbers to the table.
- Added static/appIconAlt.png and static/appIconAlt_2x.png to the app.

1.0.3 - Concatenated Generator ID, Signature ID, Signature Revision and Classification in the Classification table, to provide a better breakdown of the classification of the threats detected.
- Concatenated Generator ID, Signature ID, Signature Revision and Description in the Threats table, to provide a better breakdown of the description of the threats detected.

1.0.2 - Fixes for app certification by Splunk App Certification Team
- This README file and app icons

1.0.1 - Cosmetic changes to Table column headers

1.0 - Initial app submitted for certification

Installation

When installing the Snort for Splunk app, create the Splunk Data Input before configuring the Barnyard2 Syslog Output Settings on pfSense; this prevents Barnyard2 logging from failing when Snort is started or restarted.

App Installation

1.) To install the app, download the app to a suitable download location.
2.) Open Splunk and click on the Manage Apps icon.
3.) Click on the Install app from file button.
4.) In the Upload app window, select the Browse button under File and locate the SnortforSplunk.spl file in the download location in step 1.
5.) Click the Upload button to install the app.
6.) Once the app is installed follow the next steps to setup the Data Input.
7.) Under Splunk -> Settings -> Data Inputs -> Local Inputs -> UDP -> Click the New button.
8.) In the Port field under Add Data -> Select Source, enter 514 for the port to be used.
9.) In the Only accept connection from field under Add Data -> Select Source, enter the IP address of the pfSense appliance (in the format XXX.XXX.XXX.XXX) and click Next.
10.) From the Source Type dropdown under Add Data -> Input Settings, select Network and Security -> snort.
11.) From the App Context dropdown under Add Data -> Input Settings, select Snort for Splunk.
12.) Click the Review button.
13.) Once satisfied with the settings, click the Submit button.

pfSense Setup

1.) The setup assumes that pfSense version 2.3.2-RELEASE-p1 is being used as a firewall, along with pfSense-pkg-snort version 3.2.9.2_16 (which includes Barnyard2 version 1.13 and Snort version 2.9.8.3) and that this has been properly setup.
2.) Select Services -> Snort from the main menu and this will show the Snort Interfaces page.
3.) Select the Edit option (Pencil icon) under the Actions column on the page adjacent to the interface to be captured.
4.) Under the submenu, select the {Interface} Barnyard2 (substitute {interface} for either WAN or LAN or as has been setup on pfSense).
5.) Under General Barnyard2 Settings, make sure the following are checked:-
- Enable Barnyard2
- Show Year
- Archive Unified2 Logs
and leave the rest of these settings on their default values.
6.) Scroll down to Syslog Output Settings and select Enable Syslog
7.) Under Remote Host enter the IP address of the Splunk server that is receiving the log files from Barnyard2.
8.) Under Remote Port enter the port of the Splunk server that is receiving the log files from Barnyard2 (default is port 514).
9.) Change Log Facility from default to LOG_AUTH.
10.) Change Log Priority from default to LOG_ALERT.
11.) With all the settings done click on the Save button at the bottom.
12.) Click on the Snort Interfaces menu item and under the Snort Status column, click on the icon to start/restart the Snort interface.
13.) Check on the Splunk server that the information logged by Barnyard2 is captured by the app.

Information about Snort for Splunk

Fields extracted from the logs

The Snort for Splunk app extracts the following fields from the Barnyard2 logs:-

- generator_id - The Snort generator ID value.
- signature_id - The Snort signature ID value.
- sigrev_id - The Snort signature revision ID value.
- description - The threat description.
- classification - The threat classification.
- priority - The threat priority level.
- interface - The interface receiving the hits.
- protocol - The network protocol of the threat.
- source_ip - The originating IP address of the threat.
- source_port - The source port of the threat.
- destination_ip - The destination IP address of the threat.
- destination_port - The destination port of the threat.

Dashboard

The time window for each of the listed items below can be adjusted individually as needed, with the default time window being 60 minutes.

The first pie chart graphs the top 10 source IP addresses (in a 60 minute window from the current time) that threats have originated from.
The second pie chart graphs the top 10 source ports (in a 60 minute window from the current time) that threats have originated from.
The third pie chart graphs the top 10 destination ports (in a 60 minute window from the current time) that threats are attempting to exploit.
The fourth pie chart graphs the top 10 protocols (in a 60 minute window from the current time) that are used in the communication process.
The first table shows the top 10 classifications (in a 60 minute window from the current time) of the threats.
The second table shows the top 10 threats (in a 60 minute window from the current time) as per the Snort VRT/Emerging Threat rules.
The map shows the location of the top 10 source IP addresses (in a 60 minute window from the current time) using a cluster map and the geostats command available in Splunk.
The last table shows the location of the top 10 source IP addresses, Cities, Regions and Countries etc. (in a 60 minute window from the current time).
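As an added example (not the app's own props.conf/transforms.conf extraction rules), the following Python code pulls the fields listed under "Fields extracted from the logs" out of Barnyard2 alert_syslog lines and then computes the dashboard's first chart, the count of alerts per source IP address. The sample lines, the position of the `<interface>` tag and the IPv4-only address format are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of Barnyard2 alert_syslog lines as pfSense would forward
# them over UDP/514 (the syslog priority/timestamp header is already stripped).
# Layout assumed here: [gid:sid:rev] <iface> msg [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# The last line mimics a portscan alert, which carries no classification and no ports.
SAMPLE_ALERTS = """\
snort[57123]: [1:2100498:7] <em0> GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.10:52344
snort[57123]: [1:2008578:7] <em0> ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.23:5060 -> 192.0.2.10:5060
snort[57123]: [1:2008578:7] <em0> ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.23:5061 -> 192.0.2.10:5060
snort[57123]: [122:1:1] <em0> (portscan) TCP Portscan [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.10
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[(?P<generator_id>\d+):(?P<signature_id>\d+):(?P<sigrev_id>\d+)\]\s+"
    r"(?:<(?P<interface>[^>]+)>\s+)?"                       # interface tag is optional
    r"(?P<description>.*?)\s+"                               # lazy: stops before the brackets
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"  # absent on portscan alerts
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<protocol>[^}]+)\}\s+"
    rf"(?P<source_ip>{IPV4})(?::(?P<source_port>\d+))?\s+->\s+"
    rf"(?P<destination_ip>{IPV4})(?::(?P<destination_port>\d+))?\s*$"
)
INT_FIELDS = ("generator_id", "signature_id", "sigrev_id", "priority", "source_port", "destination_port")


def parse_alert(line):
    """Return the twelve extracted fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in INT_FIELDS:
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def parse_alerts(text):
    """Parse every line, silently skipping lines that are not Barnyard2 alerts."""
    return [f for f in (parse_alert(line) for line in text.splitlines()) if f]


def top_source_ips(alerts, n=10):
    """Alerts per source_ip, as in the dashboard's first pie chart (top 10 source IPs)."""
    return Counter(a["source_ip"] for a in alerts).most_common(n)


def snort_id(alert):
    """Generator ID, Signature ID and Signature Revision joined as the tables' Snort ID column."""
    return f"{alert['generator_id']}:{alert['signature_id']}:{alert['sigrev_id']}"
```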

Release Notes

Version 1.0.4
Feb. 12, 2017