Welcome to Snort Alert for Splunk!
This app provides field extractions for Snort alert logs (fast and full) as well as dashboards, saved searches, reports, event types, tags and event search interfaces.
This app is maintained by Guillaume Pierre Fransen gfransen@splunk.com. Suggestions and bug reports are appreciated.
While this app is not formally supported, the developer can be reached at gfransen@splunk.com OR in splunk-usergroups slack, @Guillaume Pierre Fransen. Responses are made on a best effort basis. Feedback is always welcome and appreciated!
Thanks to Patrik Nordlén for developing the now archived "Splunk for Snort" app which this is inspired by.
To install, extract the .spl file into $SPLUNK_HOME/etc/apps.
You will need to enable the appropriate inputs, either via inputs.conf or through the Manager in the Splunk GUI. Splunk for Snort expects full alert logs to have a sourcetype of "snort_alert_full" and fast alert logs to have a sourcetype of "snort_alert_fast". Note that you don't need both types; either one will do - these distinctions are only there to make sure that Splunk parses the logs correctly. Sourcetypes are renamed to "snort" at search time, so if you do have both full and fast logs you won't need to worry about searching separately for each corresponding sourcetype.
For Splunk Cloud, refer to Install apps in your Splunk Cloud deployment. For customer-managed deployments, refer to the standard methods for Splunk Add-on installs as documented for a Single Server Install or a Distributed Environment Install.
The most basic feature provided by this app is to extract fields from Snort logs. The following fields are extracted for both full and fast:
* src_ip (Source IP address)
* dst_ip (Destination IP address)
* src_port (Source port)
* dest_port (Destination port)
* proto (Network protocol)
* generator_id (ID value of the Snort generator)
* signature (SID value of the signature)
* signature_rev (Signature revision)
* interface (Network interface)
* name (Signature name)
* category (Signature category)
* classification (Signature classification)
* priority (Signature priority)
The following fields are extracted for full only (as they are not available in fast):
* ttl (Packet TTL)
* tos (Type of Service)
* id (Unique ID for the event)
* iplen (Packet IP header length)
* dgmlen (Packet total length)
* bytes_in (Packet total length)
These field extractions are applied to all logs with sourcetype "snort" (which includes sourcetypes "snort_alert_fast" and "snort_alert_full" as they are renamed to "snort" at search time).
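As an added example (not code from the app), the following Python parser pulls the shared field set listed above out of constructed Snort 2 alert_fast lines, using the app's field names; the regex and the optional `<interface>` token are assumptions about fast-format output, and category is omitted because the page does not say how it is derived.

```python
import re
from typing import Optional

# Constructed sample lines in Snort "alert_fast" format (not taken from the page).
SAMPLE_FAST_ALERTS = [
    "01/25-12:34:56.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234",
    "01/25-12:35:01.000001  [**] [1:382:7] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "garbage line that should not match",
]

# Group names follow the app's extraction list (src_ip, dst_ip, src_port, dest_port, ...).
# The optional "<iface>" token is an assumption about how interface tagging looks; IPv4 only.
FAST_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:<(?P<interface>[^>]+)>\s+)?"
    r"\[\*\*\]\s+\[(?P<generator_id>\d+):(?P<signature>\d+):(?P<signature_rev>\d+)\]\s+"
    r"(?P<name>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dest_port>\d+))?\s*$"
)

INT_FIELDS = ("generator_id", "signature", "signature_rev", "priority", "src_port", "dest_port")


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the app's field set for one alert_fast line, or None if the line does not match."""
    match = FAST_RE.match(line.strip())
    if not match:
        return None
    fields = match.groupdict()
    # Ports are absent for ICMP, so only convert the numeric fields that are present.
    for key in INT_FIELDS:
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def parse_many(lines) -> list:
    """Parse a batch of lines, dropping any that do not match (as a search-time extraction would)."""
    return [f for f in (parse_fast_alert(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for event in parse_many(SAMPLE_FAST_ALERTS):
        print(event["src_ip"], "->", event["dst_ip"], event["proto"], event["name"])
```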
The app includes a custom search interface for Snort events, available under "Snort event search". This interface shows event tables and statistics for issued searches.
A number of dashboards and reports are provided containing the most common information that is usually requested.
Minor update from 1.1.0 to 1.1.1 to assure compliance with Splunk Cloud security standards.
Updated app to comply with Splunk Cloud security requirements.