Sunday, May 3, 2015

PFSense + Splunk - Security on the cheap - Parsing Snort Logs


Continuing with the Splunk dashboards, let's add a panel for parsed Snort logs.

A Snort alert message looks as follows:
Apr 22 16:33:30 192.168.0.1 Apr 22 20:33:03 snort[64690]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.0.11:49917 -> 72.251.227.249:80

To build out our Snort Monitoring Panel, the following search filter will be used:

host="192.168.0.1" snort NOT "/usr/sbin/cron" | rex field=_raw "\ssnort\[[0-9]*\]:\s\[(?<snort_sid>[0-9:].*?)\]\s\((?<snort_preprocessor>.*)\)\s(?<snort_message>.*)\[Classification:\s(?<snort_classification>.*)\]\s\[Priority:\s(?<snort_priority>[0-9]{1})\]\s\{(?<snort_protocol>.*)\}\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>[0-9].*?)\s\-\>\s(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<d_port>[0-9].*)" | stats count by snort_sid, snort_preprocessor, snort_message,  snort_classification, snort_priority, snort_protocol, src_ip, src_port, dest_ip, d_port | sort snort_priority

Results from our search:



Why would this information be helpful? If you are using a centralized dashboard for all your security monitoring, the panel gives you insight into what is going on in your network. You can then go directly to your Snort device to dig a bit deeper or to perform further analysis.
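To see exactly what the rex in the search above pulls out of an event, here is a Python port of that pipeline (added example, not code from the original post or from pfSense/Splunk). It converts the Splunk `(?<name>...)` groups to Python's `(?P<name>...)`, applies the same host / "snort" / NOT "/usr/sbin/cron" filter, counts by the same fields and sorts by priority. All log lines except the first are constructed for the example; the second-to-last one shows a caveat worth knowing: a rule-based alert has no parenthesized preprocessor name, so this particular regex only matches preprocessor alerts and silently drops the rest. The only deliberate deviation from the page's regex is stripping the trailing space that the greedy `snort_message` group captures.

```python
import re
from collections import Counter

# Python port of the page's Splunk rex. Splunk writes named groups as (?<name>...),
# Python's re module needs (?P<name>...); everything else is unchanged.
SNORT_RE = re.compile(
    r"\ssnort\[[0-9]*\]:\s\[(?P<snort_sid>[0-9:].*?)\]\s"
    r"\((?P<snort_preprocessor>.*)\)\s(?P<snort_message>.*)"
    r"\[Classification:\s(?P<snort_classification>.*)\]\s"
    r"\[Priority:\s(?P<snort_priority>[0-9]{1})\]\s"
    r"\{(?P<snort_protocol>.*)\}\s"
    r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?P<src_port>[0-9].*?)\s\-\>\s"
    r"(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?P<d_port>[0-9].*)"
)

# Same field list as the "stats count by ..." clause in the search.
FIELD_ORDER = [
    "snort_sid", "snort_preprocessor", "snort_message", "snort_classification",
    "snort_priority", "snort_protocol", "src_ip", "src_port", "dest_ip", "d_port",
]

# First line is the sample from the post; the rest are constructed for this example.
SAMPLE_LINES = [
    "Apr 22 16:33:30 192.168.0.1 Apr 22 20:33:03 snort[64690]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.0.11:49917 -> 72.251.227.249:80",
    # constructed: same alert again, so it should count as 2
    "Apr 22 16:34:02 192.168.0.1 Apr 22 20:33:35 snort[64690]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.0.11:49917 -> 72.251.227.249:80",
    # constructed: a priority-2 preprocessor alert, should sort to the top
    "Apr 22 16:35:10 192.168.0.1 Apr 22 20:34:44 snort[64690]: [129:12:1] (snort_stream5) CONSTRUCTED STREAM ALERT "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:443 -> 192.168.0.11:50112",
    # constructed: cron line that mentions snort; the NOT "/usr/sbin/cron" clause drops it
    "Apr 22 16:35:00 192.168.0.1 Apr 22 20:35:00 /usr/sbin/cron[1200]: (root) CMD (/usr/local/bin/snort_check.sh)",
    # constructed: rule-based alert with no "(preprocessor)" part; the regex does not match it
    "Apr 22 16:36:00 192.168.0.1 Apr 22 20:35:30 snort[64690]: [1:1000001:1] LOCAL constructed rule alert "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.168.0.11:5353 -> 224.0.0.251:5353",
]


def parse_snort_line(line):
    """Return the fields the rex would extract, or None when the line does not match
    (in Splunk the fields simply stay empty and the event falls out of the stats)."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # The greedy snort_message group keeps the space before "[Classification:"; drop it.
    fields["snort_message"] = fields["snort_message"].strip()
    return fields


def snort_stats(lines, host="192.168.0.1"):
    """Mimic: host=<host> snort NOT "/usr/sbin/cron" | rex ... | stats count by <fields> | sort snort_priority.
    Splunk leaves ties in priority unordered; here ties are broken by count (desc) then SID for determinism."""
    counts = Counter()
    for line in lines:
        if host not in line or "snort" not in line or "/usr/sbin/cron" in line:
            continue
        fields = parse_snort_line(line)
        if fields is None:
            continue
        counts[tuple(fields[k] for k in FIELD_ORDER)] += 1
    rows = [dict(zip(FIELD_ORDER, key), count=n) for key, n in counts.items()]
    rows.sort(key=lambda r: (r["snort_priority"], -r["count"], r["snort_sid"]))
    return rows


if __name__ == "__main__":
    for row in snort_stats(SAMPLE_LINES):
        print(row["count"], row["snort_priority"], row["snort_sid"], row["snort_message"],
              f'{row["src_ip"]}:{row["src_port"]} -> {row["dest_ip"]}:{row["d_port"]}')
```

Running it prints the priority-2 row first, then the DOUBLE DECODING ATTACK row with a count of 2; the cron line and the rule-based alert never reach the table. If you want rule-based alerts in the panel as well, the `\((?<snort_preprocessor>.*)\)\s` part of the rex would need to be made optional, which is a change to the search on this page rather than something the example does for you.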

Hope you find this helpful, and see you in the post on Parsing ARPWatch Logs.

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs


2 comments:

  1. Interesting information. This is just the kind of information that I had been looking for. I'm already your RSS reader now and I would regularly watch out for the new posts. Thanks a million once again. Regards, servicenow training in hyderabad, splunk training in hyderabad, cornish hen recipe

  2. Nasreen,
    Thanks for the comment. I'm glad you were able to find just the kind of information you were looking for on my blog.
