
Snort -> Unified2 -> Barnyard2 -> Local-Syslog -> Splunk


Paul Sarone

Sep 25, 2009, 3:51:26 AM
Hello folks,

I’m using a setup according to the topic.

What I basically want is to have my Snort data indexed and searchable
with Splunk. I want it more verbose though.

Running FreeBSD 7.2, Snort (2.8.4.1), Barnyard2 (2.1.6), syslog and
Splunk 4.0.3. Everything is built from the ports system except Splunk.

Interesting parts from the different config files are:

---

snort.conf:

output unified2: filename snort.log, limit 128

---

barnyard2.conf:

input unified2

output alert_syslog: LOG_INFO LOG_LOCAL7

---

/etc/syslog.conf

local7.* @127.0.0.1:1234

---

And finally Splunk is configured to receive UDP input on port 1234.

It works and data is continually building up in the unified file
snort.log.XXXXXXXXX and is shortly visible in Splunk as shown below:

Sep 25 09:19:07 snort[754]: [1:2329:10] MS-SQL probe response overflow
attempt [Classification: Attempted User Privilege Gain] [Priority: 1]:
<em1> {UDP} XXX.XXX.XXX.XXX:45364 -> XXX.XXX.XXX.XXX:1056

Yes, I’m relaying the information from Barnyard2 to Splunk via the
local syslog daemon. I found this to be the only way (am I wrong?).

I wonder how to get the information to be more verbose than just the
basic fields in the above event. I’m pretty sure there is more
information hidden in the unified files but I don’t know how to get
Barnyard to extract it and forward it to syslog and Splunk. Also I see
a lot of interesting mapped information to rules in sid-msg.map that
would be useful to have in the output. I seem only to get the "msg"
and "classtype" fields from the rule-file, no bugtraq references or
other useful stuff.

Any help is appreciated

Thanks

Paul
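One way to pull the extra fields Paul is after out of what already reaches Splunk, as an added example (not code from this thread, Barnyard2 or the Snort app for Splunk): it parses the alert_syslog line shown above into its fields and joins the SID against a sid-msg.map excerpt to attach the reference entries (bugtraq, cve, url). The sample line, the `sensor1` host and the map contents are constructed, with placeholder addresses and reference ids, and it also handles ICMP alerts, which carry no ports.

```python
import re

# Constructed sample in Barnyard2's alert_syslog format (addresses are documentation IPs).
SAMPLE_LINE = ("Sep 25 09:19:07 snort[754]: [1:2329:10] MS-SQL probe response overflow "
               "attempt [Classification: Attempted User Privilege Gain] [Priority: 1]: "
               "<em1> {UDP} 192.0.2.10:45364 -> 192.0.2.20:1056")

# Constructed sid-msg.map excerpt: "sid || msg || ref || ref ..." (reference ids are placeholders).
SAMPLE_SID_MSG_MAP = """\
# comment lines and blanks are ignored
2329 || MS-SQL probe response overflow attempt || bugtraq,12345 || cve,2000-0000
"""

# [gid:sid:rev] msg [Classification: ...] [Priority: n]: <iface> {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)(?: (?P<host>[^\s\[]+))? snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]: "
    r"<(?P<iface>[^>]+)> \{(?P<proto>\w+)\} (?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$"
)


def load_sid_msg_map(text):
    """Return {sid: {"msg": ..., "references": [...]}} from sid-msg.map text."""
    sid_map = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # malformed line: skip rather than abort the whole map
        sid_map[int(parts[0])] = {"msg": parts[1], "references": parts[2:]}
    return sid_map


def parse_alert(line):
    """Split one alert_syslog line into typed fields; None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("pid", "gid", "sid", "rev", "priority"):
        ev[k] = int(ev[k])
    for k in ("src_port", "dst_port"):  # absent for ICMP
        ev[k] = int(ev[k]) if ev[k] is not None else None
    return ev


def enrich(ev, sid_map):
    """Attach the sid-msg.map reference list (empty when the SID is unknown)."""
    entry = sid_map.get(ev["sid"])
    ev["references"] = entry["references"] if entry else []
    return ev
```

The same logic works as a Splunk scripted lookup or as a pre-processor that writes the enriched event as key=value pairs before it is indexed.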

aro...@insecure-it.com

Feb 5, 2013, 3:51:57 PM
Hello Paul,
I used alert_full in the output. See below.


# alert_fast
#-----------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
# arguments should be comma delimited.
# file - specify alert file
# stdout - no alert file, just print to screen
#
# Examples:
# output alert_fast
# output alert_fast: stdout
#
# output alert_fast: stdout

output alert_full: /var/log/snort/alert

And I've installed the splunk forwarder to forward this alert file, reading it with the snort app for splunk.


vi /opt/splunkforwarder/etc/system/local/inputs.conf


[default]
host = snort.XXXX.com

[monitor:///var/log/snort/alert]

disabled = false

index = snort_ips

sourcetype = snort_alert_full


Seems to work well for me.