https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/90998#M6038 <P>I'm running a bunch of sample test PCAP files through and getting output in Splunk for Snort but the events seem to be kind of random with different dates, destination IP's, etc within a single event. This is probably a dumb question but I'm wondering what categorizes an event in Splunk for Snort could someone give some insight?</P> <P>Thank you</P> <P>EDIT: I see in the opt/splunk/var/lib/splunk/defaultdb/db/ that there are the same number of folders as events. Gives me a little better view of what's happening but not the full picture.</P> Wed, 10 Jul 2013 13:17:47 GMT phillijc 2013-07-10T13:17:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/90998#M6038 <P>I'm running a bunch of sample test PCAP files through and getting output in Splunk for Snort but the events seem to be kind of random with different dates, destination IP's, etc within a single event. This is probably a dumb question but I'm wondering what categorizes an event in Splunk for Snort could someone give some insight?</P> <P>Thank you</P> <P>EDIT: I see in the opt/splunk/var/lib/splunk/defaultdb/db/ that there are the same number of folders as events. Gives me a little better view of what's happening but not the full picture.</P> Wed, 10 Jul 2013 13:17:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/90998#M6038 phillijc 2013-07-10T13:17:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/90999#M6039 <P>Could you please provide much more details about what you're seeing and what you're expecting? It's <EM>very</EM> hard to say something useful without any actual details.</P> <P>An event in Splunk for Snort is pretty much what you would consider to be an event yourself when reading the log files.</P> Sat, 13 Jul 2013 15:51:00 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/90999#M6039 Ayn 2013-07-13T15:51:00Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/91000#M6040 <P>Thank you for your reply. I just thought that with a whole folder of different PCAPs who are proven attacks would trigger more events. Here's a little more info:<BR /> Data inputs monitors a file /var/log/snort/alert<BR /> Source Type: Manual, snort<BR /> Event types, these basically search the classification of the alerts. I'm currently only getting network trojans and the snort-alert (of coarse). I'm thinking my data may just simply be limited: <BR /> - snort-alert <BR /> - snort_dos<BR /> - snort_exploit<BR /> - snort_information_leak<BR /> - snort_login<BR /> - snort_potentially_bad<BR /> - snort_privilege_gain<BR /> - snort_scan<BR /> - snort_trojan</P> Mon, 28 Sep 2020 14:20:32 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/91000#M6040 phillijc 2020-09-28T14:20:32Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/91001#M6041 <P>OK, the main problem I see with your setup is that you have set the sourcetype "snort". As the installation docs for Splunk for Snort state, you need to set either snort_alert_fast for alert_fast format or snort_alert_full for alert_full format. This is because these two need to be parsed differently in order to achieve correct event breaking, and I suspect this is what is causing you problems - events are not breaking properly so event boundaries in Splunk will not correspond to event boundaries in the original log file.</P> Mon, 28 Sep 2020 14:20:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-Snort-Event-Question/m-p/91001#M6041 Ayn 2020-09-28T14:20:40Z