<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to analyze packet logs generated by Snort ? in All Apps and Add-ons</title>
    <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-analyze-packet-logs-generated-by-Snort/m-p/139394#M72088</link>
<description>&lt;P&gt;Hi billcyz,&lt;/P&gt;

&lt;P&gt;there should be 2 possibilities here, but I think nowadays neither Splunk nor any app can support either of them.&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Decryption. It's not easy to do this; as far as I know, only some HTTPS proxies (Squid: &lt;A href="http://wiki.squid-cache.org/Features/SslBump"&gt;http://wiki.squid-cache.org/Features/SslBump&lt;/A&gt;) can do something like a MITM: decrypt data, generate a self-signed certificate and use some mimic technique to be like the original one. But, even if that is possible, I don't know any procedure to take the data out of Squid and analyze the raw data.&lt;/LI&gt;
&lt;LI&gt;Draw a packet in a human readable way, like Wireshark, for example. It's only possible with raw traffic, not SSL. And, anyway, I don't know how Splunk can do this. I don't know any app or method.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;However, in this case you're trying to decipher Secure Shell (SSH) traffic. I guess it's not going to be possible. But, regarding Snort, the most straightforward way to get Snort data into Splunk is using Splunk for Snort (&lt;A href="https://splunkbase.splunk.com/app/340/"&gt;https://splunkbase.splunk.com/app/340/&lt;/A&gt;). It's CIM compliant, so it will be possible to integrate that info with Splunk App for Enterprise Security.&lt;/P&gt;</description>
    <pubDate>Tue, 28 Jul 2015 06:14:43 GMT</pubDate>
    <dc:creator>jdanij</dc:creator>
    <dc:date>2015-07-28T06:14:43Z</dc:date>
    <item>
      <title>How to analyze packet logs generated by Snort ?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-analyze-packet-logs-generated-by-Snort/m-p/139392#M72086</link>
      <description>&lt;P&gt;I have some packet logs generated by Snort IDS, and I've forwarded them to Splunk Enterprise by using the Universal Forwarder. However, the packet logs are not in a human readable format. So I want to know whether Splunk can decrypt these logs so that I can analyze them.&lt;/P&gt;

&lt;P&gt;The following is the format of Snort packet logs:&lt;BR /&gt;
&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/495iCDD5D998E4666218/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;Are there any methods to analyze this kind of log? Any help would be great.&lt;BR /&gt;
Thank You.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jul 2015 03:51:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-analyze-packet-logs-generated-by-Snort/m-p/139392#M72086</guid>
      <dc:creator>billcyz</dc:creator>
      <dc:date>2015-07-28T03:51:40Z</dc:date>
    </item>
    <item>
      <title>Re: How to analyze packet logs generated by Snort ?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-analyze-packet-logs-generated-by-Snort/m-p/139393#M72087</link>
      <description>&lt;P&gt;Packet log format, in case the picture doesn't show:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;07/28-04:49:00.338374 B8:27:EB:A1:E5:78 -&amp;gt; 00:25:64:B8:5E:8A type:0x800 len:0xA6
172.16.50.34:22 -&amp;gt; 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60179 IpLen:20 DgmLen:152 DF
***AP*** Seq: 0x42F74FEC  Ack: 0x3B664E7E  Win: 0x4AD  TcpLen: 20
93 07 67 D7 12 42 05 7A C2 D4 30 F2 09 DD 4A 61  ..g..B.z..0...Ja
1D 7E 80 39 27 54 39 9E 02 10 73 79 76 87 E9 60  .~.9'T9...syv..`
E3 89 10 C3 47 FE EC 06 65 D7 6E DC 2A A5 5C 19  ....G...e.n.*.\.
6A 83 4D 7F F8 4F AF 61 F7 DA 8A 7E D4 2A CC 46  j.M..O.a...~.*.F
C8 92 75 3C 7F 79 3E AA 94 AE 5E 06 91 F2 B4 B1  ..u&amp;lt;.y&amp;gt;...^.....
E8 03 25 3F C8 D3 1F 18 E4 56 7C 24 7E AE 9D 64  ..%?.....V|$~..d
6B C7 F6 F4 4C D0 2F D1 CA A1 E2 DD E8 CF AD A4  k...L./.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/28-04:49:00.339120 00:25:64:B8:5E:8A -&amp;gt; B8:27:EB:A1:E5:78 type:0x800 len:0x3C
172.16.50.2:61909 -&amp;gt; 172.16.50.34:22 TCP TTL:128 TOS:0x0 ID:21636 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3B664E7E  Ack: 0x42F7505C  Win: 0xFE  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/28-04:49:00.340225 B8:27:EB:A1:E5:78 -&amp;gt; 00:25:64:B8:5E:8A type:0x800 len:0xB6
172.16.50.34:22 -&amp;gt; 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60180 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x42F7505C  Ack: 0x3B664E7E  Win: 0x4AD  TcpLen: 20
FF 24 3E B6 57 64 7E D5 7B 6C 24 09 5B AC A0 96  .$&amp;gt;.Wd~.{l$.[...
11 A8 4A D1 FE E5 92 48 8D 8F B7 AF FB 50 10 8D  ..J....H.....P..
06 0C 3B 6D 4E 66 0E 25 CD 3D F1 5C 3A ED 3C A3  ..;mNf.%.=.\:.&amp;lt;.
57 DC 09 29 0A 1B B3 76 44 FA CC 35 55 23 AE E0  W..)...vD..5U#..
9F 81 60 60 C2 3C 96 D8 74 69 C0 1E 91 0B A3 68  ..``.&amp;lt;..ti.....h
64 BE D6 3B 44 D7 99 E0 86 74 D7 54 B2 C8 6E 63  d..;D....t.T..nc
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 28 Jul 2015 04:06:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-analyze-packet-logs-generated-by-Snort/m-p/139393#M72087</guid>
      <dc:creator>billcyz</dc:creator>
      <dc:date>2015-07-28T04:06:12Z</dc:date>
    </item>
    <item>
      <title>Re: How to analyze packet logs generated by Snort ?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-analyze-packet-logs-generated-by-Snort/m-p/139394#M72088</link>
      <description>&lt;P&gt;Hi billcyz,&lt;/P&gt;

&lt;P&gt;there should be 2 possibilities here, but I think nowadays neither Splunk nor any app can support either of them.&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Decryption. It's not easy to do this; as far as I know, only some HTTPS proxies (Squid: &lt;A href="http://wiki.squid-cache.org/Features/SslBump"&gt;http://wiki.squid-cache.org/Features/SslBump&lt;/A&gt;) can do something like a MITM: decrypt data, generate a self-signed certificate and use some mimic technique to be like the original one. But, even if that is possible, I don't know any procedure to take the data out of Squid and analyze the raw data.&lt;/LI&gt;
&lt;LI&gt;Draw a packet in a human readable way, like Wireshark, for example. It's only possible with raw traffic, not SSL. And, anyway, I don't know how Splunk can do this. I don't know any app or method.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;However, in this case you're trying to decipher Secure Shell (SSH) traffic. I guess it's not going to be possible. But, regarding Snort, the most straightforward way to get Snort data into Splunk is using Splunk for Snort (&lt;A href="https://splunkbase.splunk.com/app/340/"&gt;https://splunkbase.splunk.com/app/340/&lt;/A&gt;). It's CIM compliant, so it will be possible to integrate that info with Splunk App for Enterprise Security.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jul 2015 06:14:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-analyze-packet-logs-generated-by-Snort/m-p/139394#M72088</guid>
      <dc:creator>jdanij</dc:creator>
      <dc:date>2015-07-28T06:14:43Z</dc:date>
    </item>
  </channel>
</rss>