All Apps and Add-ons

How to analyze packet logs generated by Snort ?

billcyz
Engager

I have some packet logs generated by Snort IDS, and I've forwarded them to Splunk Enterprise by using Universal Forwarder. However, packet logs are not in human readable format. So I want to know can Splunk do decryption of these logs so that I can analyze them?

The following is the format of Snort packet logs:
alt text

Are there any methods to analyze this kind of log? Any help would be great.
Thank You.

0 Karma
1 Solution

jdanij
Path Finder

Hi billcyz,

there should be 2 possibilities here, but I think nowadays Splunk or any APP cannot support any of them.

  1. Decription. It's not easy to do this, only as far as I know, only some HTTPS proxies (Squid: http://wiki.squid-cache.org/Features/SslBump) can do something like a MITM, decript data, generate a self-signed certificate and use some mimic technique to be like the original one. But, still with possibility, I don't know any procedure to take the data out of Squid and analyze the raw data.
  2. Draw a packet in a human readable way, like Wireshark, for example. It's only possible with raw traffic, not SSL. And, anyway, I don't know how can Splunk can do this. I don't know any app or method.

However, in this case you're trying to decipher SecureShell (ssh) traffic. I guess it's not going to be possible. But, regarding Snort, the most straightforward way to get Snot data into Splunk is using Splunk for Snort (https://splunkbase.splunk.com/app/340/ ). It's CIM compliant and will be possible to integrate that info with Splunk App for Enterprise Security.

View solution in original post

jdanij
Path Finder

Hi billcyz,

there should be 2 possibilities here, but I think nowadays Splunk or any APP cannot support any of them.

  1. Decription. It's not easy to do this, only as far as I know, only some HTTPS proxies (Squid: http://wiki.squid-cache.org/Features/SslBump) can do something like a MITM, decript data, generate a self-signed certificate and use some mimic technique to be like the original one. But, still with possibility, I don't know any procedure to take the data out of Squid and analyze the raw data.
  2. Draw a packet in a human readable way, like Wireshark, for example. It's only possible with raw traffic, not SSL. And, anyway, I don't know how can Splunk can do this. I don't know any app or method.

However, in this case you're trying to decipher SecureShell (ssh) traffic. I guess it's not going to be possible. But, regarding Snort, the most straightforward way to get Snot data into Splunk is using Splunk for Snort (https://splunkbase.splunk.com/app/340/ ). It's CIM compliant and will be possible to integrate that info with Splunk App for Enterprise Security.

View solution in original post

billcyz
Engager

Packet logs format in case of the picture can't show:

07/28-04:49:00.338374 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xA6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60179 IpLen:20 DgmLen:152 DF
***AP*** Seq: 0x42F74FEC  Ack: 0x3B664E7E  Win: 0x4AD  TcpLen: 20
93 07 67 D7 12 42 05 7A C2 D4 30 F2 09 DD 4A 61  ..g..B.z..0...Ja
1D 7E 80 39 27 54 39 9E 02 10 73 79 76 87 E9 60  .~.9'T9...syv..`
E3 89 10 C3 47 FE EC 06 65 D7 6E DC 2A A5 5C 19  ....G...e.n.*.\.
6A 83 4D 7F F8 4F AF 61 F7 DA 8A 7E D4 2A CC 46  j.M..O.a...~.*.F
C8 92 75 3C 7F 79 3E AA 94 AE 5E 06 91 F2 B4 B1  ..u<.y>...^.....
E8 03 25 3F C8 D3 1F 18 E4 56 7C 24 7E AE 9D 64  ..%?.....V|$~..d
6B C7 F6 F4 4C D0 2F D1 CA A1 E2 DD E8 CF AD A4  k...L./.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/28-04:49:00.339120 00:25:64:B8:5E:8A -> B8:27:EB:A1:E5:78 type:0x800 len:0x3C
172.16.50.2:61909 -> 172.16.50.34:22 TCP TTL:128 TOS:0x0 ID:21636 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3B664E7E  Ack: 0x42F7505C  Win: 0xFE  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/28-04:49:00.340225 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xB6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60180 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x42F7505C  Ack: 0x3B664E7E  Win: 0x4AD  TcpLen: 20
FF 24 3E B6 57 64 7E D5 7B 6C 24 09 5B AC A0 96  .$>.Wd~.{l$.[...
11 A8 4A D1 FE E5 92 48 8D 8F B7 AF FB 50 10 8D  ..J....H.....P..
06 0C 3B 6D 4E 66 0E 25 CD 3D F1 5C 3A ED 3C A3  ..;mNf.%.=.\:.<.
57 DC 09 29 0A 1B B3 76 44 FA CC 35 55 23 AE E0  W..)...vD..5U#..
9F 81 60 60 C2 3C 96 D8 74 69 C0 1E 91 0B A3 68  ..``.<..ti.....h
64 BE D6 3B 44 D7 99 E0 86 74 D7 54 B2 C8 6E 63  d..;D....t.T..nc
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!