All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Snort field extractions not functioning

donaldwayne1975
Path Finder
‎09-16-2019 08:31 AM

Having issues with Splunk extracting the fields from Snort events being forwarded to Universal Forwarders. UF is configured to receive events on UDP 514 as soucetype=snort. The scenario is as follows:

Snort sensor--(sends event UDP 514)-->Splunk UF---(sends event TCP 9997)-->Splunk Indexers
Environment: Splunk v 7.3.1
Snort for Splunk is on the UF, SH, and Indexers.

Raw event

Sep 16 11:37:04 %REDACTED_IP% 2019-09-16T07:37:04.291385-04:00 SystemX ids_alerts - - [ids_alerts@52391.1 msg="ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 1" pad2="0" appid="" impact="0" blocked="0" vlan-id="0" event-id="210" priority="2" protocol="6" sensor-id="SystemX" source-ip="%REDACTED_IP%" mpls-label="0" dport-icode="22" impact-flag="0" sport-itype="54974" event-second="1568633823" generator-id="1" signature-id="2500000" classification="Misc Attack" destination-ip="%REDACTED_IP%" sensor-interface="WAN Ethernet Port" classification-id="30" event-microsecond="302356" signature-revision="5175" _id="4904" _timestamp="2019-09-16 07:37:04.224183" _source="SystemX"] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 1

Screenshot from Splunk of field extractions. Yes, verbose is set and app permissions are set to globally with all apps.

alt text
What am I doing wrong?

Preview file
12 KB
0 Karma
Reply

donaldwayne1975
Path Finder
‎03-19-2020 02:38 PM

event data was not in "true" snort format. data fields were cooked with different field names. had to create custom mappings to make it function properly.

0 Karma
Reply

donaldwayne1975
Path Finder
‎03-19-2020 02:38 PM

event data was not in "true" snort format. data fields were cooked with different field names. had to create custom mappings to make it function properly.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...