All Apps and Add-ons

Splunk for Snort Event Question

phillijc
New Member

I'm running a bunch of sample test PCAP files through and getting output in Splunk for Snort but the events seem to be kind of random with different dates, destination IP's, etc within a single event. This is probably a dumb question but I'm wondering what categorizes an event in Splunk for Snort could someone give some insight?

Thank you

EDIT: I see in the opt/splunk/var/lib/splunk/defaultdb/db/ that there are the same number of folders as events. Gives me a little better view of what's happening but not the full picture.

Tags (1)
0 Karma

Ayn
Legend

OK, the main problem I see with your setup is that you have set the sourcetype "snort". As the installation docs for Splunk for Snort state, you need to set either snort_alert_fast for alert_fast format or snort_alert_full for alert_full format. This is because these two need to be parsed differently in order to achieve correct event breaking, and I suspect this is what is causing you problems - events are not breaking properly so event boundaries in Splunk will not correspond to event boundaries in the original log file.

phillijc
New Member

Thank you for your reply. I just thought that with a whole folder of different PCAPs who are proven attacks would trigger more events. Here's a little more info:
Data inputs monitors a file /var/log/snort/alert
Source Type: Manual, snort
Event types, these basically search the classification of the alerts. I'm currently only getting network trojans and the snort-alert (of coarse). I'm thinking my data may just simply be limited:
- snort-alert
- snort_dos
- snort_exploit
- snort_information_leak
- snort_login
- snort_potentially_bad
- snort_privilege_gain
- snort_scan
- snort_trojan

0 Karma

Ayn
Legend

Could you please provide much more details about what you're seeing and what you're expecting? It's very hard to say something useful without any actual details.

An event in Splunk for Snort is pretty much what you would consider to be an event yourself when reading the log files.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...