
Splunk for Snort not giving me good logs

96nick
Communicator

Hey guys, looking for your guidance. I am currently trying to set up Snort version 2.9.15 on a standalone VM. I followed the guide on the official Snort site to install that version of Snort with Barnyard2 and PulledPork on Ubuntu Server 16.04. This process went well and works.

My issue comes in when forwarding logs to my Splunk server. Logs do reach my server, but they are just jargon. I have a local.rules file that has an ICMP test rule inside so I can test this config, and it does work on the Snort server. Below is a snippet of the logs I get:

/var/log/snort\x00\x00\x00\x00\x00\x00\x00\x00\x00...
(goes on and on)
Picture: https://imgur.com/a/CzOWni9

I added a props.conf file to my /opt/splunkforwarder/etc/system/local directory (on my Snort server), shown below, since originally I was getting no logs at my Splunk server until I added the following:

NO_BINARY_CHECK=true
CHARSET=AUTO

I recently removed this file as a troubleshooting step and got errors in my /var/log/messages that files were not being sent because they were binary (which I had also gotten before). Introducing this props.conf file on my Snort server with the above options set does get logs to my Splunk server, but they aren't readable.

Below is my inputs.conf:

[default]
host = piggy

[monitor:///var/log/snort]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort

And below is my outputs.conf:

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.1.210:9997
[tcpout-server://192.168.1.210:9997]

I am using the Splunk For Snort App in Splunk, and I would like to have normal logs in my Splunk to practice on. Without props.conf, Splunk blocks those jargon files from being created. I have a feeling it has something to do with Barnyard2, since its purpose is to take those u2 files and make them into something, but there are no files in /var/log/barnyard2. How can I get normal log files, like the ones I can see from the console (if I tested it that way), into Splunk itself?

Thank you!

1 Solution

96nick
Communicator

Sorry for the long delay, I wanted to make sure everything was working before I posted what I did.

The solution I used renders Barnyard2 useless, as the alerts get written to /var/log/snort as a readable file instead of to the MySQL database. If you're looking for how to set that up correctly, I'm sorry, as this answer won't help with that.

This is a lab of mine at home, so all I wanted was for Snort alerts to get into Splunk. I didn't care how it was done, as long as they were in there, since I don't plan on keeping this specific install active. Anyway, I found the answer I was looking for in a Google Group, which I'll post below:

https://groups.google.com/forum/#!topic/security-onion/b8QTpzAMhMY

In the event the group gets deleted, I copied the answer below:


Finally I can help someone here! I'm doing this now...

Download the universal forwarder from splunk. Make sure you get the appropriate one! Install it on your seconion box. It will install to /opt/splunkforwarder/

In your snort.conf file,
make sure you have:

output alert_full: alert.full

Restart Snort to push the changes.
alert.full will be in your configured logdir: /somepath

In your splunk config files,

/opt/splunkforwarder/etc/system/local$ cat inputs.conf
[monitor:///pathto/alert.full]
index = an_indexname_that_makes_sense_to_you_on_your_splunkSERVER
followTail = 1
sourcetype = snort_alert_full

/opt/splunkforwarder/etc/system/local$ cat outputs.conf
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = ip.address.of.splunkServer:port_you_are_listening_on

[tcpout-server://ip.address.of.splunkServer:port_you_are_listening_on]

Restart your Splunk forwarder:

/opt/splunkforwarder/bin/splunk restart

I'll keep an eye on this post in case you have problems.


Also note: I threw Snort/Barnyard2/PulledPork on an Ubuntu Server 16 VM, so I ignored the Security Onion ("seconion") parts of the post above.

Hope this helps someone in the future!


richgalloway
SplunkTrust

@96nick If your problem is resolved, please accept an answer to help future readers.


Richfez
SplunkTrust

I think, as per this post on the problem (which says Barnyard2 is rather complex to set up), that it's your Barnyard2 configuration that's wrong, also because it fits the symptoms you are seeing.
https://stackoverflow.com/questions/3477081/how-to-view-snort-log-files

Now, assuming the Snort files are in that unified format (and not in tcpdump format - see that link above), and that you have set up barnyard2 but that barnyard2 isn't actually creating files for Splunk to pick up, then ...?

This isn't really a Splunk problem. I'm not sure if you'll get any great answers here, but hopefully this will point you in the right direction to fix it, or give you more information you can use to ask in a Snort or Barnyard2 forum.

There are a couple of examples at the bottom of the barnyard2 man pages:
https://github.com/firnsy/barnyard2

The last part about "Testing" in the link below also gives an example:
https://www.vultr.com/docs/setup-barnyard-2-with-snort

Otherwise, I wish you well, but I think you'll get better answers from reading through your favorite search engine's results for "barnyard2 help", or from Barnyard2's or Snort's forums.

Do let us know what you find out, though! It would be a great help to anyone else who has this same or a similar question/problem!

Happy Splunking,
Rich
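The check this whole thread comes down to, as an added example that is not code from the original thread or from the Splunk for Snort app: before pointing a [monitor://] stanza at a Snort log directory, look at what the files actually contain. The script below classifies the leading bytes of a file as Snort alert_full text (what the accepted solution's `output alert_full` line produces), a unified2 spool record (the "unified format" Richfez's reply refers to; the record header is two big-endian uint32s, type and length), or some other binary such as the NUL-padded data shown in the question. It then parses alert_full output into the fields the snort_alert_full sourcetype carries. The sample alert records and the two binary buffers are constructed here for illustration; the unified2 record type numbers are those defined in Snort 2.9's Unified2_common.h.

```python
"""Classify what a Splunk monitor stanza would pick up from a Snort log
directory, and parse Snort alert_full records into fields.

Added example, not from the original thread. All sample inputs below are
constructed for illustration.
"""
import re
import struct

# unified2 record types Snort 2.9 can write (sfutil/Unified2_common.h):
# PACKET, IDS_EVENT, IDS_EVENT_IPV6, IDS_EVENT_MPLS, IDS_EVENT_IPV6_MPLS,
# IDS_EVENT_VLAN, IDS_EVENT_IPV6_VLAN, EXTRA_DATA
UNIFIED2_TYPES = {2, 7, 72, 99, 100, 104, 105, 110}


def classify(data: bytes) -> str:
    """Return 'alert_full', 'unified2', 'binary' or 'text' for a file's leading bytes."""
    if data.startswith(b"[**]"):
        return "alert_full"
    if len(data) >= 8:
        # unified2 header: uint32 type, uint32 length, both network byte order
        rec_type, rec_len = struct.unpack("!II", data[:8])
        if rec_type in UNIFIED2_TYPES and 0 < rec_len <= 65535:
            return "unified2"
    if b"\x00" in data:
        return "binary"          # simplified heuristic, not Splunk's own binary check
    return "text"


HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.*?)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def parse_alert_full(text: str) -> list:
    """Split alert_full output on blank lines and pull out gid/sid/rev, msg,
    classification, priority, timestamp, endpoints and protocol per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header, skip the block
        alert = {
            "gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
            "msg": m.group(4), "classification": None, "priority": None,
            "timestamp": None, "src": None, "dst": None, "proto": None,
        }
        for line in lines[1:]:
            c = CLASS_RE.search(line)
            if c:
                alert["classification"] = c.group(1)
            p = PRIO_RE.search(line)
            if p:
                alert["priority"] = int(p.group(1))
            f = FLOW_RE.match(line)
            if f:
                alert["timestamp"], alert["src"], alert["dst"] = f.groups()
            elif alert["src"] and alert["proto"] is None and line and not line.startswith("["):
                # the line after the flow line starts with the protocol name (ICMP, TCP, ...)
                alert["proto"] = line.split()[0]
        alerts.append(alert)
    return alerts


# Constructed sample: two alerts in the layout Snort's alert_full plugin writes.
SAMPLE_ALERT_FULL = """\
[**] [1:10000001:1] ICMP test [**]
[Priority: 0]
01/15-12:34:56.789012 192.168.1.50 -> 192.168.1.210
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1   Seq:1  ECHO

[**] [1:10000002:2] SSH brute force test [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
01/15-12:35:01.000001 10.0.0.9:51234 -> 192.168.1.5:22
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
"""

# Constructed sample: a unified2 header (type 7 = IDS event, 52-byte legacy
# IPv4 body) followed by a zeroed body, as a snort.u2.* spool file would start.
SAMPLE_UNIFIED2 = struct.pack("!II", 7, 52) + b"\x00" * 52

# Constructed sample resembling the 'path followed by NULs' shown in the question.
SAMPLE_NUL_PADDED = b"/var/log/snort" + b"\x00" * 50

if __name__ == "__main__":
    for name, buf in (("alert.full", SAMPLE_ALERT_FULL.encode()),
                      ("snort.u2.0000", SAMPLE_UNIFIED2),
                      ("unknown", SAMPLE_NUL_PADDED)):
        print(f"{name}: {classify(buf)}")
    for a in parse_alert_full(SAMPLE_ALERT_FULL):
        print(a)
```

Run it against the first few hundred bytes of each file in the directory you intend to monitor; anything that does not come back as alert_full is what the forwarder's binary check was refusing to send, and what NO_BINARY_CHECK then forwarded unreadably. Only the file that classifies as alert_full belongs in the [monitor://] stanza.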
