All Apps and Add-ons
Highlighted

Splunk for Snort not giving me good logs

Explorer

Hey guys, looking for your guidance. I am currently trying to set up Snort version 2.9.15 on a standalone VM. I followed the guide on the official Snort site to install that version of Snort with Barnyard2 and PulledPork on Ubuntu Server 16.04. This process went well and works.

My issue comes in when forwarding logs to my Splunk server. Logs do reach my server, but they are just jargon. I have a local.rules file that has an ICMP test rule inside so I can test this config, and it does work on the Snort server. Below is a snippet of the logs I get:

/var/log/snort\x00\x00\x00\x00\x00\x00\x00\x00\x00...
(goes on and on)
Picture: https://imgur.com/a/CzOWni9

I added a props.conf file to my /opt/splunkforwarder/etc/system/local directory (On my Snort server) that is below since originally I was getting no logs toward my Splunk server until I added the following:

NO_BINARY_CHECK=true
CHARSET=AUTO

I recently removed this file as a troubleshooting step and I was getting errors in my /var/log/messages that files were not sending due to them being binary (which I also got before). Introducing this props.conf file on my Snort server with the above options set does get logs to my Splunk server, but they aren't readable.

Below is my inputs.conf:

 [default]
    host = piggy
    [monitor:///var/log/snort]
    disabled=false
    index=main
    sourcetype=snort_alert_full
    source=snort

And below is my outputs.conf:

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.1.210:9997
[tcpout-server://192.168.1.210:9997]

I am using the Splunk For Snort App in Splunk, and I would like to normal logs in my Splunk to practice. Without props.conf Splunk blocks those jargon files from being created. I have a feeling it has something to do with Barnyard2, since its purpose is to use those u2 files and make them into something, but there are no files in /var/log/barnyard2. How can I get normal log files that I can see from the console (if I tested it that way) into Splunk itself?

Thank you!

0 Karma
Highlighted

Re: Splunk for Snort not giving me good logs

SplunkTrust
SplunkTrust

I think, as per this post on the problem which says Barnyard2 is rather complex to set up, that it's your Barnyard2 configuration that's wrong. Also because it fits with the symptoms you are seeing.
https://stackoverflow.com/questions/3477081/how-to-view-snort-log-files

Now, assuming the Snort files are in that unified format (and not in tcpdump format - see that link above), and that you have set up barnyard2 but that barnyard2 isn't actually creating files for Splunk to pick up, then ...?

This isn't quite really a Splunk problem. I'm not sure if you'll get any great answers here, but hopefully this will point you in the right directions to fix it or give you more information you can use to ask in a snort or barnyard2 set of forums.

There are a couple of examples at the bottom of the barnyard2 man pages:
https://github.com/firnsy/barnyard2

The last part about "Testing" in the link below also gives an example:
https://www.vultr.com/docs/setup-barnyard-2-with-snort

Otherwise, I wish you well but I think you'll get better answers from reading through your favorite search engine's results for "barnyard2 help", or barnyard2's or snort's forums.

Do let us know what you find out, though! It would be a great help to anyone else who has this same or a similar question/problem!

Happy Splunking,
Rich

Highlighted

Re: Splunk for Snort not giving me good logs

Explorer

Sorry for the long delay, I wanted to make sure everything was working before I posted what I did.

The solution I used renders Barnyard2 useless, as the alerts get written to /var/log/snort as a readable file versus to the MySQL database. If you're looking on how to set that up correctly, I'm sorry as this answer won't help with that.

This is a lab of mine at home, so all I wanted were Snort alerts to get into Splunk. I didn't care how it was done, as long as it was in there since I don't plan on keeping this specific install active. Anyway, I found the answer I was looking for in a Google Group, which I'll post below:

https://groups.google.com/forum/#!topic/security-onion/b8QTpzAMhMY

In the event the group gets deleted, I copied the answer below:


finally I can help someone here! I'm doing this now...

Download the universal forwarder from splunk. Make sure you get the appropriate one! Install it on your seconion box. It will install to /opt/splunkforwarder/

In your snort.conf file,
make sure you have:

output alert_full: alert.full

Restart Snort to push changes
alert.full will be in your config logdir:/somepath

In your splunk config files,

/opt/splunkforwarder/etc/system/local$ cat inputs.conf
[monitor:///pathto/alert.full]
index = anindexnamethatmakessincetoyouonyoursplunkSERVER
followTail = 1
sourcetype = snort
alert_full

/opt/splunkforwarder/etc/system/local$ cat outputs.conf
[tcpout]
defaultGroup=my_indexers

[tcpout:myindexers]
server=ip.address.of.splunkServer:port
youarelisteningon
[tcpout-server://ip.address.of.splunkServer:port
youarelistening_on]

restart your splunk forwarder

/opt/splunkforwarder/bin/splunk restart

I'll keep an eye on this post incase you have problems.


Also note: I threw Snort/Barnyard2/PulledPork on an Ubuntu Server 16 VM, so I ignored the seconion stuff of the post above.

Hope this helps someone in the future!

View solution in original post

0 Karma
Highlighted

Re: Splunk for Snort not giving me good logs

SplunkTrust
SplunkTrust

@96nick If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma