Why is Splunk for Snort only displaying data from 12AM to 1AM?

rbt111
Explorer

OK, I am not crazy here; I've seen this on two different machines that I've been running SplunkforSnort on.

I set up the devices to pull from the '/var/log/snort/alert' log on the box and give them a manual sourcetype of 'snort'. When I first set both boxes up things worked great. Then after about 5-7 days the application exhibits a strange behavior. It only displays the data from 12am to 1am. Has anyone else experienced this?

When I tail -f the log file I see snort alerts coming in, and even when I set SplunkforSnort to 1min realtime I see the number of scanned events increase, but the results show as zero.

I am using snort 2.9.0.4 and Splunk 4.2.3 if that helps.

1 Solution

rbt111
Explorer

Thank you for your assistance Ayn.

I see what is going on now: my timestamp got messed up.

Example I'm showing:

2/19/11
7:22:19.445 PM

For an alert @ 11/02-19:22:19.445432

It looks like I may need to modify something in props.conf but I'm not 100% sure.


Ayn
Legend

Excellent. Do let me know if you have any more questions, comments or suggestions regarding the Snort app (I wrote it), and please vote it up if you find it useful 🙂

Also please mark my (or your) answer as accepted so it shows clearly on the site that this question is closed.


jbyrge0
Engager

For an alert @ 11/02-19:22:19.445432

What is the .445432 part of that alert? Is it milliseconds?


rbt111
Explorer

OK it appears to be working now. Just a simple matter of using the snort command with -y to include the year in the logs.

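The root cause in this thread is a timestamp without a year: Snort's default alert line begins `MM/DD-HH:MM:SS.uuuuuu` (the six digits after the dot are microseconds, which answers the question above), and `snort -y` changes it to `MM/DD/YY-HH:MM:SS.uuuuuu`. The following is an added example, not code from the thread or from the Splunk for Snort app: a small Python parser that accepts both forms, refuses to guess a year silently, and shows the one remaining trap when a year must be assumed (December events read in January). The sample alert lines, the local SID and the addresses are constructed, and `DEMO_NOW` is a made-up "current" time.

```python
"""Snort alert timestamp handling: why the year-less format misfiles events.

Added example for this thread; not code from the Splunk for Snort app.
"""
import re
from datetime import datetime, timedelta

# Snort 2.x fast-alert timestamps start the line. Without `snort -y` they carry
# no year:   11/02-19:22:19.445432   (MM/DD-HH:MM:SS.uuuuuu)
# With -y the two-digit year is inserted: 11/02/11-19:22:19.445432
# The six digits after the dot are microseconds.
TS_WITH_YEAR = re.compile(r"^(\d{2})/(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")
TS_NO_YEAR = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")


def parse_snort_timestamp(line, assumed_year=None):
    """Return (datetime, had_year) for one alert line.

    A year-less timestamp is only meaningful relative to some year. Refusing to
    guess silently is deliberate: a wrong guess is exactly how the events in
    this thread ended up displayed on the wrong day.
    """
    m = TS_WITH_YEAR.match(line)
    if m:
        mon, day, yy, hh, mi, ss, us = (int(g) for g in m.groups())
        return datetime(2000 + yy, mon, day, hh, mi, ss, us), True
    m = TS_NO_YEAR.match(line)
    if m:
        if assumed_year is None:
            raise ValueError("timestamp has no year; run snort -y or pass assumed_year")
        mon, day, hh, mi, ss, us = (int(g) for g in m.groups())
        return datetime(assumed_year, mon, day, hh, mi, ss, us), False
    raise ValueError("not a Snort alert timestamp: %r" % line[:32])


def normalize_alert_times(lines, now, assumed_year=None):
    """Parse each line's timestamp and flag what an ingest pipeline should notice.

    Year-less events are stamped with `assumed_year` (default: now.year). If that
    puts an event more than a day in the future, it is a December event being
    read in January, so it is rolled back one year and flagged.
    """
    year = now.year if assumed_year is None else assumed_year
    results = []
    for line in lines:
        ts, had_year = parse_snort_timestamp(line, year)
        flags = []
        if not had_year:
            flags.append("no_year")
            if ts - now > timedelta(days=1):
                # replace() fails for Feb 29 in a non-leap year; step back a day first.
                if ts.month == 2 and ts.day == 29:
                    ts = ts.replace(day=28)
                ts = ts.replace(year=ts.year - 1)
                flags.append("rolled_back_year")
        # The rule message sits between the first pair of "[**]" markers.
        parts = line.split("[**]")
        msg = parts[1].strip() if len(parts) > 2 else ""
        results.append({"time": ts, "flags": flags, "msg": msg})
    return results


# Constructed sample lines (RFC 5737 addresses, a made-up local SID), not real alerts.
SAMPLE_NO_YEAR = [
    "12/31-23:59:58.000001  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22",
    "01/02-08:15:00.250000  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 192.0.2.10:44322 -> 198.51.100.5:22",
]
SAMPLE_WITH_YEAR = [
    "11/02/11-19:22:19.445432  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 192.0.2.10:44323 -> 198.51.100.5:22",
]
DEMO_NOW = datetime(2012, 1, 3, 12, 0, 0)  # pretend "today" is 3 Jan 2012 (constructed)

if __name__ == "__main__":
    for r in normalize_alert_times(SAMPLE_NO_YEAR + SAMPLE_WITH_YEAR, DEMO_NOW):
        print(r["time"].isoformat(), r["flags"], r["msg"])
```

The defender's point is that a timestamp parsed onto the wrong day is a visibility gap, not a cosmetic bug: the alerts are indexed, but any time-bounded search or dashboard never shows them. Fixing it at the source with `snort -y`, as the thread did, removes the guesswork entirely; with the year present, the line format corresponds to a Splunk `TIME_FORMAT` of `%m/%d/%y-%H:%M:%S.%6N` (my assumption of how one would express it in props.conf, not something the thread states).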

Ayn
Legend

Splunk for Snort relies on a number of field extractions to work. If you manually search for sourcetype="snort" in the default search app, do you get results with both correct timestamps and correct field extractions, for instance do you see the "src_ip" and "signature" fields to the left?


Ayn
Legend

If there are no matching events you're having a problem getting the snort events into Splunk. The scanned events count you're seeing incrementing is simply ALL events in Splunk's index. If no events with sourcetype "snort" are found, it's because no such events exist in the index. Check your input.

rbt111
Explorer

I went to the default search app and entered sourcetype="snort" as you specified. It appears to be showing the same thing that the SplunkforSnort app shows, meaning I can see scanned events incrementing but the number of matching events remains at zero. I do not see any of the field extractions in the left column with Field Discovery in the on position.
