How can I parse Snort logs from pfsense syslog?

TribanMD
New Member

I was able to set Splunk up to configure the reports for the pfsense firewall logs. But I would also like to create a similar report for just the snort logs. Right now they are being sent into the pfsense system log. I can view them by just using the keyword "snort" in the search on the specific source, but I would like to parse out the fields as well. I would like to then try throwing that data into the Google Maps App. Any ideas?


Ok, so the logs are showing up in Splunk from pfsense in the following format:

(snort log alert)

Jan 19 10:53:25 SplunkSourceHost Jan 19 10:53:24 snort[61858]: [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED [Classification: Unknown Traffic] [Priority: 3] {TCP} SRC_IP:PRT -> DST_IP:PORT

Sanitized, so after the SplunkSourceHost is the log from pfsense. In this case it is the log from the snort service in pfsense. Firewall logs look like this:

(pfSense firewall block)

Jan 19 15:34:29 SplunkSourceHost Jan 19 15:34:28 pf: 00:00:10.461152 rule 1/0(match): block in on em0: (tos 0x20, ttl 95, id 256, offset 0, flags [none], proto TCP (6), length 40)
Jan 19 15:34:29 SplunkSourceHost Jan 19 15:34:28 pf:     SRC_IP.PORT > DST_IP.PORT: Flags [S], cksum 0x4302 (correct), seq 1609564160, win 16384, length 0

I used the guide here http://www.seattleit.net/blog/tag/pfsense/ to configure the transforms and props files. I imagine I would need to do something similar to format the snort logs. Just not sure how.

Thanks for any help you can provide.


sbrant_splunk
Splunk Employee

Add the following to your configuration files for pfsense:

------- transforms.conf

###### snort ######

# Index-time sourcetype override. The sample event carries a relay-added
# "timestamp host" prefix ahead of pfSense's own timestamp, so the header is
# matched loosely: a syslog timestamp, one or more tokens, then "snort[pid]:".
[force_sourcetype_for_snort]
DEST_KEY = MetaData:Sourcetype
REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?:\S+\s+)+snort\[\d+\]\:
FORMAT = sourcetype::snort

# Search-time field extractions, referenced by the REPORT- settings in props.conf.
[category_for_snort]
REGEX = Classification\:\s+([^\]]+)
FORMAT = category::"$1"

[dest_ip_for_snort]
REGEX = \-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = dest_ip::$1

[dest_port_for_snort]
REGEX = \-\>\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = dest_port::$1

[pid_for_snort]
REGEX = snort\[(\d+)
FORMAT = pid::$1

[severity_id_for_snort]
REGEX = Priority\:\s+(\d+)
FORMAT = severity_id::$1

# Everything between the "[gid:sid:rev]" block and the Classification/Priority tags.
[signature_for_snort]
REGEX = snort\[\d+\]\:\s+\[[^\]]+\]\s+(.*?)(\s+\[Classification|\[Priority)
FORMAT = signature::"$1"

[signature_id_for_snort]
REGEX = snort\[\d+\]\:\s+\[([^\]]+)
FORMAT = signature_id::"$1"

[src_ip_for_snort]
REGEX = \{\w+\}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = src_ip::$1

[src_port_for_snort]
REGEX = \{\w+\}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = src_port::$1

[transport_for_snort]
REGEX = \{([^\}]+)
FORMAT = transport::$1

------- props.conf

# The sourcetype override runs at index time, so this stanza must live on the
# indexer or heavy forwarder that parses the data. Change the source to match
# how you are collecting the data (Splunk .conf comments go on their own line).
[source::udp:514]
TRANSFORMS-force_sourcetype_for_snort = force_sourcetype_for_snort

[snort]
SHOULD_LINEMERGE = false
REPORT-category_for_snort = category_for_snort
REPORT-dest_ip_for_snort = dest_ip_for_snort
REPORT-dest_port_for_snort = dest_port_for_snort
REPORT-pid_for_snort = pid_for_snort
REPORT-severity_id_for_snort = severity_id_for_snort
REPORT-signature_for_snort = signature_for_snort
REPORT-signature_id_for_snort = signature_id_for_snort
REPORT-src_ip_for_snort = src_ip_for_snort
REPORT-src_port_for_snort = src_port_for_snort
REPORT-transport_for_snort = transport_for_snort
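Before pushing REGEX/FORMAT pairs like these to an indexer, it is worth checking them offline against the exact event format the question shows. The script below is an added example and not part of the original answer: it copies the posted stanzas into a string (with the sourcetype regex widened so it also matches the relay-added "timestamp host" prefix in the sample event), parses them with configparser, and applies them with Python's re, which treats these expressions the same way Splunk's PCRE does. The sample lines, IP addresses and ports are constructed; stripping the quotes that the posted FORMAT wraps around "$1" is an assumption about how Splunk stores the value.

```python
"""Offline check of the Snort transforms.conf extractions posted above.

Added example, not part of the original post. The stanzas below are a copy of
the posted transforms.conf (sourcetype regex widened for the relay prefix);
sample events and IP/port values are constructed from documentation ranges.
"""
import configparser
import re

TRANSFORMS_CONF = r"""
[force_sourcetype_for_snort]
DEST_KEY = MetaData:Sourcetype
REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?:\S+\s+)+snort\[\d+\]\:
FORMAT = sourcetype::snort
[category_for_snort]
REGEX = Classification\:\s+([^\]]+)
FORMAT = category::"$1"
[dest_ip_for_snort]
REGEX = \-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = dest_ip::$1
[dest_port_for_snort]
REGEX = \-\>\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = dest_port::$1
[pid_for_snort]
REGEX = snort\[(\d+)
FORMAT = pid::$1
[severity_id_for_snort]
REGEX = Priority\:\s+(\d+)
FORMAT = severity_id::$1
[signature_for_snort]
REGEX = snort\[\d+\]\:\s+\[[^\]]+\]\s+(.*?)(\s+\[Classification|\[Priority)
FORMAT = signature::"$1"
[signature_id_for_snort]
REGEX = snort\[\d+\]\:\s+\[([^\]]+)
FORMAT = signature_id::"$1"
[src_ip_for_snort]
REGEX = \{\w+\}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = src_ip::$1
[src_port_for_snort]
REGEX = \{\w+\}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = src_port::$1
[transport_for_snort]
REGEX = \{([^\}]+)
FORMAT = transport::$1
"""

# Constructed sample events in the format shown in the question.
SNORT_LINE = ("Jan 19 10:53:25 SplunkSourceHost Jan 19 10:53:24 snort[61858]: "
              "[120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED "
              "[Classification: Unknown Traffic] [Priority: 3] {TCP} "
              "192.0.2.10:443 -> 198.51.100.7:51234")
PF_LINE = ("Jan 19 15:34:29 SplunkSourceHost Jan 19 15:34:28 pf: 00:00:10.461152 "
           "rule 1/0(match): block in on em0: (tos 0x20, ttl 95, id 256, offset 0, "
           "flags [none], proto TCP (6), length 40)")

FORMAT_PAIR = re.compile(r"(\w+)::(\S+)")  # FORMAT = name::value tokens


def load_transforms(text):
    """Parse transforms.conf stanzas into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / FORMAT / DEST_KEY uppercase
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def render(value, match):
    """Expand $n from the match. Assumption: the quotes in field::"$1" are
    not part of the stored value, so one surrounding pair is stripped."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), value)


def forced_sourcetype(transforms, line):
    """Simulate the TRANSFORMS- sourcetype override: the name, or None."""
    for st in transforms.values():
        if st.get("DEST_KEY") == "MetaData:Sourcetype" and re.search(st["REGEX"], line):
            return FORMAT_PAIR.match(st["FORMAT"]).group(2)
    return None


def extract_fields(transforms, line):
    """Apply every search-time (REPORT-style) stanza; return {field: value}."""
    fields = {}
    for st in transforms.values():
        if "DEST_KEY" in st:  # index-time stanza, handled by forced_sourcetype
            continue
        m = re.search(st["REGEX"], line)
        if m:
            for name, value in FORMAT_PAIR.findall(st["FORMAT"]):
                fields[name] = render(value, m)
    return fields


if __name__ == "__main__":
    t = load_transforms(TRANSFORMS_CONF)
    for line in (SNORT_LINE, PF_LINE):
        print(forced_sourcetype(t, line), extract_fields(t, line))
```

The firewall line is included deliberately: it must neither get the snort sourcetype nor yield any of the snort fields, which is the check that the override only touches the snort events on a shared syslog input. Once the script agrees with what you expect, the same stanzas can go into transforms.conf unchanged.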

sbrant_splunk
Splunk Employee

Do you have Splunk listening on port 514? If so, the first stanza in props.conf should force the sourcetype of snort on just the snort logs from the input.


sbrant_splunk
Splunk Employee

Yep, you're right. I just changed them around.


TribanMD
New Member

Are the confs reversed? My current props has the reports/transforms data while my Transforms has the regexes and such (for the pfsense-firewall sources). Also another problem is that I can't seem to send pfsense snort data separately, all or nothing. So all logs come over syslog from pfsense. Otherwise I can use the Snort for Splunk app.


TribanMD
New Member

Posted, let me know if you are looking for something different. Thanks!


Ayn
Legend

Log samples please?
