Splunk Enterprise Security

Using Splunk for Snort, how do I get Snort Alert Fast logs into the Splunk App for Enterprise Security?

Path Finder

I'm a bit stuck with this. This is my situation:

  1. I've installed Snort between the LAN and its GW and all traffic has to go through Snort. This is working perfectly.
  2. Snort has enabled 2 outputs. 1) unified2, used to introduce data into a Snorby and 2) alert_fast to a file. This file is being readed by a splunk UF and sent to the Indexer.
  3. I've installed Splunk for Snort on the indexer receiving Snort alert fast data, it's CIM compliant and should fit into an Enterprise Security environment. I think so at least. As the doc says, this data is being sourcetyped as snort_alert_fast. This app will process it and changes the sourcetype for snort once cim fields have been created. This is working too, I've double-checked it in the search panel.

Now, this is my problem. I can't find any kind of data regarding this in the Enterprise security APP.

  1. In which panel is it supposed to be showing statistics and data from Snort? I guess in any part of the threat menu, but every counter or graph is empty.
  2. How can I check if Snort data is being processes by the Splunk App for Enterprise Security?

Taking advantage of this question, Splunk for ES is not generating any Notable events... I have no clue about this.


Security Domains > Network > Intrusion Center

That should answer both of your questions quickly. The trends at the top, alert severity, alert tables should be populated if the sourcefire TA (CIM compliant) is properly configured and up-to-date.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...