Splunk Enterprise Security
Highlighted

Using Splunk for Snort, how do I get Snort Alert Fast logs into the Splunk App for Enterprise Security?

Path Finder

I'm a bit stuck with this. This is my situation:

  1. I've installed Snort between the LAN and its GW and all traffic has to go through Snort. This is working perfectly.
  2. Snort has enabled 2 outputs. 1) unified2, used to introduce data into a Snorby and 2) alert_fast to a file. This file is being readed by a splunk UF and sent to the Indexer.
  3. I've installed Splunk for Snort on the indexer receiving Snort alert fast data, it's CIM compliant and should fit into an Enterprise Security environment. I think so at least. As the doc says, this data is being sourcetyped as snortalertfast. This app will process it and changes the sourcetype for snort once cim fields have been created. This is working too, I've double-checked it in the search panel.

Now, this is my problem. I can't find any kind of data regarding this in the Enterprise security APP.

  1. In which panel is it supposed to be showing statistics and data from Snort? I guess in any part of the threat menu, but every counter or graph is empty.
  2. How can I check if Snort data is being processes by the Splunk App for Enterprise Security?

Taking advantage of this question, Splunk for ES is not generating any Notable events... I have no clue about this.

Highlighted

Re: Using Splunk for Snort, how do I get Snort Alert Fast logs into the Splunk App for Enterprise Security?

Communicator

Security Domains > Network > Intrusion Center

That should answer both of your questions quickly. The trends at the top, alert severity, alert tables should be populated if the sourcefire TA (CIM compliant) is properly configured and up-to-date.

0 Karma