[Snort-users] Snort on Splunk

Craig Merchant cmerchant at ...16022...
Wed Apr 10 20:23:07 EDT 2013

We use redBorder's IDS management solution, which is basically Snort + Snorby + a rule/configuration management system.  It's pretty slick (and free).

Our sensors send IDS events to Splunk via syslog.  I tried using TCP for the transport, but kept running into problems with line breaking during high volumes of events.  Splunk support couldn't figure it out either.  Using UDP solved that problem.

We also download a number of the CVE reference maps from:  http://cve.mitre.org/data/refs/refmap/

By indexing our Nessus plugins and reports, plus several reference maps (like OSVDB, Bugtraq, Exploit-DB), it's pretty easy to come up with a complete list of CVE IDs associated with a particular vulnerability and Snort event.  Correlating IDS events with open vulnerabilities is an easy way to filter out the noise without a huge amount of rule tuning.

If you need an example of the syslog config in Snort, let me know.


From: Greg Williams [mailto:gwillia5 at ...15920...]
Sent: Wednesday, April 10, 2013 3:05 PM
To: Josh Bitto; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort on Splunk

Yes, you can forward your data to Splunk.  Install a universal forwarder on pfSense and output just your fast alerts to a file.  Alternatively, you can also use Splunk for Snort, but I rarely use it, mainly automated alerting through Splunk through searches.

Greg Williams

From: Josh Bitto [mailto:jbitto at ...16055...]
Sent: Wednesday, April 10, 2013 3:51 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort on Splunk

I had a general question if anyone knew offhand. If I run pfSense with Snort as an installed package, could those logs be sent via syslog to a Splunk server? Or does Snort have to be installed on a box by itself?
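
The correlation described in the first message of this thread (rule references, through a reference map, to CVE IDs, to open scan findings on the targeted host), sketched in Python as an added example; it is not code from any poster, from redBorder or from Splunk. The rules, reference map rows, findings, events and function names are all constructed, and the reference map is assumed to have been exported already as (source, id) to CVE pairs.

```python
import re
from collections import defaultdict

# All data below is constructed for illustration (documentation IPs, made-up IDs).
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB example A"; reference:bugtraq,11111; sid:1000001; rev:1;)',
    'alert tcp any any -> any 445 (msg:"SMB example B"; reference:cve,2099-0002; sid:1000002; rev:1;)',
]
# Reference map rows, assumed already exported as (source, source id) -> CVE IDs.
REFMAP = {("bugtraq", "11111"): {"CVE-2099-0001"}}
# Open findings from indexed scan reports: (host, CVE).
FINDINGS = [("192.0.2.10", "CVE-2099-0001"), ("192.0.2.20", "CVE-2099-0003")]
# IDS events reduced to (sid, destination host).
EVENTS = [(1000001, "192.0.2.10"), (1000001, "192.0.2.20"),
          (1000002, "192.0.2.10"), (1000003, "192.0.2.10")]

REF_RE = re.compile(r"reference:\s*([^,;\s]+)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def rule_cves(rules, refmap):
    """Map each rule SID to the CVE IDs reachable from its reference: options."""
    out = defaultdict(set)
    for rule in rules:
        sid = SID_RE.search(rule)
        if not sid:
            continue  # no SID, nothing to key the references on
        for system, ref_id in REF_RE.findall(rule):
            system, ref_id = system.lower(), ref_id.strip()
            if system == "cve":
                # Snort rules usually write the CVE without the "CVE-" prefix.
                out[int(sid.group(1))].add("CVE-" + ref_id.upper().replace("CVE-", ""))
            else:
                out[int(sid.group(1))] |= refmap.get((system, ref_id), set())
    return out

def correlate(events, sid_to_cves, findings):
    """Keep events whose target host has an open finding for one of the rule's CVEs."""
    open_cves = defaultdict(set)
    for host, cve in findings:
        open_cves[host].add(cve)
    hits = []
    for sid, dst in events:
        matched = sid_to_cves.get(sid, set()) & open_cves.get(dst, set())
        if matched:
            hits.append((sid, dst, sorted(matched)))
    return hits

if __name__ == "__main__":
    for hit in correlate(EVENTS, rule_cves(RULES, REFMAP), FINDINGS):
        print(hit)
```

Events that drop out here are not necessarily benign: a rule with no references, or a host that has not been scanned, produces no match either.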

