Sunday, May 3, 2015

PFSense + Splunk - Security on the cheap - Parsing Snort Logs


Continuing with the Splunk dashboards, let's add a panel for parsed Snort logs.

A Snort alert message, as received from pfSense over syslog, looks as follows:
Apr 22 16:33:30 192.168.0.1 Apr 22 20:33:03 snort[64690]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.0.11:49917 -> 72.251.227.249:80

To build out our Snort Monitoring Panel, the following search filter will be used:

host="192.168.0.1" snort NOT "/usr/sbin/cron" | rex field=_raw "\ssnort\[[0-9]*\]:\s\[(?<snort_sid>[0-9:].*?)\]\s\((?<snort_preprocessor>.*)\)\s(?<snort_message>.*)\[Classification:\s(?<snort_classification>.*)\]\s\[Priority:\s(?<snort_priority>[0-9]{1})\]\s\{(?<snort_protocol>.*)\}\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>[0-9].*?)\s\-\>\s(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<d_port>[0-9].*)" | stats count by snort_sid, snort_preprocessor, snort_message,  snort_classification, snort_priority, snort_protocol, src_ip, src_port, dest_ip, d_port | sort snort_priority
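As an added example, not code from the original post, here is the same extraction done in Python so the fields can be checked offline against a few log lines before the rex goes into a dashboard. The first sample line is the one quoted above; the other three are constructed for this example, and the SIDs 1:1000001:1 and 1:1000002:1 are placeholders from the local-rule range, not real rules. The example also handles two alert shapes the rex above does not match: alerts from ordinary text rules, which carry no "(preprocessor)" tag after the SID, and ICMP alerts, whose addresses have no ports.

```python
import re
from collections import Counter

# Added example (not from the post): a Python re-implementation of the
# rex extraction in the Splunk search above, using the same field names.
# Two deliberate differences from the post's regex, marked below: the
# "(preprocessor)" tag is optional, and the ports are optional.
SNORT_ALERT = re.compile(
    r"\ssnort\[\d+\]:\s"
    r"\[(?P<snort_sid>\d+:\d+:\d+)\]\s"                 # [gid:sid:rev]
    r"(?:\((?P<snort_preprocessor>[^)]*)\)\s)?"          # only preprocessor alerts carry "(http_inspect) "
    r"(?P<snort_message>.*?)\s"                          # lazy: stop at the first "[Classification:"
    r"\[Classification:\s(?P<snort_classification>[^\]]*)\]\s"
    r"\[Priority:\s(?P<snort_priority>\d)\]\s"
    r"\{(?P<snort_protocol>[^}]*)\}\s"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?"   # no port for ICMP
    r"\s->\s"
    r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<d_port>\d+))?\s*$"
)

# Sample input. The first line is the one quoted in the post; the other
# three are constructed for this example. SIDs 1:1000001:1 and 1:1000002:1
# are placeholders from the local-rule range, not real rules.
SAMPLE_LINES = [
    "Apr 22 16:33:30 192.168.0.1 Apr 22 20:33:03 snort[64690]: [119:2:1] "
    "(http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] "
    "[Priority: 3] {TCP} 192.168.0.11:49917 -> 72.251.227.249:80",
    # text-rule alert: no "(preprocessor)" tag, so the post's regex would skip it
    "Apr 22 16:35:10 192.168.0.1 Apr 22 20:34:42 snort[64690]: [1:1000001:1] "
    "LOCAL example rule [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 203.0.113.5:80 -> 192.168.0.11:51022",
    # ICMP alert: addresses carry no ports
    "Apr 22 16:36:02 192.168.0.1 Apr 22 20:35:34 snort[64690]: [1:1000002:1] "
    "LOCAL ICMP example [Classification: Misc activity] [Priority: 3] "
    "{ICMP} 192.168.0.11 -> 192.168.0.1",
    # cron line that mentions snort; the search's NOT "/usr/sbin/cron" drops it
    "Apr 22 16:40:00 192.168.0.1 Apr 22 20:40:00 /usr/sbin/cron[1234]: "
    "(root) CMD (/usr/local/bin/snort_check.sh)",
]


def parse_snort_alert(line):
    """Return the extracted fields as a dict, or None if the line is not a Snort alert.

    Fields absent from a given alert (preprocessor, ports) come back as None,
    which is also how optional groups behave in a Splunk rex.
    """
    m = SNORT_ALERT.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Equivalent of the post's `stats count by ... | sort snort_priority`.

    Returns a list of ((priority, sid, message, protocol, src_ip, dest_ip), count)
    tuples, ordered so that priority 1 (Snort's most severe) comes first.
    """
    counts = Counter()
    for line in lines:
        if "/usr/sbin/cron" in line:          # same exclusion as the SPL search
            continue
        f = parse_snort_alert(line)
        if f is None:
            continue
        key = (f["snort_priority"], f["snort_sid"], f["snort_message"],
               f["snort_protocol"], f["src_ip"], f["dest_ip"])
        counts[key] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    for (priority, sid, msg, proto, src, dst), n in summarize(SAMPLE_LINES):
        print(f"P{priority} [{sid}] {msg} {{{proto}}} {src} -> {dst}: {n}")
```

Splunk's rex command uses PCRE, so the two optional groups used here, `(?:\((?<snort_preprocessor>[^)]*)\)\s)?` for the preprocessor tag and `(?::(?<src_port>\d+))?` for each port, can be carried straight into the search above if text-rule and ICMP alerts need to show up on the panel. Running the script prints one row per distinct alert, with the cron line silently dropped.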

Results from our search



Why would this information be helpful? If you use a centralized dashboard for all of your security monitoring, this panel shows at a glance which Snort signatures are firing, between which hosts, and at what priority. You can then go directly to your Snort device to dig a bit deeper or to perform further analysis.

Hope you find this helpful, and see you in the post on Parsing ARPWatch Logs.

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs


2 comments:

  1. Hi Nik,
    It seems the above parsing doesn't work anymore; can you please confirm?

    Replies
    1. Hmmm, interesting. Send me a sample log and let me see if I can parse it for you. I don't use PFSense anymore.
