PfSense, Snort and Splunk



  • Hi all,

    Here is a link to a Splunk app that ingests the logs from Snort on a pfSense firewall and provides a graphical display of the threats from the Snort logs:

    https://splunkbase.splunk.com/app/3470/

    Hope this is helpful.

    fugglefeet


  • Sweet, I saw they have a version for Suricata as well. Is this something that needs to be running 24/7, either standalone or in a VM, or can you just run it as a desktop application that pulls and processes the logs when it's open?



  • Hi pfBasic,

    All that is needed is a Splunk installation, and the app is installed on Splunk. I am running it on a standalone Splunk installation and running it 24/7. When Splunk and Snort for Splunk are installed, the app is viewed through any browser that connects to the Splunk server. I haven't tried using Splunk and Snort for Splunk on a VM, but I can't see why it shouldn't be installed on a VM. The setup for Splunk and Snort for Splunk would be:

    1.) Install OS of choice (Windows, Linux, Mac OS X, Solaris, FreeBSD(?)). I don't know if there are still versions of Splunk available for FreeBSD.
    2.) Install Splunk Enterprise and get a free licence.
    3.) Connect to the Splunk server via the IP address (e.g. 192.168.0.1:8000).
    4.) Install Snort for Splunk from the SplunkBase through the web interface of the Splunk server and start monitoring the Snort logs.

    That's about it.

    Hope this helps.

    fugglefeet.
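The four steps above get the app in front of the logs; what the app then has to do is turn each Snort alert line into fields Splunk can chart. The following is an added example for this thread, not code from the Splunk app or from the pfSense Snort package. It assumes the alerts are in Snort's alert_fast format (one line per alert, which is what the pfSense package writes to its per-interface alert file), parses constructed sample lines into events, emits them as JSON lines Splunk can index, and builds the per-priority and top-source counts a threat dashboard would display. The sample alerts, rule messages and addresses are made up (local-range SIDs, documentation IP ranges).

```python
"""Parse Snort alert_fast lines into structured events and summarise them.

Added example for this thread; it is NOT the code of the Splunk app linked
above. Assumption: the pfSense Snort package writes alerts in Snort's
alert_fast format (one line per alert), which is what this parser expects.
"""
import json
import re
from collections import Counter
from typing import Optional

# Constructed sample alerts (not real traffic; rule SIDs are in the local
# 1000000+ range) in Snort alert_fast format. The last line is deliberately
# malformed to show that unparseable lines are skipped rather than crashed on.
SAMPLE_ALERTS = """\
03/14-10:22:31.123456 [**] [1:1000001:1] LOCAL Inbound SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51001 -> 192.0.2.10:22
03/14-10:22:45.654321 [**] [1:1000002:1] LOCAL Inbound MySQL port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51002 -> 192.0.2.10:3306
03/14-10:23:02.000001 [**] [1:1000003:2] LOCAL Web server directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:40404 -> 192.0.2.10:443
03/14-10:23:09.777777 [**] [1:1000004:1] LOCAL ICMP echo to firewall WAN [**] [Priority: 3] {ICMP} 198.51.100.1 -> 192.0.2.10
this line is not an alert and must be skipped
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"  # optional
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"  # no ports for ICMP
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def parse_alert_log(text: str) -> list:
    """Parse every line of an alert file, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        ev = parse_alert(line)
        if ev is not None:
            events.append(ev)
    return events


def to_splunk_json(ev: dict, year: int) -> str:
    """Serialise one event as a JSON line for Splunk's json sourcetype.
    alert_fast timestamps carry no year, so the caller supplies one
    (assumption: every alert in the file is from that year)."""
    month_day, clock = ev["ts"].split("-")
    month, day = month_day.split("/")
    out = dict(ev)
    out["_time"] = f"{year}-{month}-{day}T{clock}"
    del out["ts"]
    return json.dumps(out, sort_keys=True)


def summarize(events: list, top_n: int = 5) -> dict:
    """Counts a threat dashboard would show: alerts per priority, per
    signature message, and the busiest source addresses."""
    by_priority = Counter(ev["priority"] for ev in events)
    by_msg = Counter(ev["msg"] for ev in events)
    by_src = Counter(ev["src"] for ev in events)
    return {
        "total": len(events),
        "by_priority": dict(by_priority),
        "by_msg": dict(by_msg),
        "top_sources": by_src.most_common(top_n),
    }


if __name__ == "__main__":
    evs = parse_alert_log(SAMPLE_ALERTS)
    for ev in evs:
        print(to_splunk_json(ev, 2017))
    print(json.dumps(summarize(evs), indent=2))
```

The regex treats the Classification field as optional and the ports as optional on purpose: rules without a classtype and non-TCP/UDP protocols such as ICMP both occur in real alert files, and a parser that assumes every field is present quietly drops exactly those events.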

