PfSense, Snort and Splunk



  • Hi all,

    Here is a link to a Splunk app that ingests the logs from Snort on a pfSense firewall and provides a graphical display of the threats from the Snort logs:

    https://splunkbase.splunk.com/app/3470/

    Hope this is helpful.

    fugglefeet


  • Sweet, I saw they have a version for Suricata as well. Is this something that needs to be running 24/7 either standalone or in a VM, or can you just run it as a desktop application and it will pull and process the logs when it's open?



  • Hi pfBasic,

    All that is needed is a Splunk installation, and the app is installed on Splunk. I am running it on a standalone Splunk installation and running it 24/7. When Splunk and Snort for Splunk are installed, the app is viewed through any browser that connects to the Splunk server. I haven't tried using Splunk and Snort for Splunk on a VM, but I can't see why it shouldn't be installed on a VM. The setup for Splunk and Snort for Splunk would be:

    1.) Install OS of choice (Windows, Linux, Mac OS X, Solaris, FreeBSD(?)). I don't know if there are still versions of Splunk available for FreeBSD.
    2.) Install Splunk Enterprise and get a free licence.
    3.) Connect to the Splunk server via the IP address (e.g. 192.168.0.1:8000).
    4.) Install Snort for Splunk from the SplunkBase through the web interface of the Splunk server and start monitoring the Snort logs.

    That's about it.

    Hope this helps.

    fugglefeet.
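As an added example (not code from this thread or from the Snort for Splunk app), here is a small Python parser that does in miniature what the app ingests: it reads lines in Snort's alert_fast format, which is assumed here to be what the pfSense Snort package writes to its per-interface alert file, and tallies alerts by priority, signature and source address. The sample alert lines are constructed, using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's alert_fast format (assumption: this is the
# layout pfSense's Snort package writes to /var/log/snort/snort_<if>/alert).
SAMPLE_ALERTS = """\
05/14-10:22:31.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.0.50:51234
05/14-10:23:02.654321  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:44532 -> 192.168.0.20:3306
05/14-10:25:17.000001  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:44540 -> 192.168.0.21:3306
05/14-10:30:45.111111  [**] [1:2014726:3] ET POLICY Outdated Windows Flash Version IE [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.50:49201 -> 203.0.113.99:80
not an alert line
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src[:port] -> dst[:port]" (ports absent for ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["priority"] = int(fields.pop("prio"))
    return fields


def summarize(text):
    """Parse every line of an alert file and count alerts by priority, signature and source."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    return {
        "total": len(alerts),
        "by_priority": Counter(a["priority"] for a in alerts),
        "by_signature": Counter(a["msg"] for a in alerts),
        "top_sources": Counter(a["src"] for a in alerts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS).items():
        print(key, value)
```

Malformed lines are skipped rather than raising, so a partially written or rotated alert file does not abort the whole ingest.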