PfSense, Snort and Splunk
-
Hi all,
Here is a link to a Splunk app that ingests the logs from Snort on a pfSense firewall and provides a graphical display of the threats from the Snort logs:-
https://splunkbase.splunk.com/app/3470/
Hope this is helpful.
fugglefeet
-
Sweet, I saw they have a version for suricata as well. Is this something that needs to be running 24/7 either standalone or in a VM or can you just run it as a desktop application and it will pull and process the logs when it's open?
-
Hi pfBasic,
All that is needed is a Splunk installation and the app is installed on Splunk. I am running it on a standalone Splunk installation and running it 24/7. When Splunk and Snort for Splunk is installed, the app is viewed through any browser that connects to the Splunk server. I haven't tried using Splunk and Snort for Splunk on a VM, but I can't see why it shouldn't be installed on a VM. The setup for the Splunk and Snort for Splunk would be:-
1.) Install OS of choice (Windows, Linux, Mac OS X, Solaris, FreeBSD(?)). I don't know if there are still versions of Splunk available for FreeBSD.
2.) Install Splunk Enterprise and get a free licence.
3.) Connect to the Splunk server via the IP address (eg. 192.168.0.1:8000).
4.) Install Snort for Splunk from the SplunkBase through the web interface of the Splunk server and start monitoring the Snort logs.That's about it.
Hope this helps.
fugglefeet.