Netgate Discussion Forum
PfSense, Snort and Splunk

IDS/IPS
fugglefeet

Hi all,

Here is a link to a Splunk app that ingests the logs from Snort on a pfSense firewall and provides a graphical display of the threats from the Snort logs:-

https://splunkbase.splunk.com/app/3470/

Hope this is helpful.

fugglefeet

pfBasic

Sweet, I saw they have a version for Suricata as well. Is this something that needs to be running 24/7 either standalone or in a VM, or can you just run it as a desktop application and it will pull and process the logs when it's open?

fugglefeet

Hi pfBasic,

All that is needed is a Splunk installation, and the app is installed on Splunk. I am running it on a standalone Splunk installation and running it 24/7. When Splunk and Snort for Splunk are installed, the app is viewed through any browser that connects to the Splunk server. I haven't tried using Splunk and Snort for Splunk on a VM, but I can't see why it shouldn't be installed on a VM. The setup for Splunk and Snort for Splunk would be:-

1.) Install OS of choice (Windows, Linux, Mac OS X, Solaris, FreeBSD(?)). I don't know if there are still versions of Splunk available for FreeBSD.
2.) Install Splunk Enterprise and get a free licence.
3.) Connect to the Splunk server via the IP address (e.g. 192.168.0.1:8000).
4.) Install Snort for Splunk from SplunkBase through the web interface of the Splunk server and start monitoring the Snort logs.

That's about it.

Hope this helps.

fugglefeet.

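The app linked in this thread does its work inside Splunk, so the thread never shows what "ingesting the Snort logs" actually involves. The following is an added example, not code from the Splunk app or from either poster: a small Python parser for Snort's single-line "fast" alert format (the format the pfSense Snort package writes to its alert file), followed by the kind of aggregation a threat dashboard displays. The log lines are constructed for the example, use RFC 5737 documentation addresses and local-rule SIDs (1000000 and above), and include one malformed line to show that a parser feeding a SIEM should count and skip bad input rather than crash on it.

```python
"""Parse Snort fast-format alert lines and summarise them the way an
IDS dashboard would (counts by signature, priority and source host).

Added example; not part of the Splunk app discussed on the page. The
sample log below is constructed and uses RFC 5737 documentation
addresses and local-rule SIDs (>= 1000000)."""
import re
from collections import Counter

# One line of Snort's "fast" alert output. The year part of the
# timestamp is optional (present when Snort runs with -y), and the
# Classification field and the port numbers are absent on some alerts
# (e.g. ICMP rules, or rules without a classtype).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert file (not real traffic).
SAMPLE_LOG = """\
01/15-10:21:05.123456  [**] [1:1000001:1] LOCAL SSH scan attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:51234 -> 192.0.2.5:22
01/15-10:21:07.654321  [**] [1:1000001:1] LOCAL SSH scan attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:51235 -> 192.0.2.5:22
01/15-10:22:30.000001  [**] [1:1000002:1] LOCAL ICMP echo from outside [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.5
01/15-10:25:12.111111  [**] [1:1000003:2] LOCAL Executable download over HTTP [**] [Priority: 1] {TCP} 192.0.2.5:49152 -> 203.0.113.99:80
this line is deliberately malformed and must be skipped
"""


def parse_alerts(text):
    """Return (alerts, skipped): one dict per parsed alert, plus the
    number of non-empty lines that did not match the fast format."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m is None:
            skipped += 1  # count it; a SIEM feed should never die on one bad line
            continue
        d = m.groupdict()
        d["priority"] = int(d.pop("prio"))
        for key in ("gid", "sid", "rev"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts, skipped


def summarize(alerts):
    """Aggregate like a dashboard: alerts per signature, per priority,
    and the most active source hosts."""
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_prio = Counter(a["priority"] for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {
        "total": len(alerts),
        "by_signature": by_sig,
        "by_priority": by_prio,
        "top_sources": by_src.most_common(5),
    }


if __name__ == "__main__":
    parsed, bad = parse_alerts(SAMPLE_LOG)
    s = summarize(parsed)
    print(f"{s['total']} alerts parsed, {bad} line(s) skipped")
    for (gid, sid, msg), n in s["by_signature"].most_common():
        print(f"  {n:3d}  [{gid}:{sid}] {msg}")
    for prio in sorted(s["by_priority"]):
        print(f"  priority {prio}: {s['by_priority'][prio]}")
    print("  top sources:", s["top_sources"])
```

Run it as a script to see the summary; to use it on a real pfSense box, read the interface's Snort alert file instead of SAMPLE_LOG. The regex is deliberately permissive about the fields that vary between rules (year in the timestamp, Classification, ports), which is the same set of cases a Splunk field extraction for these logs has to cover.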