Logging Snort3/Barnyard2 to Splunk?



  • Greetings,

    I'm in the process of standing up a Splunk instance and learning the platform. I could use some assistance and guidance in digesting the data from Snort so I'm hoping a community member that has some dashboards set up for it could assist me.

    I've gotten PFSense itself taken care of and digesting data via the T&A for PFSense so that fields are properly categorized. I've then been using the HomeMonitor App as a crutch while I learn how Splunk dashboards and searches are put together.

    I've been having issues extracting fields from the data being provided by Snort3 (via Barnyard2) into Splunk.
    Using the Snort3 JSON app has allowed me to get some useful fields from the data, but it's not extracting the source and destination data. I've tried playing around with it some but am having difficulty with the format, e.g. the data seems to come in as such: SRC_IP > DEST_IP. I'm however not too familiar with regex yet.

    Could someone who's logging their Snort data to Splunk please share how they have things set up?
    I'm most interested in getting the following field info.

    • Alert Source
    • Alert Category
    • Alert Severity
    • Alert Source_IP
    • Alert Destination_IP
    • Alert Source_Port
    • Alert Destination_Port

    Thanks!





  • I'm getting the data into Splunk but am having a rather difficult time getting fields set. Emerging Threats have been easy to create a regex for using the wizard, but the Snort alerts have been throwing a monkey wrench into that by there being an additional, duplicate field in the "Snort Alerts".
    https://imgur.com/a/yV0kjbL

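The following is an added example, not code from either post above or from the Snort3 JSON app. It shows one regex that pulls out the fields the first post asks for (rule, category, priority/severity, source and destination IP and port) from alert lines in the Snort "fast" / Barnyard2 syslog layout, and is written with Splunk's `(?<name>...)` group syntax so the same string can be pasted into a `rex` command. The sample log lines, the `pfsense` index and `snort` sourcetype names, and the assumption that the feed uses this layout are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the thread) in the Snort "fast" / Barnyard2 syslog
# alert layout: [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
# Assumption: the feed the thread describes uses this layout; adjust the regex otherwise.
SAMPLE_ALERTS: List[str] = [
    "Jan 10 12:00:01 pfsense snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:80",
    "Jan 10 12:00:02 pfsense snort[1234]: [1:384:8] PROTOCOL-ICMP PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "Jan 10 12:00:03 pfsense snort[1234]: [1:2001219:20] ET SCAN Potential SSH Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51000 -> 192.168.1.10:22",
    "Jan 10 12:00:04 pfsense snort[1234]: [1:1000001:1] LOCAL mDNS seen "
    "{UDP} 10.0.0.5:5353 -> 224.0.0.251:5353",
    "Jan 10 12:00:05 pfsense kernel: unrelated line that must not match",
]

# One PCRE-style pattern using Splunk's (?<name>...) group syntax so it can be pasted into
# a `rex` command unchanged. Classification and Priority are optional because local rules
# often omit them; the port is optional because ICMP alerts carry none; "-?>" accepts both
# "->" and the bare ">" the first post describes.
SPLUNK_REX = (
    r"\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+(?<signature>.+?)\s+"
    r"(?:\[Classification:\s*(?<category>[^\]]+)\]\s*)?"
    r"(?:\[Priority:\s*(?<priority>\d+)\]\s*)?"
    r"\{(?<proto>[A-Z0-9]+)\}\s+"
    r"(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?<src_port>\d+))?\s*-?>\s*"
    r"(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?<dest_port>\d+))?"
)

# Python's re module wants (?P<name>...); the pattern has no lookbehinds, so this rewrite is safe.
_ALERT_RE = re.compile(SPLUNK_REX.replace("(?<", "(?P<"))

# Snort's priority convention: 1 is the most severe.
SEVERITY_BY_PRIORITY = {"1": "high", "2": "medium", "3": "low", "4": "very low"}


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract the requested fields from one alert line, or return None if it is not a Snort alert."""
    m = _ALERT_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "rule": f"{f['gid']}:{f['sid']}:{f['rev']}",  # the rule that fired (gid:sid:rev)
        "signature": f["signature"],
        "category": f["category"] or "unclassified",
        "priority": f["priority"],
        "severity": SEVERITY_BY_PRIORITY.get(f["priority"] or "", "unknown"),
        "proto": f["proto"],
        "src_ip": f["src_ip"],
        "src_port": f["src_port"],      # None for ICMP
        "dest_ip": f["dest_ip"],
        "dest_port": f["dest_port"],    # None for ICMP
    }


def parse_alerts(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Parse every line, skipping lines that are not Snort alerts."""
    parsed = [parse_alert(line) for line in lines]
    return [p for p in parsed if p is not None]


def splunk_search(index: str = "pfsense", sourcetype: str = "snort") -> str:
    """The equivalent SPL: the same regex applied to _raw with rex (index/sourcetype names are placeholders)."""
    return f'index={index} sourcetype={sourcetype} | rex field=_raw "{SPLUNK_REX}"'


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERTS):
        print(alert)
    print(splunk_search())
```

Run the script to see the parsed fields for each constructed line; `splunk_search()` prints the `rex` form to paste into a Splunk search. Because the port groups are optional and the Classification/Priority brackets are optional, the same pattern covers ICMP alerts and local rules that carry no classification, which is where a wizard-generated regex usually breaks.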
