Netgate Discussion Forum

    Logging Snort3/Barnyard2 to Splunk?

    General pfSense Questions
    3 Posts, 2 Posters, 288 Views
    • gawainxx

      Greetings,

      I'm in the process of standing up a Splunk instance and learning the platform. I could use some assistance and guidance in digesting the data from Snort so I'm hoping a community member that has some dashboards set up for it could assist me.

      I've gotten PFSense itself taken care of and digesting data via the T&A for PFSense so that fields are properly categorized. I've then been using the HomeMonitor App as a crutch while I learn how Splunk dashboards and searches are put together.

      I've been having issues extracting fields from the data being provided by Snort3 (via Barnyard2) into Splunk.
      Using the Snort3 JSON app has allowed me to get some useful fields from the data, but it's not extracting the source and destination data. I've tried playing around with it some but am having difficulty with the format; e.g. the data seems to come in as such: SRC_IP > DEST_IP. I'm, however, not too familiar with regex yet.

      Could someone who's logging their Snort data to Splunk please share how they have things set up?
      I'm most interested in getting the following field info:

      • Alert Source
      • Alert Category
      • Alert Severity
      • Alert Source_IP
      • Alert Destination_IP
      • Alert Source_Port
      • Alert Destination_Port

      Thanks!

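The field extraction the post asks about can be prototyped outside Splunk first. The following is an added example, not code from the poster, Netgate, Snort or Splunk. It assumes the classic Barnyard2 syslog alert layout (`[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src_ip:port -> dst_ip:port`), accepts either `->` or a bare `>` as the separator, and handles IPv4 only; the priority-to-severity mapping (1 = high, 2 = medium, 3 = low, 4 = very low) follows Snort's default classification.config. The sample log lines are constructed. The same named-group pattern is also emitted in Splunk `rex` form, which is an assumption about Splunk's PCRE syntax (`(?<name>...)` instead of Python's `(?P<name>...)`), so check it in the Search app before relying on it.

```python
import re
from typing import Optional

# Constructed sample syslog lines (not from any real sensor) in the
# Barnyard2 "syslog" output format; the last line is unrelated syslog noise.
SAMPLE_LINES = [
    "Mar  3 12:00:01 pfsense snort[12345]: [1:1000001:1] LOCAL Suspicious inbound TCP "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.0.2.10:22",
    "Mar  3 12:00:02 pfsense snort[12345]: [1:1000002:1] LOCAL ICMP ping sweep "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.1",
    "Mar  3 12:00:03 pfsense snort[12345]: [1:1000003:2] LOCAL DNS query to odd port "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.0.2.20:5353 > 198.51.100.53:5353",
    "Mar  3 12:00:04 pfsense sshd[999]: Accepted publickey for admin from 192.0.2.30 port 50000",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Named groups become the Splunk field names. Ports are optional because
# protocols such as ICMP carry none, and "-?>" accepts both "->" and ">".
PATTERN = (
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<category>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src_ip>" + IPV4 + r")(?::(?P<src_port>\d+))?\s+-?>\s+"
    r"(?P<dest_ip>" + IPV4 + r")(?::(?P<dest_port>\d+))?\s*$"
)
ALERT_RE = re.compile(PATTERN)

# Splunk's rex uses PCRE named groups; this rewrite is an assumption to verify.
SPLUNK_REX = '| rex field=_raw "' + PATTERN.replace("(?P<", "(?<") + '"'

# Snort default priority levels (classification.config).
SEVERITY = {1: "high", 2: "medium", 3: "low", 4: "very low"}


def parse_snort_alert(line: str) -> Optional[dict]:
    """Return the alert fields for one syslog line, or None if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dest_port"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["severity"] = SEVERITY.get(rec["priority"], "unknown")
    return rec


def parse_lines(lines):
    """Parse a batch of syslog lines, silently skipping non-alert traffic."""
    return [rec for rec in (parse_snort_alert(l) for l in lines) if rec is not None]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(
            f"{rec['severity']:<7} sid={rec['sid']} {rec['category']}: "
            f"{rec['src_ip']}:{rec['src_port']} -> {rec['dest_ip']}:{rec['dest_port']} [{rec['proto']}]"
        )
    print("Splunk equivalent:\n" + SPLUNK_REX)
```

Run it once against a few real lines copied from the Snort log before pasting the `rex` into a search; if the sensor writes IPv6 addresses or a different message layout, the IP and separator parts of the pattern are the first places to adjust.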
      • NogBadTheBad (last edited by NogBadTheBad)

        This post is deleted!
        • gawainxx

          I'm getting the data into Splunk but am having a rather difficult time getting fields set. Emerging Threats have been easy to create a regex for using the wizard, but the Snort alerts have been throwing a monkey wrench into that by there being an additional, duplicate field in the "Snort Alerts":
          https://imgur.com/a/yV0kjbL

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.