Friday, March 23, 2018

Adding Snort for Splunk app

Log into Splunk, go to add app, search for "snort" and add Snort for Splunk.

Follow these instructions:

App Installation

1.) To install the app, download the app to a suitable download location.
2.) Open Splunk and click on the Manage Apps icon.
3.) Click on the Install app from file button.
4.) In the Upload app window, select the Browse button under File and locate the SnortforSplunk.spl file in the download location in step 1.
5.) Click the Upload button to install the app.
6.) Once the app is installed follow the next steps to setup the Data Input.
7.) Under Splunk -> Settings -> Data Inputs -> Local Inputs -> UDP -> Click the New button.
8.) In the Port field under Add Data -> Select Source, enter 514 for the port to be used.
9.) In the Only accept connection from field under Add Data -> Select Source, enter the IP address of the pfSense appliance (in the format XXX.XXX.XXX.XXX) and click Next.
10.) From the Source Type dropdown under Add Data -> Input Settings, select Network and Security -> snort.
11.) From the App Context dropdown under Add Data -> Input Settings, select Snort for Splunk.
12.) Click the Review button.
13.) Once satisfied with the settings, click the Submit button.

pfSense Setup

1.) The setup assumes that pfSense version 2.3.2-RELEASE-p1 is being used as a firewall, along with pfSense-pkg-snort version 3.2.9.2_16 (which includes Barnyard2 version 1.13 and Snort version 2.9.8.3) and that this has been properly setup.
2.) Select Services -> Snort from the main menu and this will show the Snort Interfaces page.
3.) Select the Edit option (Pencil icon) under the Actions column on the page adjacent to the interface to be captured.
4.) Under the submenu, select the {Interface} Barnyard2 (substitute {interface} for either WAN or LAN or as has been setup on pfSense).
5.) Under General Barnyard2 Settings, make sure the following are checked:-
- Enable Barnyard2
- Show Year
- Archive Unified2 Logs
and leave the rest of these settings on their default values.
6.) Scroll down to Syslog Output Settings and select Enable Syslog.
7.) Under Remote Host enter the IP address of the Splunk server that is receiving the log files from Barnyard2.
8.) Under Remote Port enter the port of the Splunk server that is receiving the log files from Barnyard2 (default is port 514). **
9.) Change Log Facility from default to LOG_AUTH.
10.) Change Log Priority from default to LOG_ALERT.
11.) With all the settings done click on the Save button at the bottom.
12.) Click on the Snort Interfaces menu item and under the Snort Status column, click on the icon to start/restart the Snort interface.
13.) Check on the Splunk server that the information logged by Barnyard2 is captured by the app.
** Exception: I already had pfSense syslogs going into UDP 514, so I made another data input in Splunk for port 992/UDP.
*** Added port 992/UDP to the public interface firewall on the CentOS 7 server hosting the Splunk indexer.
**** Specified a new index created, index = snort, used for the Snort app.
* Is pfSense blocking Barnyard logs?
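One way to answer that last question without Splunk in the loop, as an added example that is not part of the original post or of the Snort for Splunk app: bind the UDP port on the Splunk host while Splunk's UDP input is stopped, decode the syslog PRI header that the LOG_AUTH/LOG_ALERT Barnyard2 settings produce (`<33>`), and apply the same source-IP restriction the Splunk input was given. The pfSense address 192.0.2.1 and port 992 are placeholders for the values used in the setup above.

```python
import socket

# RFC 3164 numeric codes for the facility/priority the post selects in Barnyard2
LOG_AUTH, LOG_ALERT = 4, 1
PFSENSE_IP = "192.0.2.1"  # placeholder for the pfSense appliance address

def syslog_pri(facility=LOG_AUTH, severity=LOG_ALERT):
    """PRI = facility * 8 + severity; LOG_AUTH/LOG_ALERT gives <33>."""
    return facility * 8 + severity

def parse_pri(datagram):
    """Split '<PRI>rest' into (facility, severity, rest); None if no valid header."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)
    if end == -1 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return pri // 8, pri % 8, datagram[end + 1:]

def check_packet(datagram, src_ip, expected_ip=PFSENSE_IP):
    """Judge one datagram the way the Splunk UDP input configured above would."""
    if src_ip != expected_ip:
        return "rejected: source %s is not the pfSense address" % src_ip
    parsed = parse_pri(datagram)
    if parsed is None:
        return "malformed: no syslog PRI header"
    facility, severity, _ = parsed
    if (facility, severity) != (LOG_AUTH, LOG_ALERT):
        return "unexpected PRI %d/%d: Barnyard2 not set to LOG_AUTH/LOG_ALERT?" % (facility, severity)
    return "ok"

def listen(port=992, count=1, timeout=30.0):
    """Bind Splunk's port (its UDP input must be stopped) and report what arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", port))
    results = []
    try:
        for _ in range(count):
            data, (ip, _) = sock.recvfrom(65535)
            results.append((ip, check_packet(data, ip)))
    except socket.timeout:
        results.append(("-", "timeout: nothing arrived; check the pfSense and firewalld rules"))
    finally:
        sock.close()
    return results
```

Run `listen()` on the Splunk host after restarting the Snort interface on pfSense; a timeout points at pfSense or firewalld, a "rejected" verdict at the Only accept connection from setting, and an "unexpected PRI" verdict at the Barnyard2 facility/priority settings.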
