So the Snort update 3.2.9.14_1 (or heck maybe an earlier one? I hadn't updated for some time) breaks Barnyard2's syslog output to a defined server (in this case Splunk).
I was using Snort for Splunk's app- an amazing app with great field extractions and great dashboard. I was panicking to get some kind of threat feed back in.
Enter Suricata. I had mixed success with early Suricata builds on pfsense so I had stuck to Snort. With this issue popping up, I decided to install Suricata again.
After following some guides to get Snort rules inputted into Suricata, and with Suricata's WebUI very simular to Snorts, I was off and running way faster than I expected.
Very quickly I had Suricata data feeding into Splunk, and for fun into the same data input Snort was using. To the log formatting credit, it was getting extracted pretty well right out of the gate.
Instead of installing a Suricata app, I see an opportunity here to use a transforms.conf stanza to sourcetype data from the Suricata feed to sub-devide into Suricata or Snort rule. With that done, I can apply a different props.conf stanza to the Splunk sourcetyped data to fix the extractions for description and other fields.
