The Splunk for Snort app provides field extractions for Snort alert logs (fast and full) as well as dashboards, saved searches, reports, event types, tags and event search interfaces. It is compliant with the Splunk Common Information Model.
This app is maintained by Patrik Nordlen. Suggestions and bug reports are appreciated.
To install, extract the .spl file into $SPLUNK_HOME/etc/apps.
You will need to enable the appropriate inputs, either via inputs.conf or through the Manager in the Splunk GUI. Splunk for Snort expects full alert logs to have a sourcetype of "snort_alert_full" and fast alert logs to have a sourcetype of "snort_alert_fast". Note that you don't need both types; either one will do. These distinct sourcetypes are only there to make sure that Splunk parses each log format correctly. Sourcetypes are renamed to "snort" at search time, so if you do have both full and fast logs you won't need to search separately for each sourcetype.
The most basic feature provided by this app is to extract fields from Snort logs. The following fields are extracted for both full and fast:
The following fields are extracted for full only (as they are not available in fast):
These field extractions are applied to all logs with sourcetype "snort" (which includes sourcetypes "snort_alert_fast" and "snort_alert_full" as they are renamed to "snort" at search time).
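To illustrate the kind of search-time extraction described above, here is an added example (not the app's own code) that applies a regex of the sort a props.conf EXTRACT- setting would carry to constructed Snort fast-alert lines. The field names are assumed CIM-style names, since this page does not reproduce the app's field list; the regex handles the two common edge cases, a rule with no classification and an ICMP alert with no ports, and counts lines that do not match instead of dropping them silently.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex for a Snort "fast" alert line, comparable to what a props.conf EXTRACT-
# setting would hold. Field names are assumed (CIM Intrusion Detection style),
# not taken from the app, whose field list is not reproduced on the page.
FAST_ALERT_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<signature>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<category>[^\]]+)\]\s*)?"  # absent when the rule has no classtype
    r"\[Priority:\s*(?P<severity>\d+)\]\s*"
    r"\{(?P<transport>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s+->\s+"  # no port for ICMP
    r"(?P<dest>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dest_port>\d+))?\s*$"
)

# Constructed sample lines, not real alerts. The last one is a fragment in the
# wrong format and should be rejected by the fast-alert extraction.
SAMPLE_FAST_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234",
    "01/15-10:24:02.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "01/15-10:24:10.500000  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 1] {UDP} 10.0.0.7:53 -> 10.0.0.5:40000",
    "[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]",
]


def parse_fast_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the extracted fields for one fast-alert line, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = {name: value for name, value in m.groupdict().items() if value is not None}
    # The rule identity a search would pivot on is the gid:sid:rev triple.
    fields["signature_id"] = f"{fields['gid']}:{fields['sid']}:{fields['rev']}"
    return fields


def parse_fast_alerts(lines: List[str]) -> Tuple[List[Dict[str, str]], int]:
    """Extract fields from every line and count the lines the regex rejects."""
    parsed, rejected = [], 0
    for line in lines:
        fields = parse_fast_alert(line)
        if fields is None:
            rejected += 1
        else:
            parsed.append(fields)
    return parsed, rejected
```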
The app includes a custom search interface for Snort events, available under "Snort event search". This interface shows event tables and statistics for the searches you run.
A number of dashboards and reports are provided, covering the information most commonly requested.
Splunk for Snort provides a dashboard for viewing geographical location of source IPs that have triggered alerts. This map is populated through a scheduled search that runs every hour.
PLEASE NOTE THAT TO VIEW THIS MAP YOU NEED THE MAXMIND APP:
Changes in v0.5:
- Enabled real-time searching in the Snort event search interface.
- Rebuilt statistics dashboard with timepickers instead of different dashboards for different time ranges.
- Layout changes - background colour, logo.
- Improved documentation.
- Moved ammap scripts into the app to avoid dependencies.
Changes in v0.3:
- Added clarifications on how to update the map manually.
- Added pie charts for source hosts and destination hosts in the event search interface.