icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Snort 3 JSON Alerts
SHA256 checksum (snort-3-json-alerts_101.tgz) ebf15aacb11449f1db4d82437e02a6320a4a0ca8925923ed076ad1b2219e2c57
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Snort 3 JSON Alerts

Splunk AppInspect Passed
Overview
Details
This repository is a Technology Add-On for Splunk that allows you to ingest IDS alerts into Splunk from Snort 3 in json format. This plugin normalizes these alerts conform to the "Intrusion Detection" model in the Splunk Common Information Model (CIM), and can be accessed within any app or dashboard that reports Intrusion Detection events.

Technology Add-On for Snort3 Json Alerts

Overview

The Snort 3 for JSON Alerts Technology Add-On (TA_Snort3_json) is a Splunk Technology Add-On written by Noah Dietrich for ingesting and normalizing alert data created by a Snort 3 IDS in JSON format.

This Technology Add-On (TA) normalizes Snort 3 alerts that are written with Snort 3's alert_json plugin to make it compliant with the "Network Intrusion Detection" model of the Splunk Common Information Model (CIM).

The public repository for this TA is: https://github.com/NDietrich/Splunk-Snort3-TA.

IMPORTANT

Snort 3 is currently a Beta product. It should not be used in production or mission-cricical environments, and is available primarily for testing purposes. Because of this, it is possible that future modifications to Snort 3 will break this plugin. This plugin has been released before the final version of Snort 3 has been finalized to solicit feedback, including feature requests and bug reports.

Installation & Configuration

More detailed configuration instructions for Snort 3 can be found at https://SublimeRobots.com/.

Configuring Snort 3 json_alerts Output Plugin

Ensure that you have installed Snort 3, and it is correctly outputting alerts in JSON format. Please see https://snort.org/documents for installation guides (make sure to install Snort 3 instead of Snort 2). If you are unsure what platform to install Snort on (Linux, Windows, BSD), choose the platform you are most comfortable using. I have authored some in-depth installation guides for Ubuntu, available on Snort's website, or alternately available at https://SublimeRobots.com/.

In your json output files, make sure that 'seconds' field is the very first field output for each alert. The alert_json plugin is configured in the snort.lua file. In the example below, you can see the following output options:

  • fields: The 'seconds' field is the first field listed (and thus the first field in the output). The example here is outputting every possible field. You can probably remove some of these fields after testing to determine if they are necessary, such as the vlan or mpls fields.
  • file" We are o utputting to a file (the alert_json.txt file).
  • limit: Each json file will be 100 MB before it rolls over to a new file (named alert_json.txt.epochtime).
--- in your snort.lua file
alert_json =
{
    fields = 'seconds timestamp action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan',
    file = true,
    limit = 100,
}

Installation of this TA

This TA should be installed on all servers in your infrastructure, but most important it must be installed and configured on the server where the log files are ingested. Failure to also install this plugin on Indexers, Heavy forwarders, or Search Heads may result in data that is not normalized correctly.

Configuration of this TA

The TA must be configured wherever Snort 3 JSON logs are collected (usually on your UF). You do not need to modify this TA on any Splunk servers that are not actively collecting logs (you don't need to modify this TA on your indexers or search heads, it just needs to be installed for CIM normalization).

On the Splunk servers where you will be collecting log files, you must modify this plugin to specify the location of your Snort 3 JSON files. This can be accomplished by creating a new 'inputs.conf' file in the TA_Snort3_json application 'local' folder. Do not modify the ./default/inputs.conf file directly.

Create a new ./local/inputs.conf file in the TA_Snort3_json folder. This file should be located at:
$SPLUNK_HOME/etc/apps/TA_Snort3_json/local/inputs.conf

You must place a 'monitor' stanza in the local inputs.conf file that contains the path to the folder containing the Snort 3 alert JSON files. For example, if your files are located in /var/log/snort (a common location), your ./local/inputs.conf file should contain the following two lines:

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

These lines are required, and will allow Splunk to index all Snort 3 json alert log files in the /var/log/snort folder (and sub-folders).

Restart Splunk on the server where you created this inputs.conf file. Splunk will index existing Snort 3 json files in this folder and sub-folders.

Optional Input Configuration Options

The following settings for you local inputs.conf file are available if you have specific needs. For example, if you want to save these events to a different index, add the following line specifying the index name:

# in your $SPLUNK_HOME/etc/apps/TA_Snort3_json/local/inputs.conf file
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = another-index-name

If you do not want to monitor sub-folders of the initial folder (say if you're rotating logs to a sub-folder), you can disable recursion:

# in your $SPLUNK_HOME/etc/apps/TA_Snort3_json/local/inputs.conf file
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
recursive = false

Searching Snort 3 events:

Once your indexer is collecting Snort 3 events, you can search for them simply by searching by sourcetype:

search sourcetype=snort3:alert:json

you can also use the following tags (this could return normalized events from other NIDS's if you have them):

search tag=ids AND tag=attack

Recommended supporting Add-ons:

  • base64: https://splunkbase.splunk.com/app/1922/
    This TA needs to be manually installed (the author has not formally tested it with the newer versions of Splunk, but it seems to work). This TA provides the ability to convert the packet data (stored in the b64_data field) into readable info. in the example below, the 2nd line takes advantage of this new TA to display the data in the packet in a table that's readable:
    sourcetype=snort3:alert:json b64_data = *
    | base64 field=b64_data action=decode mode=replace
    | table gid, sid, priority, class, msg, b64_data

This becomes very helpful when looking at the contents of alerts containing SMTP and FTP data, web URI's, and shell code.

Additional Notes:

The b64_data data field is responsible for most of the data created by the plugin. If you are worried about Splunk license usage, and don't need the packet data, then you can omit this field in the alert_json Snort configuration file snort.lua. In my testing, I have found that 10 MB of log data with all fields enabled (including the b64_data field) contains approximately 10,000 events, while removing the b64_data field fit 15,000 events in 10 MB.

Licensing

This Technology Add-On is released under the GPL v3. Please see the LICENSE file in this folder.

Contacts & Support

This TA is community developed and supported. Therefore: feature requests and bug reports can be submitted at the github respository:
- https://github.com/NDietrich/Splunk-Snort3-TA

Questions about this TA can be posted through Splunk Answers:
- https://answers.splunk.com/index.html

Or can be sent to:
- Noah@SublimeRobots.com

Release Notes

Version 1.0.1
Aug. 12, 2019

Version 1.0.1
Initial release

13
Installs
27
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.