
Snort 2.9.0.4 + Splunk 4.2 Splunk for Snort not showing any data

mawillford
New Member

Looking for assistance in getting data into the Splunk for Snort app. My Universal Forwarder on my Snort box is sending "snort_alert_full" data into Splunk which it is changing over to sourcetype=snort, which is by design. My main search page shows the Snort alert data when filtering by Snort sourcetype but no data in the Splunk for Snort app.
Thanks!


mawillford
New Member

Problem solved. The output was for cooked data on that port. I ended up making changes to inputs.conf and outputs.conf.

inputs.conf

# Monitor the Snort full-alert file and tag it with the sourcetype the
# Splunk for Snort app expects (underscores, no spaces)
[monitor:///var/log/snort/alert.full]
disabled = false
sourcetype = snort_alert_full

outputs.conf

# Global tcpout settings (the two [tcpout] stanzas merged into one)
[tcpout]
defaultGroup = splunk
maxQueueSize = 500KB

# Target group: the Splunk box, receiving on port 514
[tcpout:splunk]
disabled = false
server = xxx.xxx.xxx.xxx:514
compressed = false


mawillford
New Member

Thanks Ayn. After looking at the data, this appears to be more of an Nmap output. I will perform a pcap on the Splunk box to see what I am getting.


Ayn
Legend

That sample event looks really weird - some problem with the formatting just in the comment perhaps? Perhaps you could include the sample event in the answer itself to remediate the formatting issue. If your event really does look like that you're having some serious problems with your Snort logs 😉


mawillford
New Member

I have not tried it with Snort 2.8, unfortunately. From what I have read, the output for alerts has not changed in 2.9. Below is a sample event. Also, as an FYI, I set up the Universal Forwarder to send via TCP port 514, as well as the Splunk input, for isolation. Thanks for the help!

\x16\x3\x00\x00D\x1\x00\x00@\x3\x00M\xEF\xAA:\xAC\x13s\xA9\xC6\xB\xEA\xEB$\xA3\x88\xF5=HIe\xCBC`\xA5\xEF\xC1\xA4_\xF8 \xA2F\x00\x00\x18\x009\x008\x005\x003\x002\x00/\x00\x16\x00\x13\x00\x00\x5\x00\x4\x00\xFF\x2\x1\x00
host=snort.admin.xxx.xxxx.com | sourcetype=snort | source=tcp:514

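The "cooked data on that port" diagnosis in the solution post and the binary sample event in the post above both come down to one question: what bytes is the receiver actually getting on tcp:514? Below is an added example, not code from the original thread or from Splunk, that does the triage the poster planned to do with a pcap. It classifies the first bytes of a captured payload as Splunk's cooked (S2S) forwarder protocol, a TLS record, or plain Snort alert_full text, and decodes the fixed fields of a TLS ClientHello. The sample payloads are constructed for the example; the `--splunk-cooked-mode-v` prefix is the banner a forwarder sends in cooked mode as I understand it, and the Snort header pattern is an assumption about the first line of an alert_full event. Read as a TLS record, the posted hex dump (16 03 00 00 44 01 00 00 40 03 00 ...) is an SSL 3.0 handshake record carrying a 64-byte ClientHello: a TLS client, a scanner for instance, handshaking with the port rather than forwarder data.

```python
"""Triage of what is actually arriving on a raw TCP input port.

Added example, not from the Splunk Answers thread or from Splunk itself.
All sample payloads below are constructed for the example.
"""
import re
import struct

# Banner a Splunk forwarder sends in cooked mode (assumption: this is the
# "--splunk-cooked-mode-v3--" string that shows up when S2S data lands on
# a raw tcp:// input instead of a splunktcp:// input).
S2S_SIGNATURE = b"--splunk-cooked-mode-v"

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

# Assumed first line of a Snort alert_full event: "[**] [gid:sid:rev] msg [**]"
SNORT_ALERT_HEADER = re.compile(rb"\A\[\*\*\] \[\d+:\d+:\d+\] .+? \[\*\*\]")


def classify_payload(data: bytes) -> str:
    """Say what protocol the first bytes of a TCP payload look like."""
    if data.startswith(S2S_SIGNATURE):
        return "splunk-cooked"          # needs a splunktcp input, not tcp
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and (data[1], data[2]) in TLS_VERSIONS):
        return "tls-" + TLS_CONTENT_TYPES[data[0]]
    if SNORT_ALERT_HEADER.match(data):
        return "snort-alert-full"       # plain text, raw tcp input is fine
    return "unknown"


def parse_client_hello(data: bytes) -> dict:
    """Decode version, cipher suites and compression from a ClientHello record."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    if len(data) < 5 + rec_len or rec_len != hs_len + 4:
        raise ValueError("truncated or inconsistent record length")
    body = data[9:9 + hs_len]
    version = TLS_VERSIONS.get((body[0], body[1]), f"unknown {body[0]}.{body[1]}")
    pos = 2 + 32                                 # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                           # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1
    comps = list(body[pos:pos + comp_len])
    return {"version": version, "cipher_suites": suites, "compression": comps}


def build_client_hello(version=(3, 0),
                       suites=(0x0039, 0x0038, 0x0035, 0x002F, 0x0004, 0x00FF),
                       comps=(1, 0)) -> bytes:
    """Construct a minimal SSL3/TLS ClientHello record (no extensions) for testing."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(comps)]) + bytes(comps)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a cooked-mode banner, a ClientHello, and a Snort alert_full event.
S2S_SAMPLE = b"--splunk-cooked-mode-v3--\x00\x00\x00\x00"
TLS_SAMPLE = build_client_hello()
SNORT_SAMPLE = (b"[**] [1:1000001:1] TEST local rule [**]\n"
                b"[Classification: Potentially Bad Traffic] [Priority: 2]\n"
                b"01/01-12:00:00.000000 10.0.0.5:80 -> 10.0.0.9:51234\n"
                b"TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:100 DF\n")

if __name__ == "__main__":
    for name, sample in (("s2s", S2S_SAMPLE), ("tls", TLS_SAMPLE), ("snort", SNORT_SAMPLE)):
        print(name, classify_payload(sample))
    print(parse_client_hello(TLS_SAMPLE))
```

To use it on a real capture, feed the first TCP payload of a flow (for example the bytes after the handshake in a `tcpdump -w` file read with your pcap library of choice) to `classify_payload`. A `splunk-cooked` result means the forwarder is speaking S2S and the receiving input must be `[splunktcp://port]` (or the forwarder must send raw data); a `tls-handshake` result means something other than the forwarder is connecting to the port.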

Ayn
Legend

Is this issue specific to Snort 2.9.0.4 (meaning it has worked with other versions)? Could you paste an anonymized sample event from your snort_alert_full logs?
