All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to analyze packet logs generated by Snort ?

billcyz
Engager
‎07-27-2015 08:51 PM

I have some packet logs generated by Snort IDS, and I've forwarded them to Splunk Enterprise by using Universal Forwarder. However, packet logs are not in human readable format. So I want to know can Splunk do decryption of these logs so that I can analyze them?

The following is the format of Snort packet logs:
alt text

Are there any methods to analyze this kind of log? Any help would be great.
Thank You.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jdanij
Path Finder
‎07-27-2015 11:14 PM

Hi billcyz,

there should be 2 possibilities here, but I think nowadays Splunk or any APP cannot support any of them.

  1. Decription. It's not easy to do this, only as far as I know, only some HTTPS proxies (Squid: http://wiki.squid-cache.org/Features/SslBump) can do something like a MITM, decript data, generate a self-signed certificate and use some mimic technique to be like the original one. But, still with possibility, I don't know any procedure to take the data out of Squid and analyze the raw data.
  2. Draw a packet in a human readable way, like Wireshark, for example. It's only possible with raw traffic, not SSL. And, anyway, I don't know how can Splunk can do this. I don't know any app or method.

However, in this case you're trying to decipher SecureShell (ssh) traffic. I guess it's not going to be possible. But, regarding Snort, the most straightforward way to get Snot data into Splunk is using Splunk for Snort (https://splunkbase.splunk.com/app/340/ ). It's CIM compliant and will be possible to integrate that info with Splunk App for Enterprise Security.

View solution in original post

Reply
Solved! Jump to solution
Solution

jdanij
Path Finder
‎07-27-2015 11:14 PM

Hi billcyz,

there should be 2 possibilities here, but I think nowadays Splunk or any APP cannot support any of them.

  1. Decription. It's not easy to do this, only as far as I know, only some HTTPS proxies (Squid: http://wiki.squid-cache.org/Features/SslBump) can do something like a MITM, decript data, generate a self-signed certificate and use some mimic technique to be like the original one. But, still with possibility, I don't know any procedure to take the data out of Squid and analyze the raw data.
  2. Draw a packet in a human readable way, like Wireshark, for example. It's only possible with raw traffic, not SSL. And, anyway, I don't know how can Splunk can do this. I don't know any app or method.

However, in this case you're trying to decipher SecureShell (ssh) traffic. I guess it's not going to be possible. But, regarding Snort, the most straightforward way to get Snot data into Splunk is using Splunk for Snort (https://splunkbase.splunk.com/app/340/ ). It's CIM compliant and will be possible to integrate that info with Splunk App for Enterprise Security.

Reply
Solved! Jump to solution

billcyz
Engager
‎07-27-2015 09:06 PM

Packet logs format in case of the picture can't show:

07/28-04:49:00.338374 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xA6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60179 IpLen:20 DgmLen:152 DF
***AP*** Seq: 0x42F74FEC  Ack: 0x3B664E7E  Win: 0x4AD  TcpLen: 20
93 07 67 D7 12 42 05 7A C2 D4 30 F2 09 DD 4A 61  ..g..B.z..0...Ja
1D 7E 80 39 27 54 39 9E 02 10 73 79 76 87 E9 60  .~.9'T9...syv..`
E3 89 10 C3 47 FE EC 06 65 D7 6E DC 2A A5 5C 19  ....G...e.n.*.\.
6A 83 4D 7F F8 4F AF 61 F7 DA 8A 7E D4 2A CC 46  j.M..O.a...~.*.F
C8 92 75 3C 7F 79 3E AA 94 AE 5E 06 91 F2 B4 B1  ..u<.y>...^.....
E8 03 25 3F C8 D3 1F 18 E4 56 7C 24 7E AE 9D 64  ..%?.....V|$~..d
6B C7 F6 F4 4C D0 2F D1 CA A1 E2 DD E8 CF AD A4  k...L./.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/28-04:49:00.339120 00:25:64:B8:5E:8A -> B8:27:EB:A1:E5:78 type:0x800 len:0x3C
172.16.50.2:61909 -> 172.16.50.34:22 TCP TTL:128 TOS:0x0 ID:21636 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3B664E7E  Ack: 0x42F7505C  Win: 0xFE  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/28-04:49:00.340225 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xB6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60180 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x42F7505C  Ack: 0x3B664E7E  Win: 0x4AD  TcpLen: 20
FF 24 3E B6 57 64 7E D5 7B 6C 24 09 5B AC A0 96  .$>.Wd~.{l$.[...
11 A8 4A D1 FE E5 92 48 8D 8F B7 AF FB 50 10 8D  ..J....H.....P..
06 0C 3B 6D 4E 66 0E 25 CD 3D F1 5C 3A ED 3C A3  ..;mNf.%.=.\:.<.
57 DC 09 29 0A 1B B3 76 44 FA CC 35 55 23 AE E0  W..)...vD..5U#..
9F 81 60 60 C2 3C 96 D8 74 69 C0 1E 91 0B A3 68  ..``.<..ti.....h
64 BE D6 3B 44 D7 99 E0 86 74 D7 54 B2 C8 6E 63  d..;D....t.T..nc
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...