I have some packet logs generated by Snort IDS, and I've forwarded them to Splunk Enterprise using the Universal Forwarder. However, the packet logs are not in a human-readable format. So I want to know whether Splunk can decrypt these logs so that I can analyze them.
The following is the format of Snort packet logs:
Are there any methods to analyze this kind of log? Any help would be great.
Thank You.
Hi billcyz,
there should be 2 possibilities here, but I think nowadays Splunk or any app cannot support either of them.
However, in this case you're trying to decipher SecureShell (ssh) traffic. I guess that's not going to be possible. But, regarding Snort, the most straightforward way to get Snort data into Splunk is using Splunk for Snort (https://splunkbase.splunk.com/app/340/ ). It's CIM compliant, and it will be possible to integrate that info with the Splunk App for Enterprise Security.
Packet log format, in case the picture doesn't show:
07/28-04:49:00.338374 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xA6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60179 IpLen:20 DgmLen:152 DF
***AP*** Seq: 0x42F74FEC Ack: 0x3B664E7E Win: 0x4AD TcpLen: 20
93 07 67 D7 12 42 05 7A C2 D4 30 F2 09 DD 4A 61 ..g..B.z..0...Ja
1D 7E 80 39 27 54 39 9E 02 10 73 79 76 87 E9 60 .~.9'T9...syv..`
E3 89 10 C3 47 FE EC 06 65 D7 6E DC 2A A5 5C 19 ....G...e.n.*.\.
6A 83 4D 7F F8 4F AF 61 F7 DA 8A 7E D4 2A CC 46 j.M..O.a...~.*.F
C8 92 75 3C 7F 79 3E AA 94 AE 5E 06 91 F2 B4 B1 ..u<.y>...^.....
E8 03 25 3F C8 D3 1F 18 E4 56 7C 24 7E AE 9D 64 ..%?.....V|$~..d
6B C7 F6 F4 4C D0 2F D1 CA A1 E2 DD E8 CF AD A4 k...L./.........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/28-04:49:00.339120 00:25:64:B8:5E:8A -> B8:27:EB:A1:E5:78 type:0x800 len:0x3C
172.16.50.2:61909 -> 172.16.50.34:22 TCP TTL:128 TOS:0x0 ID:21636 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3B664E7E Ack: 0x42F7505C Win: 0xFE TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/28-04:49:00.340225 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xB6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60180 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x42F7505C Ack: 0x3B664E7E Win: 0x4AD TcpLen: 20
FF 24 3E B6 57 64 7E D5 7B 6C 24 09 5B AC A0 96 .$>.Wd~.{l$.[...
11 A8 4A D1 FE E5 92 48 8D 8F B7 AF FB 50 10 8D ..J....H.....P..
06 0C 3B 6D 4E 66 0E 25 CD 3D F1 5C 3A ED 3C A3 ..;mNf.%.=.\:.<.
57 DC 09 29 0A 1B B3 76 44 FA CC 35 55 23 AE E0 W..)...vD..5U#..
9F 81 60 60 C2 3C 96 D8 74 69 C0 1E 91 0B A3 68 ..``.<..ti.....h
64 BE D6 3B 44 D7 99 E0 86 74 D7 54 B2 C8 6E 63 d..;D....t.T..nc
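What can be done with this data is to parse the three header lines into fields and treat the hex dump as opaque bytes. The following is an added example written for this thread, not code from Snort, Splunk or either poster. It splits the log on the =+=+ separator lines, extracts the Ethernet, IP and TCP fields with regular expressions, decodes only the fixed-width hex column of each dump line, and then checks each record against its own headers: the dump should contain DgmLen - IpLen - TcpLen bytes, and the Ethernet length should be 14 + DgmLen (or the 60-byte minimum frame when the datagram is shorter). The sample input is copied from the log posted above; its third record is cut off on the page, which the length check reports. Only TCP records are handled, since that is all the posted log contains; the constant names and the dict keys are this example's own choices.

```python
"""Parse Snort's ASCII packet dump (the layout posted in this thread) into
structured records and check every record's lengths against its own headers.
Added example, not code from Snort, Splunk or the poster. SAMPLE is copied from
the log in the post; its last record is cut off on the page and gets flagged."""
import re
from itertools import takewhile

RECORD_SEP = "=+=+"   # Snort prints a line of these between packets
ETH_HDR_LEN = 14      # Ethernet header in front of the IP datagram
ETH_MIN_FRAME = 60    # shorter frames are padded to this (FCS not counted)
HEX_WIDTH = 16 * 3    # hex column is 16 "XX " cells; the ASCII column follows

L1_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([0-9A-F:]{17}) -> ([0-9A-F:]{17}) "
                   r"type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
L2_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ "
                   r"ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(?: (.*))?$")
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) "
                    r"Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)$")

def parse_hex_line(line):
    """Bytes from one dump line. Only the fixed-width hex column is read, and
    decoding stops at the first non-hex token, so the ASCII rendering on the
    right is never mistaken for data."""
    toks = takewhile(lambda t: re.fullmatch(r"[0-9A-Fa-f]{2}", t), line[:HEX_WIDTH].split())
    return bytes(int(t, 16) for t in toks)

def parse_record(lines):
    """One packet: Ethernet line, IP line, TCP line, then hex-dump lines.
    Returns a flat dict, the shape you would want as indexed fields."""
    lines = [l.rstrip() for l in lines if l.strip()]
    m1, m2 = L1_RE.match(lines[0]), L2_RE.match(lines[1])
    m3 = TCP_RE.match(lines[2]) if len(lines) > 2 else None
    if not (m1 and m2 and m2[5] == "TCP" and m3):
        raise ValueError(f"unrecognised or non-TCP record: {lines[:3]!r}")
    pkt = {"ts": m1[1], "src_mac": m1[2], "dst_mac": m1[3], "frame_len": int(m1[5], 16),
           "src_ip": m2[1], "src_port": int(m2[2]), "dst_ip": m2[3], "dst_port": int(m2[4]),
           "ttl": int(m2[6]), "ip_id": int(m2[7]), "ip_len": int(m2[8]), "dgm_len": int(m2[9]),
           "flags": frozenset(m3[1]) - {"*"}, "seq": int(m3[2], 16), "ack": int(m3[3], 16),
           "win": int(m3[4], 16), "tcp_len": int(m3[5]),
           "payload": b"".join(parse_hex_line(l) for l in lines[3:]), "problems": []}
    # Cross-check the dump against the lengths Snort printed in the headers.
    pkt["expected_payload"] = pkt["dgm_len"] - pkt["ip_len"] - pkt["tcp_len"]
    if len(pkt["payload"]) != pkt["expected_payload"]:
        pkt["problems"].append(f"payload is {len(pkt['payload'])} bytes but headers imply "
                               f"{pkt['expected_payload']}: truncated or mangled dump")
    if pkt["frame_len"] != max(ETH_MIN_FRAME, ETH_HDR_LEN + pkt["dgm_len"]):
        pkt["problems"].append(f"frame len {pkt['frame_len']} inconsistent with DgmLen")
    return pkt

def parse_log(text):
    """Split on separator lines and parse each record; a final record without a
    trailing separator (as in the post, which is cut off) is still parsed."""
    records, cur = [], []
    for line in text.splitlines() + [RECORD_SEP]:   # sentinel flushes the last record
        if line.startswith(RECORD_SEP):
            if any(l.strip() for l in cur):
                records.append(parse_record(cur))
            cur = []
        else:
            cur.append(line)
    return records

# Copied from the log posted in the thread; the third record is incomplete there.
SAMPLE = r"""07/28-04:49:00.338374 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xA6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60179 IpLen:20 DgmLen:152 DF
***AP*** Seq: 0x42F74FEC Ack: 0x3B664E7E Win: 0x4AD TcpLen: 20
93 07 67 D7 12 42 05 7A C2 D4 30 F2 09 DD 4A 61 ..g..B.z..0...Ja
1D 7E 80 39 27 54 39 9E 02 10 73 79 76 87 E9 60 .~.9'T9...syv..`
E3 89 10 C3 47 FE EC 06 65 D7 6E DC 2A A5 5C 19 ....G...e.n.*.\.
6A 83 4D 7F F8 4F AF 61 F7 DA 8A 7E D4 2A CC 46 j.M..O.a...~.*.F
C8 92 75 3C 7F 79 3E AA 94 AE 5E 06 91 F2 B4 B1 ..u<.y>...^.....
E8 03 25 3F C8 D3 1F 18 E4 56 7C 24 7E AE 9D 64 ..%?.....V|$~..d
6B C7 F6 F4 4C D0 2F D1 CA A1 E2 DD E8 CF AD A4 k...L./.........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/28-04:49:00.339120 00:25:64:B8:5E:8A -> B8:27:EB:A1:E5:78 type:0x800 len:0x3C
172.16.50.2:61909 -> 172.16.50.34:22 TCP TTL:128 TOS:0x0 ID:21636 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3B664E7E Ack: 0x42F7505C Win: 0xFE TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/28-04:49:00.340225 B8:27:EB:A1:E5:78 -> 00:25:64:B8:5E:8A type:0x800 len:0xB6
172.16.50.34:22 -> 172.16.50.2:61909 TCP TTL:64 TOS:0x10 ID:60180 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x42F7505C Ack: 0x3B664E7E Win: 0x4AD TcpLen: 20
FF 24 3E B6 57 64 7E D5 7B 6C 24 09 5B AC A0 96 .$>.Wd~.{l$.[...
11 A8 4A D1 FE E5 92 48 8D 8F B7 AF FB 50 10 8D ..J....H.....P..
06 0C 3B 6D 4E 66 0E 25 CD 3D F1 5C 3A ED 3C A3 ..;mNf.%.=.\:.<.
57 DC 09 29 0A 1B B3 76 44 FA CC 35 55 23 AE E0 W..)...vD..5U#..
9F 81 60 60 C2 3C 96 D8 74 69 C0 1E 91 0B A3 68 ..``.<..ti.....h
64 BE D6 3B 44 D7 99 E0 86 74 D7 54 B2 C8 6E 63 d..;D....t.T..nc
"""

if __name__ == "__main__":
    for p in parse_log(SAMPLE):
        print(p["ts"], f"{p['src_ip']}:{p['src_port']} -> {p['dst_ip']}:{p['dst_port']}",
              "".join(sorted(p["flags"])), f"payload={len(p['payload'])}B", p["problems"] or "OK")
```

Run as a script, it prints one line per packet; the first two come out clean (the second has no payload and shows the 60-byte padded frame), and the third is reported because only 96 of the 128 payload bytes its headers promise are present. The parsed fields also let you check stream consistency across records: the client's Ack in the second packet equals the server's Seq in the first plus its 112 payload bytes. What the parser deliberately does not do is interpret the payload. The conversation is on port 22, so everything after the SSH key exchange is ciphertext, and neither a log platform nor this script has the session keys; the bytes are kept as opaque data for hashing, sizing or correlating, not for reading. If you ingest this format into Splunk directly rather than via the Snort app, the same separator-based split is what the sourcetype's line breaking has to do, since each event spans several lines.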