Getting Data In

How can I parse Snort logs from pfsense syslog?

TribanMD
New Member

I was able to set Splunk up to configure the reports for the pfsense firewall logs. But I would also like to create a similar report for just the snort logs. Right now they are being sent into the pfsense system log. I can view them by just using the keyword "snort" in the search on the specific source, but I would like to parse out the fields as well. I would like to then try throwing that data into the Google Maps App. Any ideas?


Ok, so the logs are showing up in Splunk from pfsense in the following format:

(snort log alert)

Jan 19 10:53:25 SplunkSourceHost Jan 19 10:53:24 snort[61858]: [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED [Classification: Unknown Traffic] [Priority: 3] {TCP} SRC_IP:PRT -> DST_IP:PORT

Sanitized; after SplunkSourceHost is the log from pfsense. In this case it is the log from the snort service in pfsense. Firewall logs look like this:

(pfSense firewall block)

Jan 19 15:34:29 SplunkSourceHost Jan 19 15:34:28 pf: 00:00:10.461152 rule 1/0(match): block in on em0: (tos 0x20, ttl 95, id 256, offset 0, flags [none], proto TCP (6), length 40)
Jan 19 15:34:29 SplunkSourceHost Jan 19 15:34:28 pf:     SRC_IP.PORT > DST_IP.PORT: Flags [S], cksum 0x4302 (correct), seq 1609564160, win 16384, length 0

I used the guide here http://www.seattleit.net/blog/tag/pfsense/ to configure the transforms and props files. I imagine I would need to do something similar to format the snort logs. Just not sure how.

Thanks for any help you can provide.


sbrant_splunk
Splunk Employee

Add the following to your configuration files for pfsense:

------- transforms.conf

###### snort ######

[force_sourcetype_for_snort]
DEST_KEY = MetaData:Sourcetype
REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+[^\s]+\s+snort\[\d+\]\:
FORMAT = sourcetype::snort

[category_for_snort]
REGEX = Classification\:\s+([^\]]+)
FORMAT = category::"$1"

[dest_ip_for_snort]
REGEX = \-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = dest_ip::$1

[dest_port_for_snort]
REGEX = \-\>\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = dest_port::$1

[pid_for_snort]
REGEX = snort\[(\d+)
FORMAT = pid::$1

[severity_id_for_snort]
REGEX = Priority\:\s+(\d+)
FORMAT = severity_id::$1

[signature_for_snort]
REGEX = snort\[\d+\]\:\s+\[[^\]]+\]\s+(.*?)(\s+\[Classification|\[Priority)
FORMAT = signature::"$1"

[signature_id_for_snort]
REGEX = snort\[\d+\]\:\s+\[([^\]]+)
FORMAT = signature_id::"$1"

[src_ip_for_snort]
REGEX = \{\w+\}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = src_ip::$1

[src_port_for_snort]
REGEX = \{\w+\}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = src_port::$1

[transport_for_snort]
REGEX = \{([^\}]+)
FORMAT = transport::$1

------- props.conf

# --- May need to change this source, depending on how you're collecting the data
[source::udp:514]
TRANSFORMS-force_sourcetype_for_snort = force_sourcetype_for_snort

[snort]
SHOULD_LINEMERGE=false
REPORT-category_for_snort = category_for_snort
REPORT-dest_ip_for_snort = dest_ip_for_snort
REPORT-dest_port_for_snort = dest_port_for_snort
REPORT-pid_for_snort = pid_for_snort
REPORT-severity_id_for_snort = severity_id_for_snort
REPORT-signature_for_snort = signature_for_snort
REPORT-signature_id_for_snort = signature_id_for_snort
REPORT-src_ip_for_snort = src_ip_for_snort
REPORT-src_port_for_snort = src_port_for_snort
REPORT-transport_for_snort = transport_for_snort

sbrant_splunk
Splunk Employee

Do you have Splunk listening on port 514? If so, the first stanza in props.conf should force the sourcetype of snort on just the snort logs from the input.


sbrant_splunk
Splunk Employee

Yep, you're right. I just changed them around.


TribanMD
New Member

Are the confs reversed? My current props has the reports/transforms data while my transforms has the regexes and such (for the pfsense-firewall sources). Also, another problem is that I can't seem to send pfsense snort data separately; it's all or nothing, so all logs come over syslog from pfsense. Otherwise I could use the Snort for Splunk app.


TribanMD
New Member

Posted, let me know if you are looking for something different. Thanks!


Ayn
Legend

Log samples please?
