Splunking Snort Logs

Welcome to another tutorial, my security friends! In this tutorial we install the Snort IDS and a Splunk server on a single VPS. If you want to nerd out and get familiar with both of these tools, this is the place to start. We also install the Apache web server so that bots and malicious people try to exploit it and trigger our alerts in Snort.

We will build the VPS with Ubuntu 16.04, 1 CPU and 1 GB of RAM.

Fire up a VPS of choice and install Snort

The script below automates the install. The nano step in the middle of it is interactive; the edits to make there are described after the script.

sudo apt-get -y update

sudo apt-get -y install apache2

# libdumbnet-dev is the Ubuntu package for libdnet, which Snort needs; there is no "libdnet" package to install
sudo apt install -y gcc libpcre3-dev zlib1g-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex

mkdir ~/snort_src && cd ~/snort_src

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

tar -xvzf daq-2.0.6.tar.gz

cd daq-2.0.6

./configure && make && sudo make install

cd ~/snort_src

wget https://distfiles.macports.org/snort/snort-

tar -xvzf snort-

cd snort-

./configure --enable-sourcefire && make && sudo make install

sudo ldconfig

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

sudo groupadd snort

sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

sudo mkdir -p /etc/snort/rules

sudo mkdir /var/log/snort

sudo mkdir /usr/local/lib/snort_dynamicrules

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

sudo chown -R snort:snort /etc/snort

sudo chown -R snort:snort /var/log/snort

sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

sudo touch /etc/snort/rules/white_list.rules

sudo touch /etc/snort/rules/black_list.rules

sudo touch /etc/snort/rules/local.rules

# the configs and .map files live in the etc/ directory of the unpacked source tree
sudo cp ~/snort_src/snort-*/etc/*.conf* /etc/snort

sudo cp ~/snort_src/snort-*/etc/*.map /etc/snort

wget https://www.snort.org/rules/community -O ~/community.tar.gz

sudo tar -xvf ~/community.tar.gz -C ~/

sudo cp ~/community-rules/* /etc/snort/rules

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

###Edit snort config files###

# Interactive step: the HOME_NET, list and include edits are described below the script
sudo nano /etc/snort/snort.conf

# We then delete the community.rules and download a version I uploaded
# to this site, because every rule in the original community.rules is commented out

cd /etc/snort/rules

echo "Getting and Deleting community rules"

sudo rm community.rules

# /etc/snort/rules is owned by snort:snort, so the download needs sudo as well
sudo wget http://www.ethicalredteam.com/scripts/community.rules -O community.rules

sudo snort -T -c /etc/snort/snort.conf

We then need to change HOME_NET from any to the VPS IP address, for example ipvar HOME_NET 203.0.113.10/32 (an illustrative address; use your own). The address will be on ens3 or eth0 depending on your VPS; use ip addr (or ifconfig) if you're not sure.

We then comment out the white_list.rules and black_list.rules variables (WHITE_LIST_PATH and BLACK_LIST_PATH), as we are not going to use them. Also comment out the reputation preprocessor block that reads those two files; if it stays enabled after the variables are gone, the config test below fails.

Snort has many rules you can configure and use but for this purpose and tutorial we will be using the community.rules only.

The sed command in the script commented out every include line at the bottom of snort.conf. Leave local.rules commented out (or delete that line) and uncomment only include $RULE_PATH/community.rules.
Most of the rule includes below it stay commented out; we only want community.rules. You can change this later to suit your needs.

After snort.conf is edited, test it for errors with the following command:

sudo snort -T -c /etc/snort/snort.conf
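The same snort.conf edits, applied with awk instead of by hand in nano so they are repeatable, followed by a check that all of them are in place. This is an added example, not part of the original post or of Snort; the HOME_NET value is illustrative, and the miniature snort.conf built by make_sample_conf is constructed to contain only the lines these edits touch, in the stock layout.

```sh
#!/bin/sh
# Added example (not from the original post): snort.conf edits as code.
# HOME_NET value and temp paths are assumptions; substitute your own.

# configure_snort_conf CONF HOME_NET
#   1. set HOME_NET to the VPS address instead of "any"
#   2. comment out the WHITE_LIST_PATH / BLACK_LIST_PATH vars AND the
#      reputation preprocessor block that references them (leaving the
#      preprocessor enabled after removing the vars makes "snort -T" fail)
#   3. the earlier sed commented out every "include $RULE_PATH" line, so
#      re-enable only community.rules
configure_snort_conf() {
    conf="$1"
    home_net="$2"
    tmp="$conf.tmp"
    awk -v home_net="$home_net" '
        /^ipvar HOME_NET /                        { print "ipvar HOME_NET " home_net; next }
        /^var (WHITE|BLACK)_LIST_PATH /           { print "#" $0; next }
        /^#include \$RULE_PATH\/community\.rules/  { sub(/^#/, ""); print; next }
        /^preprocessor reputation:/               { in_rep = 1 }
        in_rep { print "#" $0; if ($0 !~ /\\$/) in_rep = 0; next }   # block ends at the first line without a trailing backslash
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# verify_snort_conf CONF: exit status 0 only when all three edits are present
verify_snort_conf() {
    conf="$1"
    grep -q '^ipvar HOME_NET [0-9]' "$conf" &&
    ! grep -q '^var WHITE_LIST_PATH' "$conf" &&
    ! grep -q '^preprocessor reputation:' "$conf" &&
    grep -q '^include \$RULE_PATH/community\.rules' "$conf"
}

# make_sample_conf FILE: a constructed miniature snort.conf (the real file is
# much longer; these are the lines the edits touch, in the stock layout)
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
preprocessor frag3_global: max_frags 65536
#include $RULE_PATH/local.rules
#include $RULE_PATH/community.rules
EOF
}

# Demo on the constructed file; 203.0.113.10/32 stands in for the VPS address
sample="${TMPDIR:-/tmp}/snort.conf.sample.$$"
make_sample_conf "$sample"
configure_snort_conf "$sample" 203.0.113.10/32
verify_snort_conf "$sample" && echo "snort.conf edits verified in $sample"
```

On the VPS the real call is sudo sh -c '. ./snortconf.sh; configure_snort_conf /etc/snort/snort.conf <your-ip>/32' (the file is owned by snort:snort), followed by the sudo snort -T -c /etc/snort/snort.conf check above, which is the authoritative test; verify_snort_conf only confirms the text edits landed.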

If everything checks out, we install Splunk with the following commands.

cd /opt/

wget https://download.splunk.com/products/splunk/releases/7.0.1/linux/splunk-7.0.1-2b5b15c4ee89-Linux-x86_64.tgz

tar -zxvf splunk-7.0.1-2b5b15c4ee89-Linux-x86_64.tgz

cd /opt/splunk/bin/

# --accept-license makes the first start non-interactive; Splunk runs as whichever user starts it
./splunk start --accept-license

Once Splunk is running you can log in to the web interface at your VPS IP on port 8000, e.g. 45.XX.88.213:8000.

The default username and password for this release are admin:changeme. Change the password immediately, and because the VPS is internet-facing, restrict port 8000 (and Splunk's management port 8089) to your own IP with a firewall before you walk away.

We then download and install the "Splunk for Snort" app from https://splunkbase.splunk.com/app/340/

Once the Splunk for Snort app is installed we start Snort on the VPS; either of the two commands below works.

Command 1) sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens3

Command 1 prints alerts to the console, which is handy for testing that you actually see Snort alerts; Snort still writes its packet log as snort.log.<timestamp> in /var/log/snort. Ping and nmap the VPS from another system to test that the alarms fire.

Command 2) sudo /usr/local/bin/snort -A full -q -u snort -g snort -c /etc/snort/snort.conf -i ens3

Command 2 writes full-format alerts to /var/log/snort; the file is called "alert" and is the one Splunk will read.

Snort has several alert output modes (fast, full, console, none). We use full in this case, selected by the [-A full] option in command 2.
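Before pointing Splunk at the alert file it is worth confirming that alerts are actually being written and seeing what the full format looks like. The following is an added example, not from the original post or from Snort: two small awk summaries of a full-mode alert file (alerts per signature and per source IP, the same breakdown the Splunk for Snort dashboards show later) plus a constructed sample file in the full-alert layout. The signature IDs, messages and addresses in the sample are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): summarise a "snort -A full"
# alert file from the command line. Sample data below is constructed.
#
# Each full-mode alert is a blank-line separated record:
#   [**] [gid:sid:rev] message [**]
#   [Classification: ...] [Priority: N]
#   MM/DD-HH:MM:SS.usec SRC[:PORT] -> DST[:PORT]
#   <protocol header lines>

# snort_top_signatures FILE: "count<TAB>message", most frequent first
snort_top_signatures() {
    awk 'BEGIN { RS = "" }      # paragraph mode: one record per alert
         {
             split($0, line, "\n")
             if (match(line[1], /\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] /)) {
                 msg = substr(line[1], RSTART + RLENGTH)
                 sub(/ \[\*\*\]$/, "", msg)
                 count[msg]++
             }
         }
         END { for (m in count) printf "%d\t%s\n", count[m], m }' "$1" | sort -rn
}

# snort_top_sources FILE: "count<TAB>source IP", most frequent first.
# IPv4 only: the ":port" suffix is stripped, which would mangle a bare IPv6 address.
snort_top_sources() {
    awk 'BEGIN { RS = "" }
         {
             n = split($0, line, "\n")
             for (i = 1; i <= n; i++) {
                 if (line[i] ~ / -> /) {
                     split(line[i], f, " ")      # f[2] is "src[:port]"
                     split(f[2], ip, ":")
                     count[ip[1]]++
                     break
                 }
             }
         }
         END { for (s in count) printf "%d\t%s\n", count[s], s }' "$1" | sort -rn
}

# make_sample_alerts FILE: constructed alerts in the full-mode layout
make_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
11/16-14:03:21.651032 192.0.2.10 -> 203.0.113.5
ICMP TTL:64 TOS:0x0 ID:41231 IpLen:20 DgmLen:84
Type:8  Code:0  ID:4132  Seq:1  ECHO

[**] [1:1000001:1] WEB-ATTACK php admin scanner (constructed) [**]
[Classification: Web Application Attack] [Priority: 1]
11/16-14:05:02.110421 198.51.100.7:53122 -> 203.0.113.5:80
TCP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:412 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x1F5  TcpLen: 32

[**] [1:1000001:1] WEB-ATTACK php admin scanner (constructed) [**]
[Classification: Web Application Attack] [Priority: 1]
11/16-14:05:02.380911 198.51.100.7:53123 -> 203.0.113.5:80
TCP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x2B3C4D5E  Ack: 0x6F7A8B9C  Win: 0x1F5  TcpLen: 32

[**] [1:1000002:1] SCAN nmap probe (constructed) [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/16-14:06:44.002213 198.51.100.7:40001 -> 203.0.113.5:22
TCP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:44
******S* Seq: 0x00000000  Ack: 0x00000000  Win: 0x400  TcpLen: 24
EOF
}

# Demo on the constructed file
sample="${TMPDIR:-/tmp}/alert.sample.$$"
make_sample_alerts "$sample"
echo "Top signatures:"; snort_top_signatures "$sample"
echo "Top source IPs:"; snort_top_sources "$sample"
```

On the VPS run sudo sh -c '. ./alertsum.sh; snort_top_signatures /var/log/snort/alert' (the file is owned by the snort user). If it is empty after you ping and nmap the box from another host, check the -i interface and HOME_NET in snort.conf before suspecting Splunk.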

Once Snort is confirmed working, we need to set up Splunk to ingest the logs from Snort.

Go to "Settings" > "Data inputs" > "Files & Directories"

Click "New" and enter the log file path, in this case /var/log/snort/alert

Run a ping test against the VPS beforehand so there is data in the file and you can see the logs import correctly. Then select "snort" as the source type!

App context
Application contexts are folders within a Splunk instance that contain configurations for a specific use case or domain of data. App contexts improve manageability of input and source type definitions. Splunk loads all app contexts based on precedence rules.

When Splunk indexes data, each event receives a "host" value. The host value should be the name of the machine from which the event originates. The type of input you choose determines the available configuration options.

Splunk stores incoming data as events in the selected index. Consider using a "sandbox" index as a destination if you have problems determining a source type for your data. A sandbox index lets you troubleshoot your configuration without impacting production indexes. You can always

We set the "App context" to "Splunk for Snort", the host field value to "IDS", and the index to "main".
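The same monitor input can be written as an inputs.conf stanza instead of clicking through the wizard, which makes it easy to re-apply after a rebuild. This is an added example, not from the original post or from the Splunk for Snort app: it writes the stanza with the tutorial's values (source type snort, host IDS, index main) into the app's local/ directory under /opt/splunk (the SplunkforSnort directory name is the one the tutorial uses later), and checks the result. The helper names and the scratch directory are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): the Snort monitor input as
# an inputs.conf stanza. SPLUNK_HOME, app directory and host value follow
# the tutorial; the function names are assumptions of this example.

# write_snort_input SPLUNK_HOME ALERT_FILE HOST_VALUE
# A file in <app>/local/ overrides the app's default/ and survives app
# upgrades, which is why the stanza goes there and not into
# etc/system/local. Prints the path it wrote.
write_snort_input() {
    splunk_home="$1"
    alert_file="$2"
    host_value="$3"
    dir="$splunk_home/etc/apps/SplunkforSnort/local"
    mkdir -p "$dir"
    cat > "$dir/inputs.conf" <<EOF
[monitor://$alert_file]
disabled = false
sourcetype = snort
host = $host_value
index = main
EOF
    echo "$dir/inputs.conf"
}

# check_snort_input INPUTS_CONF ALERT_FILE: exit 0 when the stanza is present
# and carries the source type and index the Splunk for Snort dashboards expect
check_snort_input() {
    conf="$1"
    alert_file="$2"
    grep -q "^\[monitor://$alert_file\]" "$conf" &&
    grep -q '^sourcetype = snort$' "$conf" &&
    grep -q '^index = main$' "$conf"
}

# Demo against a scratch directory standing in for /opt/splunk
scratch="${TMPDIR:-/tmp}/splunk-demo.$$"
written=$(write_snort_input "$scratch" /var/log/snort/alert IDS)
check_snort_input "$written" /var/log/snort/alert && cat "$written"
rm -rf "$scratch"
```

For the real install, call write_snort_input /opt/splunk /var/log/snort/alert IDS as the user Splunk runs as, confirm the merged stanza with /opt/splunk/bin/splunk btool inputs list monitor:///var/log/snort/alert, then /opt/splunk/bin/splunk restart so the input is picked up. Splunk must be able to read /var/log/snort/alert; since that directory is owned by snort:snort, a Splunk instance started as root (as in this tutorial) can, while one running as an unprivileged user needs that user added to the snort group.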

After completing the input we can check that Splunk is receiving and indexing our logs properly.

Everything is looking good; we can see Splunk indexing the data. If we go to the Splunk for Snort app we get a nice GUI of the top signatures, source IPs and so on. We have successfully installed Splunk and Snort!

We now have Splunk and Snort working! The Apache2 server we installed at the start means bots and attackers will go after default web server configurations and logins, giving you more logs to go through and maybe some interesting attacks to find. You might be able to add Dionaea to this as well. Maybe in the future I'll write a post on that.

If you would like to visualize the Snort data on a map, you need to download and install two more apps:

Geo Location Lookup Script (powered by MAXMIND)

Splunk for use with amMap Flash Maps

Once these are installed copy the home_threat_data file from the Ammap app directory to the Splunk for Snort app directory.

cp /opt/splunk/etc/apps/amMap/appserver/static/xml_out/home_threat_data.xml /opt/splunk/etc/apps/SplunkforSnort/appserver/static/xml_out/

There you have it! We can now see the attack map from around the world!