Splunking Snort Logs
Welcome to another tutorial my security friends! In this tutorial, we install the Snort IDS and a Splunk server on a VPS. If you want to nerd out and get familiar with both of these tools, this is the place to start! We will install the Apache web server as well so bots and malicious people try to exploit it and trigger our alarms in Snort.
We will use a VPS running Ubuntu 16 with 1 CPU and 1 GB of RAM.
Fire up a VPS of choice and install Snort
We will use the script below to automate everything.
sudo apt-get -y update
sudo apt-get -y install apache2
sudo apt install -y gcc libpcre3-dev zlib1g-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet
mkdir ~/snort_src && cd ~/snort_src
# Build and install the DAQ library first; Snort depends on it
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
# Download the matching Snort 2.9 source tarball from snort.org into ~/snort_src, then build it
cd ~/snort_src
tar -xvzf snort-184.108.40.206.tar.gz
cd snort-*/
./configure --enable-sourcefire && make && sudo make install
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
# Dedicated unprivileged user, group and directories for Snort
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
# Copy the stock configuration and classification maps from the source tree
sudo cp ~/snort_src/snort-*/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-*/etc/*.map /etc/snort
# Fetch the free community rule set
wget https://www.snort.org/rules/community -O ~/community.tar.gz
sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules
# Comment out every rule include; we re-enable only community.rules by hand below
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
### Edit snort config files ###
sudo nano /etc/snort/snort.conf
# We will then delete community.rules and download a version I uploaded
# to this site, because the original community.rules is commented out
echo "Getting and Deleting community rules"
sudo snort -T -c /etc/snort/snort.conf
We will then need to change our HOME_NET IP from any to the VPS IP address. The address will be on ens3 or maybe eth0 depending on your VPS; use ifconfig if you're not sure.
We will then comment out the white_list.rules and black_list.rules, as we are not going to use them.
Snort has many rule sets you can configure and use, but for this tutorial we will use community.rules only.
We will then replace the local.rules include with community.rules.
Notice that most of the rules below are commented out; we only want community.rules. You can change this later to suit your needs.
After snort.conf is configured, test that there are no errors with the following command:
sudo snort -T -c /etc/snort/snort.conf
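The same three snort.conf edits, scripted with sed instead of nano so they are repeatable, as an added example that is not part of the original post. It assumes snort.conf is passed as the first argument and the HOME_NET value as the second; the 203.0.113.10/32 address and the miniature snort.conf it runs against are constructed sample data, and the final `snort -T` check only runs when snort is installed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits
# from the steps above with sed, then validate the result.
# Assumed inputs: $1 = path to snort.conf, $2 = HOME_NET for the VPS
# (203.0.113.10/32 below is a constructed placeholder; use the address
# that ifconfig shows for ens3/eth0).

configure_snort_conf() {
    conf="$1"
    home_net="$2"

    # 1. HOME_NET: "any" -> the VPS address
    sed -i "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" "$conf"

    # 2. white_list/black_list are unused: comment out the path variables and
    #    the whole reputation preprocessor block that references them
    #    (commenting only the last lines of a backslash-continued block breaks it)
    sed -i 's|^\(var WHITE_LIST_PATH\)|#\1|; s|^\(var BLACK_LIST_PATH\)|#\1|' "$conf"
    sed -i '/^preprocessor reputation:/,/black_list\.rules/ s|^|#|' "$conf"

    # 3. swap the (already commented-out) local.rules include for community.rules
    sed -i 's|^#*include \$RULE_PATH/local\.rules|include $RULE_PATH/community.rules|' "$conf"

    # 4. validate with snort -T when snort is installed (skipped otherwise)
    if command -v snort >/dev/null 2>&1; then
        sudo snort -T -c "$conf"
    fi
}

# Constructed miniature snort.conf containing only the lines the edits touch.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
#include $RULE_PATH/local.rules
#include $RULE_PATH/app-detect.rules
EOF
}

# Number of lines in $2 matching the regex $1 (0 when none match).
count_lines() { grep -c -- "$1" "$2" || true; }

# Demo run against the constructed sample instead of /etc/snort/snort.conf
sample=$(mktemp)
write_sample_conf "$sample"
configure_snort_conf "$sample" 203.0.113.10/32
cat "$sample"
```

On the real box, call `configure_snort_conf /etc/snort/snort.conf <your VPS IP>/32` under sudo; grep for `^ipvar HOME_NET` and `^include` afterwards to confirm only community.rules is live before running `snort -T`.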
If everything checks out we will then install Splunk with the following script.
# Download splunk-7.0.1-2b5b15c4ee89-Linux-x86_64.tgz from splunk.com first, then unpack it into /opt and start it
sudo tar -zxvf splunk-7.0.1-2b5b15c4ee89-Linux-x86_64.tgz -C /opt
sudo /opt/splunk/bin/splunk start --accept-license
Once Splunk is installed you can log in to the web interface at your VPS IP on port 8000, e.g. 45.XX.88.213:8000
The default username and password are admin:changeme; you should change the password ASAP, of course.
We will then download the "Splunk for Snort" app located here: https://splunkbase.splunk.com/app/340/
Once the Splunk for Snort app is installed we will start Snort on our VPS. We can use one of 2 commands.
Command 1) sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens3
Command 1 can be used for testing to see whether the Snort alerts appear on the console. It will also save a snort.log file to /var/log/snort. You can ping and nmap the Splunk VPS from another system to test that the alarms fire successfully.
Command 2) sudo /usr/local/bin/snort -A full -q -u snort -g snort -c /etc/snort/snort.conf -i ens3
Command 2 will write full alerts to a log file in /var/log/snort; the file will be named "alert".
Snort has a couple of alert output modes, such as full and fast. We will use full here, selected by the [-A full] option in command 2.
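Before pointing Splunk at /var/log/snort/alert it helps to know what the full format looks like and to confirm alerts are actually being written. The script below, an added example and not part of the original post, parses a full-mode alert file into one row per alert and summarises it by signature and by source IP (the same two breakdowns the Splunk for Snort dashboards show). The alert records it runs on are constructed sample data with made-up SIDs and documentation IP addresses; it handles IPv4 addresses with or without a port suffix.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a Snort "-A full"
# alert file by signature and by source IP. The sample alerts below are
# constructed; SIDs 1000001/1000002 and the 198.51.100.x / 203.0.113.x /
# 192.0.2.x addresses are placeholders, not real hosts.

# Each full-format alert starts with "[**] [gid:sid:rev] message [**]" and
# carries "timestamp src[:port] -> dst[:port]" a couple of lines later.
# Emit a TSV of signature<TAB>src<TAB>dst, one row per alert (IPv4 only).
alerts_to_tsv() {
    awk '
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
            sig = $0
            sub(/^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] /, "", sig)
            sub(/ \[\*\*\]$/, "", sig)
            inalert = 1
            next
        }
        inalert && $3 == "->" {
            split($2, src, ":"); split($4, dst, ":")
            printf "%s\t%s\t%s\n", sig, src[1], dst[1]
            inalert = 0
        }
    ' "$1"
}

# Top signatures and top talkers, most frequent first
count_by_signature() { alerts_to_tsv "$1" | cut -f1 | sort | uniq -c | sort -rn; }
count_by_source()    { alerts_to_tsv "$1" | cut -f2 | sort | uniq -c | sort -rn; }

# Number of alerts whose source IP exactly equals $2
alerts_from() {
    alerts_to_tsv "$1" | awk -F'\t' -v ip="$2" '$2 == ip { n++ } END { print n + 0 }'
}

# Total number of alerts in the file
total_alerts() { alerts_to_tsv "$1" | wc -l | tr -d ' '; }

# Constructed sample of what /var/log/snort/alert contains in full mode:
# two ICMP pings from one host and one TCP alert with ports present.
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:1000001:1] ICMP PING sample [**]
[Classification: Misc activity] [Priority: 3]
03/01-10:15:01.123456 198.51.100.7 -> 203.0.113.10
ICMP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1  Seq:1  ECHO

[**] [1:1000001:1] ICMP PING sample [**]
[Classification: Misc activity] [Priority: 3]
03/01-10:15:02.223456 198.51.100.7 -> 203.0.113.10
ICMP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1  Seq:2  ECHO

[**] [1:1000002:1] WEB 403 response sample [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/01-10:20:45.000001 203.0.113.10:80 -> 192.0.2.55:51234
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:512 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x1F5  TcpLen: 32
EOF
}

# Demo run on the constructed sample; on the VPS pass /var/log/snort/alert instead
sample=$(mktemp)
write_sample_alerts "$sample"
echo "total alerts: $(total_alerts "$sample")"
echo "by signature:"; count_by_signature "$sample"
echo "by source IP:"; count_by_source "$sample"
```

If `total_alerts /var/log/snort/alert` stays at 0 after your ping test, check HOME_NET and the interface name before blaming Splunk: nothing reached the file, so there is nothing for the input to index.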
After you have tested that Snort is working properly, we need to set up Splunk to eat the logs from Snort.
Go to "Settings" > "Data input" > "Files and Directories"
Click on "New" and then input the log file path. In this case it will be /var/log/snort/alert
Make sure to run a ping test against the VPS beforehand so you can see the logs imported correctly. Then select "snort" as the source type!
Application contexts are folders within a Splunk instance that contain configurations for a specific use case or domain of data. App contexts improve manageability of input and source type definitions. Splunk loads all app contexts based on precedence rules
When Splunk indexes data, each event receives a "host" value. The host value should be the name of the machine from which the event originates. The type of input you choose determines the available configuration options.
Splunk stores incoming data as events in the selected index. Consider using a "sandbox" index as a destination if you have problems determining a source type for your data. A sandbox index lets you troubleshoot your configuration without impacting production indexes. You can always
We will set the "App Context" to "Splunk for Snort" with a host field value of "IDS". We then select the index "Main".
After we complete the setup we can check that Splunk is eating and receiving our logs properly.
Everything is looking good; we can see Splunk indexing the data. If we go to the Splunk for Snort app we have a nice GUI of the top signatures, source IPs, etc. We have successfully installed Splunk and Snort!
We now have Splunk and Snort working! You can also install something like Apache2 on top of this so bots and attackers will attack default web server configurations and logins, giving you more logs to go through and maybe find interesting attacks. You might be able to add Dionaea to this as well. Maybe in the future, I'll write a post on that.
If you would like to visualize the Snort data on a Map you need to download and install 2 more apps.
Geo Location Lookup Script (powered by MAXMIND)
Splunk for use with amMap Flash Maps
Once these are installed, copy the home_threat_data file from the amMap app directory to the Splunk for Snort app directory.
cp /opt/splunk/etc/apps/amMap/appserver/static/xml_out/home_threat_data.xml /opt/splunk/etc/apps/SplunkforSnort/appserver/static/xml_out/
There you have it! We can now see the attack map from around the world!