disect Systems

Logging Snort alerts to Syslog and Splunk

PRAVEEN DARSHANAM

INTRODUCTION

Snort is an open source network Intrusion Detection and Prevention System (IDS/IPS) developed by Martin Roesch, capable of performing real-time traffic analysis. Sourcefire is the commercial version of Snort, recently acquired by Cisco Systems. Snort is widely deployed in both the public and private sectors, and many commercial products use Snort for their IDS/IPS functionality. Snort provides various logging mechanisms such as console, file, database and syslog. The Snort configuration file is located at /etc/snort/snort.conf. In this article we are going to see how Snort alerts can be logged to the syslog service and to Splunk.

rsyslog CONFIGURATION

Modify the syslog configuration file /etc/rsyslog.conf by uncommenting

    $ModLoad imudp
    $UDPServerRun 514

and adding the line below at the end of the configuration file:

    *.* @<syslog_server_ip>:<syslog_server_port>

E.g.

    *.* @192.168.30.1:514

where 192.168.30.1 is the syslog server IP address and UDP/514 is the port on which the syslog server runs. The first two lines make rsyslogd accept messages over UDP/514; the last line forwards everything it receives to the remote syslog server. *.* says log all types of messages (use *.alert to log only alerts).

Once the configuration is done, restart rsyslogd using

    sudo /etc/init.d/rsyslog restart

Make sure to stop the firewall or add a rule allowing traffic on port UDP/514.

Figure: Machine where syslog and Snort run

snort CONFIGURATION

In the Snort configuration file located at /etc/snort/snort.conf, search for syslog and add the following line below it:

    output alert_syslog: host=<syslog_server_ip>:<syslog_server_port>, LOG_AUTH LOG_ALERT

E.g.

    output alert_syslog: host=192.168.30.1:514, LOG_AUTH LOG_ALERT

Figure: snort and rsyslog configurations

Start Snort by executing the command below:

    sudo snort -c /etc/snort/snort.conf -i eth0

where -c specifies the Snort configuration file and -i the interface on which Snort should sniff packets.

When Snort detects malicious traffic, or when PCAPs containing malicious traffic are replayed on the interface where Snort is running, Snort generates alerts and logs them to rsyslogd on Linux, which in turn redirects them to the Kiwi Syslog Server on a Windows 7 Enterprise machine (192.168.30.1).

NOTE: snort and rsyslog are running on the same Linux box (192.168.30.171).

Figure: syslog alerts on Kiwi Syslog Server

If we don't see syslog alerts on the Kiwi Syslog Server, run Wireshark on the machine where Snort is running and also on the machine where the Kiwi Syslog Server is running. Sometimes we see that alerts are sent properly but the Kiwi Syslog Server doesn't receive them; the reason might be a firewall blocking port 514 or a misconfigured IP address in the snort/syslog configuration files.

Figure: syslog alerts as seen by Wireshark

splunk CONFIGURATION

Splunk monitors and analyses everything generated by websites, applications, servers, networks, mobile devices and all the sensors and RFID assets that produce data every second of every day. This type of machine-generated data is massive in scale and contains a definitive record of transaction activity, system behaviour, application performance, user actions, security threats and fraudulent activity.

To redirect syslog alerts to Splunk, replace the Kiwi Syslog Server mentioned above with Splunk, configured as follows. On the top right corner of the Splunk window you will see the Manager tab; click it and follow one of these paths:

a. Manager -> Data Inputs -> UDP -> New
b. Manager -> Data Inputs -> Add Data -> syslog -> Consume syslog over UDP

There are other ways to do the same syslog configuration on Splunk; see the snapshot for an example.

Figure: syslog configuration on Splunk

Checking the box with the "More settings" option, we can set options such as accepting data only from specific IP addresses. A successfully configured Splunk should start listening on UDP/514 as shown below.

Figure: splunk running on UDP/514

To see the alerts on Splunk, click on App on the top right corner of the window; a drop-down menu appears, click on Search.

Figure: syslog alerts on Splunk

We can also import alerts into Splunk from different files and apply analytics. Splunk also provides various APIs to process the data.
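As an added example (not part of the original article), the following Python script parses Snort alert_syslog messages in the form rsyslog forwards them, so the alerts arriving at Kiwi or Splunk can be checked field by field (signature, priority, protocol, endpoints, and the LOG_AUTH/LOG_ALERT facility and severity configured above), and it includes a tiny UDP listener that can stand in for the syslog server while verifying the UDP/514 path. The sample lines, host names and PIDs are constructed, and the parser assumes the Snort 2.x alert_syslog message layout.

```python
import re
import socket
from collections import Counter
# Assumed Snort 2.x alert_syslog body as relayed by rsyslog's default forwarding format:
#   <PRI>Mon DD HH:MM:SS host snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# [Classification: ...] is absent when the rule has no classtype; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?.*?snort(?:\[\d+\])?:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOG_AUTH = 4  # facility number behind the LOG_AUTH keyword in snort.conf

def parse_snort_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("pri", "gid", "sid", "rev", "priority", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    if d["pri"] is not None:  # <PRI> = facility * 8 + severity
        d["facility"], d["severity"] = d["pri"] >> 3, SEVERITY[d["pri"] & 7]
    return d

def summarize(lines):
    """Per-signature counts, the number of Snort priority-1 (highest) alerts, and alerts not tagged LOG_AUTH."""
    alerts = [a for a in map(parse_snort_alert, lines) if a]
    return {"total": len(alerts),
            "high": sum(1 for a in alerts if a["priority"] == 1),
            "by_sid": Counter(a["sid"] for a in alerts),
            "wrong_facility": [a["sid"] for a in alerts if a.get("facility") not in (None, LOG_AUTH)]}

def listen(host="0.0.0.0", port=514):
    """Tiny UDP syslog receiver standing in for Kiwi/Splunk while testing the path (port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (peer, _) = sock.recvfrom(8192)
            print(peer, parse_snort_alert(data.decode(errors="replace")) or data)
# Constructed sample lines, not captured from the article's lab; <33> = LOG_AUTH (4) * 8 + LOG_ALERT (1).
SAMPLE_LINES = [
    "<33>Aug 10 12:00:01 snortbox snort[2210]: [1:1000001:1] ICMP test [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.30.171 -> 192.168.30.1",
    "<33>Aug 10 12:00:02 snortbox snort[2210]: [1:1000002:2] Outbound connection to blocked port [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.30.171:49152 -> 203.0.113.10:443",
    "<33>Aug 10 12:00:03 snortbox snort[2210]: [1:1000003:1] rule without classtype [Priority: 3] {UDP} 192.168.30.5:5353 -> 192.168.30.255:5353",
    "<38>Aug 10 12:00:04 snortbox sshd[900]: Accepted publickey for admin from 192.168.30.1 port 50000 ssh2",
]
```

Running summarize(SAMPLE_LINES) gives three parsed Snort alerts (the sshd line is ignored), one of them priority 1, all tagged with facility LOG_AUTH as configured in snort.conf.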