Snort mailing list archives
Re: Snort and using IDS app with splunk
From: Greg Williams <gwillia5 () uccs edu>
Date: Tue, 7 May 2013 02:14:11 +0000
Yes, I've implemented both the Splunk for Snort App and just fast_alerts. I don't use the Splunk for Snort App much if at all, but in addition to my mysql logging for BASE, I have fast_alerts set up for unified2 logging to an alert.log file, which only fires the alerts. Splunk forwarder picks them up and sends them to Splunk. I do a lot of analysis within Splunk with that data. Mainly malware tracking and automated alerting based on what malware was seen. Correlation is also key based off ip address. I also run scripts from splunk to send the information to our NAC to auto quarantine a system if specific malware is seen and antivirus doesn't take care of it within several minutes.

Feel free to ping me offline if you want more info on the setup. Can't imagine not having Snort alerts going into Splunk.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure
greg.williams () uccs edu

________________________________
From: Josh Bitto [jbitto () onlineschool ca]
Sent: Monday, May 06, 2013 2:56 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and using IDS app with splunk

Hello all... I was wondering if anyone uses splunk and has a similar setup to what I'm trying to accomplish. We are using snort on our pfsense firewall and having the logs sent to our main log server (splunk). With that being said... I have been looking at features that splunk offers and one of them is an IDS reference app that can pull information from rule sets. I think for the most part it's just a searchable reference for rules that may fire. Has anyone used this or have experience with it? I'm wondering if it's worth the time to implement.
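The pipeline Greg describes (Snort alert_fast lines in alert.log, picked up by a forwarder, then correlated by IP address and escalated when malware signatures keep firing) can be reproduced in miniature outside Splunk. The following is an added example, not code from the thread, from Snort, or from Splunk: it parses the single-line alert_fast format, groups the "A Network Trojan was detected" alerts by source IP, and returns the hosts that crossed a count-within-window threshold, which is the decision point Greg's NAC script would act on. The log lines, signature IDs (1:9000001 and friends), addresses and the threshold values are all constructed for the example.

```python
"""Correlate Snort alert_fast lines by source IP (added example).

The SAMPLE_LOG below is constructed; SIDs, hosts and addresses are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One alert_fast line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
# The Classification field is optional, and ICMP lines carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

TROJAN_CLASS = "A Network Trojan was detected"

# Constructed sample alert.log content (not real traffic or real rule IDs).
SAMPLE_LOG = """\
05/06-14:56:01.123456  [**] [1:9000001:1] EXAMPLE MALWARE Trojan checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.10:80
05/06-14:56:30.000001  [**] [1:9000002:1] EXAMPLE SCAN Nmap probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:41000 -> 10.0.0.1:22
05/06-14:58:45.654321  [**] [1:9000001:1] EXAMPLE MALWARE Trojan checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49153 -> 203.0.113.10:80
05/06-15:03:10.000000  [**] [1:9000003:2] EXAMPLE MALWARE Beacon DNS query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.5:53011 -> 10.0.0.53:53
05/06-15:20:00.000000  [**] [1:9000001:1] EXAMPLE MALWARE Trojan checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:50000 -> 203.0.113.10:80
this line is not an alert and is skipped by the parser
"""


def parse_alerts(text):
    """Return a list of dicts, one per well-formed alert_fast line.

    alert_fast timestamps carry no year, so strptime fills in 1900; that is
    fine for relative comparisons within one log file.
    """
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the loop
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
        rec["prio"] = int(rec["prio"])
        alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Malware-tracking view: how often did each signature message fire."""
    return Counter(a["msg"] for a in alerts)


def hosts_to_escalate(alerts, min_alerts=2, window=timedelta(minutes=10)):
    """Source IPs with >= min_alerts Trojan-class alerts inside any window.

    This is the correlation step before handing a host to the NAC: a single
    hit is left to antivirus, a cluster of hits in a short span is escalated.
    Uses a sliding window over the sorted timestamps of each source.
    """
    by_src = defaultdict(list)
    for a in alerts:
        if a["cls"] == TROJAN_CLASS:
            by_src[a["src"]].append(a["ts"])
    flagged = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # shrink window from the left until it fits
            if end - start + 1 >= min_alerts:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    print(count_by_signature(parsed))
    print("escalate:", hosts_to_escalate(parsed))
```

On the constructed input, 10.0.0.5 fires three Trojan-class alerts in just over seven minutes and is the only host returned; 10.0.0.7 has one hit and 10.0.0.9 only a scan alert, so neither is escalated. The threshold and window are the knobs that encode the "antivirus doesn't take care of it within several minutes" grace period from the message above.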
Current thread:
- Snort and using IDS app with splunk Josh Bitto (May 06)
- Re: Snort and using IDS app with splunk Greg Williams (May 06)