Re: Snort and using IDS app with splunk
From: Greg Williams <gwillia5 () uccs edu>
Date: Tue, 7 May 2013 02:14:11 +0000
Yes, I've implemented both the Splunk for Snort App and just fast_alerts. I don't use the Splunk for Snort App much if
at all, but in addition to my MySQL logging for BASE, I have fast_alerts set up for unified2 logging to an alert.log
file, which only fires the alerts. The Splunk forwarder picks them up and sends them to Splunk. I do a lot of analysis
within Splunk with that data, mainly malware tracking and automated alerting based on what malware was seen.
Correlation is also key, based off IP address. I also run scripts from Splunk to send the information to our NAC to
auto-quarantine a system if specific malware is seen and antivirus doesn't take care of it within several minutes.
Feel free to ping me offline if you want more info on the setup. Can't imagine not having Snort alerts going into
IT Security Principal
University of Colorado at Colorado Springs
greg.williams () uccs edu
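One way to build the per-IP correlation Greg describes (alert_fast lines from alert.log, grouped by source address, with a hit threshold inside a short time window before anything is handed to the NAC), as an added example that is not part of this thread or of Snort or Splunk. The alert_fast line layout in the regex, the sample log lines, the SIDs and the threshold values are all assumptions made for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout of one Snort alert_fast line (assumed; field order can differ slightly between Snort versions).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alert.log lines; SIDs are in the local-rule range, not real rule IDs.
SAMPLE_LOG = """\
05/06-14:56:12.101010  [**] [1:1000001:1] LOCAL TROJAN callback seen [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49152 -> 198.51.100.5:80
05/06-14:57:40.202020  [**] [1:1000002:1] LOCAL TROJAN payload download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49153 -> 198.51.100.6:80
05/06-14:58:01.303030  [**] [1:1000003:1] LOCAL SCAN port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.30:40000 -> 198.51.100.7:22
05/06-15:10:05.404040  [**] [1:1000001:1] LOCAL TROJAN callback seen [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.20:51000 -> 198.51.100.5:80
05/06-15:30:00.505050  [**] [1:1000002:1] LOCAL TROJAN payload download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.20:51001 -> 198.51.100.6:80
"""

def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None for lines that do not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # the year is absent in this format
    a["prio"] = int(a["prio"])
    return a

def hosts_to_quarantine(log_text, malware_classes, min_hits=2, window_minutes=5):
    """Source IPs with at least min_hits malware-class alerts inside any window_minutes span."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        a = parse_fast_alert(line)
        if a and a["cls"] in malware_classes:
            by_src[a["src"]].append(a["ts"])
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):  # sliding window over the sorted timestamps
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_hits:
                flagged[src] = hi - lo + 1  # hit count that crossed the threshold
                break
    return flagged
```

With the sample data, only 192.0.2.10 crosses the threshold in a 5-minute window; 192.0.2.20 has two trojan alerts but 20 minutes apart, and 192.0.2.30 only has a non-malware classification.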
From: Josh Bitto [jbitto () onlineschool ca]
Sent: Monday, May 06, 2013 2:56 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and using IDS app with splunk
Hello all... I was wondering if anyone uses Splunk and has a similar setup to what I'm trying to accomplish.
We are using Snort on our pfSense firewall and having the logs sent to our main log server (Splunk). With that being
said, I have been looking at features that Splunk offers, and one of them is an IDS reference app that can pull
information from rule sets. I think for the most part it's just a searchable reference for rules that may fire. Has
anyone used this or have experience with it?
I'm wondering if it's worth the time to implement.