Home page logo

snort logo Snort mailing list archives

Re: Snort and using IDS app with splunk
From: Greg Williams <gwillia5 () uccs edu>
Date: Tue, 7 May 2013 02:14:11 +0000

Yes, I've implemented both the Splunk for Snort App and just fast_alerts.  I don't use the Splunk for Snort App much if 
at all, but in addition to my mysql logging for BASE, I have fast_alerts set up for unified2 logging to an alert.log 
file, which only fires the alerts.  Splunk forwarder picks them up and sends them to Splunk.  I do a lot of analysis 
within Splunk with that data.  Mainly malware tracking and automated alerting based on what malware was seen.  
Correlation is also key based off ip address.  I also run scripts from splunk to send the information to our NAC to 
auto quarantine a system if specific malware is seen and antivirus doesn't take care of it within several minutes.  
Feel free to ping me offline if you want more info on the setup.  Can't imagine not having Snort alerts going into 

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure
greg.williams () uccs edu
From: Josh Bitto [jbitto () onlineschool ca]
Sent: Monday, May 06, 2013 2:56 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and using IDS app with splunk

Hello all….I was wondering if anyone uses splunk and have a similar setup to what I’m trying to accomplish.

We are using snort on our pfsense firewall and having the logs sent to our main log server (splunk) with that being 
said… I have been looking at features that splunk offers and one of them is an IDS reference app that can pull 
information from rule sets. I think for the most part it’s just a searchable reference for rules that may fire. Has 
anyone used this or have experience with it?

I’m wondering if it’s worth the time to implement.

Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]