Configuring Splunk and Snort On Your Home Network

Prerequisites: A Windows/Linux machine capable of running Splunk and Snort. Basic networking knowledge. Basic knowledge of network/port scanning and a machine capable of doing so.

Splunk is a SIEM (Security Information and Event Management) system used widely by Security analysts across the industry. There is a basic version available for free (with a limit of one user account). This is perfect for your home network defensive needs.

So head on over to Splunk’s website to download the latest version of Splunk Enterprise (7.2.6 at the time of this writing). After a sixty day trial your license will convert to a free license.

Ideally you would have an independent server on your network running Splunk 24/7. Running it alongside other tools (e.g., snort) on your personal machine can bog it down and cause other personal programs to run slowly.

1_admin_password

After the installation completes, a browser window should open with a login prompt for Splunk. If the web service didn’t automatically open, navigate to localhost:8000/. Enter the username and password combo that you set during the installation.

Download the “Splunk for Snort” app from splunkbase. This app allows Splunk to search fields relevant to Snort (e.g., source ip/port) as well as show statistics and generate reports.

On the home page of Splunk, click “+ Find More Apps” on the main menu (the left side of the page). Now from the drop down menu in the top-left corner of the screen, click “Manage Apps.” From here we can see all of the apps that are installed and we have the option to install new ones. Click “Install app from file” and upload the Splunk for Snort tar.gz file that was previously downloaded.

Now if you navigate to the main page the Splunk for Snort app should be visible in the main menu.

We are going to configure the IDS (Intrusion Detection System) Snort on our system as well. If you don’t know what that is I’m not quite sure how you found this post but all you need to know is that Snort filters through your network traffic and creates alerts when certain traffic is found. Again, ideally you would have Snort on some machine that is then passing traffic onward to the rest of your network so that you can capture all inbound traffic for analysis. We will add an App to Splunk which will allow it to pull data gathered from Snort. We won’t have to pour over thousands of lines in a text file anymore to analyze potentially dangerous traffic. Download Snort and follow the instructions for installation based on your OS.

Navigate to your Snort rules directory and create a file named sample_rules.conf. Insert the following text into the file and save.

output alert_full: alert.full
alert tcp any any -> any any (msg:"FIN Scan" ; flags: F ; sid:1;)
alert tcp any any -> any any (msg:"Xmas Scan" ; flags: FUP ; sid:2;)
alert tcp any any -> any any (msg:"Null Scan" ; flags: 0 ; sid:3;)

The first line of this conf file formats the output of Snort’s alert log so that the Splunk for Snort App can utilize it properly. This simple rule set will create an alert whenever a FIN, Xmas or Null scan is detected. The purpose of this set is to showcase how Splunk imports Snort data. A much more “full” rule set can always be created afterwards.

Home Page > Add Data > Monitor > Files & Directories and select the folder where Snort stores its alert files. In my case, it’s C:\Snort\log. Add “alert.full” in the whitelist field so that Splunk will only monitor the correct Snort file. Click Next.

4_snort_settings

On the Input Settings page we need to make a few more important configurations. For source type, Splunk for Snort uses two different data types: snort_alert_full and snort_alert_full. In our case we have elected to use the alert_full output format. Click “Select” and enter “snort_alert_full.” Then for App Context, select the Splunk for Snort App. Click Next. Review the settings and click Submit.

If you need to modify these settings in the future (maybe to use the fast alerts instead), navigate to Settings > Data > Data inputs and find the rule.

Now start running Snort on your machine. Issue a command in your terminal similar to the following (you may have to change the file location(s) or network interface).

snort -i1 -l c:\snort\log -c c:\snort\rules\sample_rules.conf

From another machine (in my case, an instance of Kali running in VirtualBox) run FIN, Xmas and Null scans against the machine running Snort. Use the -sF, -sX, and -sN options in nmap respectively.

Back in Splunk, navigate to the Spunk for Snort App and execute a search against the monitored data set (e.g., “null” or “src_port = 192.168.0.17 AND name = “Xmas scan””)

5_scan_search
Searching the data set for null scans

And there you have it! Splunk will now pull in your Snort IDS data and you will be able utilize Splunk’s extensive analytics tools.

7_top_signature_report
Splunk for Snort generates reports like this one — Top 10 signatures

I hope this tutorial helps you out with defending your home network. If you have any questions or comments please post them below!

~ D

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s