Version: 1.2
Date: 25.03.2010
Page 1/24
Change log

No.  Date        Version  Author  Comment
1    25.03.2010  1.0      Sznyi   Create Document
Login to Splunk
Seite 4/24
Go directly from your App to Manager -> Indexes. This is important: the index must be created from within your App so that the new index is associated with (matches) your App.
6 Create 3 new important Fields for your App (Sample Snort App)
snort_message
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20
First, copy and paste all messages (the yellow-marked ones) into the Example values box and click Generate (see picture).
Now you have a generated regex for your field, (?im)^(?:[^ ]* ){2}(?P<FIELDNAME>.*?)\s+\[ , but you can see in the picture that this regex also matches other text in your log: it only skips two space-separated tokens and then captures lazily up to the next "[", which is not specific to the first line of an alert.
Save your new field: press the Save button and save the field as snort_message (see picture).
snort_classification
Example values: the same sample alert as above.
Regex = (?i)\[Classification: (?P<FIELDNAME>[^\]]*)(?=\])
snort_priority
Example values: the same sample alert as above.
Regex = (?i)\[Priority:\s+(?P<FIELDNAME>[^\]]*)(?=\])
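The following is an added example, not code from the original how-to or from Splunk: it runs the three field regexes above (the snort_message regex as generated by the field extractor, snort_classification and snort_priority) over constructed Snort full-format alerts with Python's re module, which understands the same (?P<name>...) groups and inline (?i)/(?m) flags that Splunk displays. The sample alerts are constructed (the first is the one in this document, the second is made up in the same format), and the TIGHT_MESSAGE regex is my own replacement for the generated one, not the regex the author saved.

```python
"""Added example (not from the original how-to): test the field regexes
shown in the document against constructed Snort alerts, per event, and
compare the generated snort_message regex with an anchored alternative.
"""
import re

# Constructed sample data: two alerts in Snort's full alert format,
# separated by a blank line. Not captured from a real sensor.
SAMPLE_ALERTS = """\
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20

[**] [1:2000001:1] ICMP PING sample (constructed) [**]
[Classification: Misc activity] [Priority: 3]
03/25-10:12:01.000001 10.1.1.50 -> 10.1.1.172
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
"""

# Regexes exactly as the document shows them. FIELDNAME is the placeholder
# group name the field extractor uses before you save the field under its
# real name.
GENERATED_MESSAGE = r"(?im)^(?:[^ ]* ){2}(?P<FIELDNAME>.*?)\s+\["
CLASSIFICATION = r"(?i)\[Classification: (?P<FIELDNAME>[^\]]*)(?=\])"
PRIORITY = r"(?i)\[Priority:\s+(?P<FIELDNAME>[^\]]*)(?=\])"

# Assumed replacement (mine, not the document's): anchor on the literal [**]
# and the [gid:sid:rev] token so only an alert's first line can match and
# the message cannot run past the closing [**].
TIGHT_MESSAGE = r"(?m)^\[\*\*\] \[\d+:\d+:\d+\] (?P<FIELDNAME>.+?) \[\*\*\]$"

FIELDS = {
    "snort_message_generated": GENERATED_MESSAGE,
    "snort_message_tight": TIGHT_MESSAGE,
    "snort_classification": CLASSIFICATION,
    "snort_priority": PRIORITY,
}


def split_events(text):
    """One event per alert. Splunk applies field extractions per event, so
    the regexes are tested per alert, not over the whole file; a blank line
    separates alerts here (a convention of this constructed sample)."""
    return [e for e in text.strip().split("\n\n") if e.strip()]


def extract_fields(event, regexes=FIELDS):
    """Apply each regex to one event and return every value its FIELDNAME
    group captures, so over-matching shows up as extra values."""
    return {
        name: [m.group("FIELDNAME") for m in re.finditer(rx, event)]
        for name, rx in regexes.items()
    }


def run(text=SAMPLE_ALERTS):
    """Extract all four fields from every event in text."""
    return [extract_fields(event) for event in split_events(text)]


if __name__ == "__main__":
    for number, fields in enumerate(run(), start=1):
        print(f"event {number}")
        for name, values in fields.items():
            print(f"  {name:24} {values}")
```

On the first event the generated regex returns two values, the real message and the spurious "Denial of Service]" taken from the Classification line; that is the over-match visible in the picture, and the anchored version returns only the message. When you press Save, Splunk stores each extraction as an EXTRACT-... setting in the App's props.conf, so a regex can also be corrected there by hand.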
Save the search: go to the Actions button and choose Save search... (see picture).
- A new window appears; name the search Snort Alerts Last 4 Hours (see picture) and save it.
Name the saved report Snort Top messages overall and save it.
Launch your new App, press the Actions button and select Create new dashboard...
Build your first panel, name it Snort Priorities in the last 24 Hours (see picture) and press Add panel.
Add the next panel, Snort Top messages overall (see picture).
Add the last panel, Snort Alerts Last 4 Hours (see picture), and close.
LAST POINT: do not forget to give other people access to your new App and to its index, searches, reports and dashboards. Splunk grants this per role, so give access only to the roles that actually need to see the Snort data.