Snort IDS Processing Security Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Hint: The Snort IDS Processing Security Content Pack was first introduced in Illuminate 3.3.

Snort is an open source network intrusion detection (IDS) and intrusion prevention system (IPS). This IDS/IPS system performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks. It also can be used to detect semantic URL attacks, server message block probes, OS fingerprinting attempts, stealth port scans and buffer overflows.

Snort can be configured in three different modes: packet-capture mode, logging mode or IDS mode. This pack runs Snort in IDS mode and comes with predefined rules. Snort will apply the packet content coming over any network it is monitoring to each rule.

Warning: This content pack may be used with Snort 3 only.

Sample Snort Rule

alert icmp any any -> any any (msg:"ICMP flood"; sid:1000001; rev:1; classtype:icmp-event; detection_filter:track by_dst, count 500, seconds 3;)

Supported Versions

Snort can run on Ubuntu and RedHat based Linux versions, FreeBSD, and Fedora.

Stream Configuration

This technology pack includes one stream:

"Illuminate: Snort IDS Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream. Note that in the above example, we are forwarding only the Snort alerts which we are writing to the local5 facility. Alternatively, you could configure it to forward all syslog messages.

Index Set Configuration

This technology pack includes one index set definition:

“Snort IDS Logs”

Hint: If this index set is already defined, nothing will be changed. If this index set does not exist, it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

The default configuration file is /etc/snort/snort.com.

Please refer to Snort’s official website for an installation and configuration guide.

Requirements

In order to use this technology pack, Snort 3 should be configured to log in JSON format. Logging configurations such as alert_fast can be used but a JSON configuration is required to capture detailed event information.

The snort.lua file below can be used for both Snort alerts and AppID alerts. If AppID is not used, those settings can be ignored.

The recommended paths and file names are listed below. If these differ from an existing configuration, the paths and file names will need to be adjusted in the Filebeat configuration.

Snort: /var/log/snort/alert_json.txt
AppID: /var/log/snort/appid-output.json

Additional information regarding AppID, installation, and usage can be found on the Snort documentation page. An example guide for installing and configuring AppID on Linux distributions can be found under the section Snort Setup Guides.

Snort 3 Configuration

snort.lua

Copy

alert_json =
{
        fields = 'timestamp seconds action class b64_data dir dst_addr dst_port eth_dst eth_len eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan b64_data client_bytes client_pkts flowstart_time server_bytes server_pkts',
        file = true,
        limit = 100,
}

Copy

appid_listener =
{
    json_logging = true,
    file = "/var/log/snort/appid-output.json",
}

Because Snort is configured to log in JSON format, a delivery system that can parse each field and deliver them to Graylog is required. This technology pack supports log delivery via Filebeat with a specific configuration of inputs and outputs, identifying logs for parsing and delivery to Graylog for Illuminate processing.

The paths and fields sections are required for this configuration. If the Snort logs are being stored in paths other than those in the following .yml file, these paths must be updated. The event_source_product: snort field is critical for proper identification and parsing of logs.

Filebeat Configuration

Additional information regarding the installation and configuration of Filebeat can be found below:

The following is the default configuration file which can be edited to configure Filebeat.

filebeat.yml

Copy

- type: filestream

  id: snort-filestream

  enabled: true

  paths:
    - /var/log/snort/alert_json.txt
    - /var/log/snort/appid-output.json
  
  parsers:
    - ndjson:
        target: "snort3"
        add_error_key: true
        overwrite_keys: true


  fields:
    event_source_product: snort3
    fields_under_root: true

You can find instructions for sending other syslog daemons into Graylog in this document.

Log Format Example

{ "timestamp" : "04/04-10:36:13.537364", "seconds" : 1680618973, "action" : "allow", "class" : "Attempted User Privilege Gain", "b64_data" : "DHWBgAABAAQAAAAAB3NvbngtZnALbWVkaWFzZWFyY2gHdmVyaXpvbgNjb20AAAEAAcAMAAUAAQAAAEQATDFhYjI2Y2NhMTI0Y2JhNGY1ZDg5Y2MwYzUwOWQ5MjY2NC01Y2U1NzM2MTU5NzEyOTc4A2VsYgl1cy1lYXN0LTEJYW1hem9uYXdzwCjAPQABAAEAAAA5AAQjrk20wD0AAQABAAAAOQAEIsacQcA9AAEAAQAAADkABDRHiMQ=", "dir" : "S2C", "dst_addr" : "192.168.1.1", "dst_port" : 44661, "eth_dst" : "B1:F1:51:71:31:31", "eth_len" : 227, "eth_src" : "81:B1:91:F1:01:01", "eth_type" : "0x800", "gid" : 1, "iface" : "ens34", "ip_id" : 24269, "ip_len" : 193, "msg" : "PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt", "pkt_gen" : "raw", "pkt_len" : 213, "pkt_num" : 22551641, "priority" : 1, "proto" : "UDP", "rev" : 1, "rule" : "1:57878:1", "service" : "unknown", "sid" : 57878, "src_addr" : "192.168.1.2", "src_ap" : "192.168.1.2:53", "src_port" : 53, "tos" : 0, "ttl" : 61, "udp_len" : 193, "vlan" : 0, "b64_data" : "ABCLDKDDHDVBAERY3345112442JhNGY1ZDg5Y2MwYzUwOWQ5MjY2NC01Y2U1NzM2MTU5NzEyOTc4A2VsYgl1cy1lYXN0LTEJYW1hem9uYXdzwCjAPQABAAEAAAA5AAQjrk20wD0AAQABAAAAOQAEIsacQcA9AAEAAQAAADkABDRHiMQ=", "client_bytes" : 91, "client_pkts" : 1, "flowstart_time" : 1680618973, "server_bytes" : 227, "server_pkts" : 1 }

What is Provided

Rules to normalize and enrich Snort 3 log messages.

Snort 3 Log Message Processing

The Illuminate processing of Snort 3 log messages provides the following:

Field extraction, normalization, and message enrichment for Snort 3 log messages (IDS and AppID).
GIM Categorization of the following messages:

Snort 3 Log Type	GIM Category	GIM Subcategory
ids	alert	alert.default
appid	network	network.default

Use Cases

Snort is used to monitor networks for malicious packets and threats. Functioning as either an IDS or IPS, Snort can analyze and compare traffic against thousands of signatures and application detectors to provide a high-level overview of a network.

Examples of what can be monitored using this content pack: Unauthorized hosts or users, misconfigured devices (DNS, hostname, etc.), devices beaconing to malicious IPs, brute force attacks or policy violations.

Sample Snort Rule

Supported Versions

Stream Configuration

Index Set Configuration

Requirements

Snort 3 Configuration

Filebeat Configuration

filebeat.yml

Log Format Example

What is Provided

Snort 3 Log Message Processing

Use Cases

Snort Spotlight Content Pack

Snort 3 Overview

Snort IDS Overview

Snort App ID Overview