Snort 3 IDS Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Snort is an open source network intrusion detection system (IDS) and intrusion prevention system (IPS). It performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks. It can also be used to detect semantic URL attacks, server message block probes, OS fingerprinting attempts, stealth port scans, and buffer overflows. Snort can be configured in three different modes: packet-capture mode, logging mode, or IDS mode. This pack runs Snort in IDS mode and comes with predefined rules. Snort matches the content of every packet on the networks it monitors against each of these rules.

Supported Versions

  • Snort 3

Requirements

  • Graylog Server with a valid Enterprise license, running Graylog version 5.0+.

  • Snort 3 configured to log in JSON format.

  • Filebeat 7.13+ (ndjson parser).

  • A configured Beats input in Graylog.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Snort IDS Messages"

Hint: If this stream does not exist prior to the activation of this pack, it is created, and messages from this pack are routed to it and to the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Snort IDS Logs"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Snort 3 must be configured to log in JSON format to use this technology pack. Existing logging configurations such as alert_fast can still be used, but the JSON configuration is required to capture detailed event information. Filebeat is used to deliver the JSON logs to Graylog via a Beats input.

Snort 3 Configuration

Configure Snort 3 to log in JSON format. The recommended log paths are /var/log/snort/alert_json.txt (Snort alerts) and /var/log/snort/appid-output.json (AppID alerts). The following snort.lua settings configure both alert and AppID JSON output. If AppID is not used, the appid_listener block can be omitted.

  1. Edit the snort.lua configuration file:

    alert_json =
    {
        -- Fields written for every alert; with file = true the output goes to alert_json.txt in the Snort log directory
        fields = 'timestamp seconds action class b64_data dir dst_addr dst_port eth_dst eth_len eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan b64_data client_bytes client_pkts flowstart_time server_bytes server_pkts',
        file = true,   -- write to a file instead of stdout
        limit = 100,   -- maximum file size in MB before rollover
    }

    -- Optional: omit this block if AppID is not used
    appid_listener =
    {
        json_logging = true,   -- emit AppID events as JSON
        file = "/var/log/snort/appid-output.json",
    }

Filebeat Configuration

Filebeat parses the JSON log files and ships them to Graylog. The paths and fields sections are required. The event_source_product: snort3 field is critical for proper identification and parsing of logs by Illuminate.

  1. Edit the filebeat.yml configuration file:

    filebeat.inputs:
      - type: filestream
        id: snort-filestream
        enabled: true
        paths:
          - /var/log/snort/alert_json.txt
          - /var/log/snort/appid-output.json
        parsers:
          - ndjson:
              # Decoded JSON is nested under the "snort3" key, where Illuminate expects it
              target: "snort3"
              add_error_key: true
              overwrite_keys: true
        # Required: Illuminate identifies Snort 3 messages by this top-level field
        fields:
          event_source_product: snort3
        fields_under_root: true

Hint: If Snort logs are stored in paths other than the defaults shown above, the paths must be updated in both snort.lua and filebeat.yml.

Log Format Examples

Snort 3 logs are delivered in JSON format.

Snort IDS Alert

{ "timestamp" : "04/04-10:36:13.537364", "seconds" : 1680618973, "action" : "allow", "class" : "Attempted User Privilege Gain", "dir" : "S2C", "dst_addr" : "192.168.1.1", "dst_port" : 44661, "eth_dst" : "B1:F1:51:71:31:31", "eth_len" : 227, "eth_src" : "81:B1:91:F1:01:01", "eth_type" : "0x800", "gid" : 1, "iface" : "ens34", "ip_id" : 24269, "ip_len" : 193, "msg" : "PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt", "pkt_gen" : "raw", "pkt_len" : 213, "pkt_num" : 22551641, "priority" : 1, "proto" : "UDP", "rev" : 1, "rule" : "1:57878:1", "service" : "unknown", "sid" : 57878, "src_addr" : "192.168.1.2", "src_ap" : "192.168.1.2:53", "src_port" : 53, "tos" : 0, "ttl" : 61, "udp_len" : 193, "vlan" : 0, "client_bytes" : 91, "client_pkts" : 1, "flowstart_time" : 1680618973, "server_bytes" : 227, "server_pkts" : 1 }

Snort AppID Event

{ "session_num": "0.273", "pkt_time": "2023-04-03 11:54:56.600861", "pkt_num": 77402, "apps": { "service": null, "client": "DNS", "payload": null, "misc": null, "referred": null }, "proto": "UDP", "client_info": { "ip": "192.168.1.1", "port": 59853, "version": null }, "service_info": { "ip": "192.168.1.2", "port": 53, "version": null, "vendor": null }, "user_info": { "id": 0, "username": null, "login_status": "n/a" }, "tls_host": null, "dns_host": "www.google.com", "netbios_info": { "netbios_name": null, "netbios_domain": null }, "http": { "httpx_stream": null, "host": null, "url": null, "user_agent": null, "response_code": null, "referrer": null } }

What is Provided

  • Rules to normalize and enrich Snort 3 log messages (IDS event signatures and AppID).

  • Field extraction, normalization, and message enrichment for Snort 3 log messages.

  • GIM Categorization for IDS and AppID message types.

  • A Snort Spotlight content pack (dashboards and saved search).

GIM Categorization

GIM event type categorization is provided for the following messages:

Snort 3 Log Type   GIM Category   GIM Subcategory
ids                detection      detection.network_detection
appid              network        network.default
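As an added example (not code from the Illuminate pack or from Graylog), the following Python shows how the two record shapes in the Log Format Examples section can be told apart and mapped to the GIM categories in the table above, after Filebeat's ndjson parser has nested the record under "snort3". The shape heuristic in log_type and the output field names are assumptions, not Illuminate's own rules.

```python
import json

# Constructed sample lines, shaped like the two examples on this page (trimmed to the fields used here).
ALERT_LINE = ('{"timestamp":"04/04-10:36:13.537364","seconds":1680618973,"action":"allow",'
              '"class":"Attempted User Privilege Gain","dir":"S2C","dst_addr":"192.168.1.1",'
              '"dst_port":44661,"msg":"PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer '
              'overflow attempt","priority":1,"proto":"UDP","rule":"1:57878:1","gid":1,"sid":57878,'
              '"rev":1,"src_addr":"192.168.1.2","src_port":53}')
APPID_LINE = ('{"session_num":"0.273","pkt_time":"2023-04-03 11:54:56.600861","pkt_num":77402,'
              '"apps":{"service":null,"client":"DNS","payload":null},"proto":"UDP",'
              '"client_info":{"ip":"192.168.1.1","port":59853},'
              '"service_info":{"ip":"192.168.1.2","port":53},"dns_host":"www.google.com"}')

# GIM category / subcategory per Snort 3 log type, taken from the table above.
GIM = {
    "ids": ("detection", "detection.network_detection"),
    "appid": ("network", "network.default"),
}

def log_type(rec):
    """Tell an IDS alert from an AppID event by record shape (assumed heuristic, not Illuminate's rule)."""
    if "rule" in rec and "sid" in rec:
        return "ids"
    if "apps" in rec and "session_num" in rec:
        return "appid"
    return None

def normalize(line):
    """Decode one ndjson line as Filebeat's ndjson parser would (target "snort3"), then enrich it."""
    rec = json.loads(line)
    kind = log_type(rec)
    if kind is None:
        return None  # unknown shape: better left unclassified than mislabelled
    event = {"snort3": rec, "event_source_product": "snort3", "snort_log_type": kind}
    event["gim_event_category"], event["gim_event_subcategory"] = GIM[kind]
    # IDS alerts carry endpoints flat; AppID events nest them under client_info / service_info.
    if kind == "ids":
        event["source_ip"], event["destination_ip"] = rec["src_addr"], rec["dst_addr"]
        event["source_port"], event["destination_port"] = rec["src_port"], rec["dst_port"]
        event["alert_signature"], event["alert_severity"] = rec["msg"], rec["priority"]
    else:
        event["source_ip"], event["source_port"] = rec["client_info"]["ip"], rec["client_info"]["port"]
        event["destination_ip"], event["destination_port"] = rec["service_info"]["ip"], rec["service_info"]["port"]
        event["application_name"] = rec["apps"].get("client") or rec["apps"].get("service")
    return event

if __name__ == "__main__":
    for line in (ALERT_LINE, APPID_LINE):
        print(json.dumps({k: v for k, v in normalize(line).items() if k != "snort3"}, indent=2))
```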

Snort Spotlight Content Pack

The Snort Spotlight content pack contains two dashboards (Snort 3 IDS Overview, Snort 3 AppID Overview) and a saved search (Snort 3 Log Viewer).

Snort IDS Overview

Snort App ID Overview

Saved Search: Snort 3 Log Viewer