Forwarding Snort Live Logs To Splunk.

To forward live Snort logs to Splunk we need to follow the four main steps below.

1) Splunk Port Configuration.
2) Firewall Setup.
3) Download Splunk Forwarder in Kali.
4) Steps to forward Snort live logs to Splunk.


1) Splunk Port Configuration

Step 1:- Go to https://127.0.0.1:8000 (Splunk Web on the machine where Splunk is installed).

Step 2:- Click on "Settings", select "Add Data", and then select "Forwarding & Receiving".


Step 3:- Under "Receive data", click on "Configure Receiving".


Step 4:- Add port number 9997.

        {9997 is the default Splunk receiving port number}

Now you can see that the receiving port has been added successfully.

Step 5:- Click on "Apps" and then select "Find More Apps".


Step 6:- Search for "snort" and then install "Snort Alert for Splunk".


Step 7:- It will ask you for a username and password; use the same username and password as your Splunk account, and then click on "Login and Install".



2) Firewall Setup

Step 1:- Go to the Windows Control Panel and open Windows Firewall.


Step 2:- Click on "Advanced Settings".


Step 3:- Click on "Inbound Rules" and then click on "New Rule".


Step 4:- The "Rule Type" page will open. Select "Port" and then click on the "Next" button.


Step 5:- Select "TCP", choose "Specific local ports", enter "9997", and then click on the "Next" button.

        {9997 is the default Splunk receiving port number}


Step 6:- Select "Allow the connection" and click on the "Next" button.


Step 7:- Click on the "Next" button.


Step 8:- Give the rule a name and click on the "Finish" button.

Now you can see the created rule.

3) Download Splunk Forwarder in Kali

Step 1:- Go to https://www.splunk.com


Step 2:- Download the Splunk Universal Forwarder, logging in with the same username and password you used for Splunk.

4) Forwarding Snort Logs To Splunk

Step 1:- Move the Splunk Forwarder package into /opt/ using the mv command.

        mv splunkforwarder-8.2.2-87344edfcdb4-linux-2.6-amd64.deb /opt/



Step 2:- Install the Splunk Forwarder using this command (run it from /opt, where the package was moved in Step 1).

        cd /opt
        apt install ./splunkforwarder-8.2.2-87344edfcdb4-linux-2.6-amd64.deb

        (use the file name of the Splunk Forwarder package you downloaded)


Step 3:- Write the commands below in the terminal (the package installs into /opt/splunkforwarder).

        ls
        cd splunkforwarder
        ls
        cd bin
        ./splunk start --accept-license

It will ask for a username and password; use the same username and password as your Splunk login.

Step 4:- Write the following command in the terminal.

        ./splunk add forward-server 192.168.0.107:9997

        Replace 192.168.0.107 with the IP address of your Windows system (where Splunk is installed) and 9997 with the receiving port you configured in Splunk.



Step 5:- Write the commands below in the terminal.

        cd ..
        ls
        cd etc
        ls
        cd system
        ls
        cd local
        vi outputs.conf


The outputs.conf file will open. In this file write the following (lines starting with # are comments; Splunk does not treat notes in curly braces as comments, so do not paste them into the file).

        [tcpout]
        defaultGroup = default-autolb-group

        [tcpout:default-autolb-group]
        server = 192.168.0.107:9997,127.0.0.1:9997

        # your Windows system IP address (the Splunk server)
        [tcpout-server://192.168.0.107:9997]

        # your Splunk browser IP address
        [tcpout-server://127.0.0.1:9997]
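A quick lint of the forwarder's outputs.conf before restarting it, as an added example (not part of the original tutorial and not Splunk's own tooling): it parses the .conf stanza format, flags any {...} note left inline (Splunk reads only # lines as comments), and checks that defaultGroup points at an existing [tcpout:<group>] stanza whose server entries are host:port. BROKEN and FIXED are constructed samples mirroring this step's configuration.

```python
import re


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def lint_outputs(text):
    """Return a list of problems found in an outputs.conf body (empty means OK)."""
    problems = []
    # Only '#' lines are comments; a {...} note pasted on a line corrupts that line.
    for num, line in enumerate(text.splitlines(), 1):
        if "{" in line and not line.lstrip().startswith("#"):
            problems.append(f"line {num}: '{{...}}' note is not a comment, use '#'")
    conf = parse_conf(text)
    group = conf.get("tcpout", {}).get("defaultGroup")
    if group is None:
        problems.append("[tcpout] has no defaultGroup")
    elif f"tcpout:{group}" not in conf:
        problems.append(f"defaultGroup {group} has no [tcpout:{group}] stanza")
    else:  # every forwarding target must be host:port with a usable port number
        for server in conf[f"tcpout:{group}"].get("server", "").split(","):
            server = server.strip()
            match = re.fullmatch(r"[^:\s]+:(\d{1,5})", server)
            if not match or not 0 < int(match.group(1)) < 65536:
                problems.append(f"server entry {server!r} is not host:port")
    return problems


# Constructed sample: this step's outputs.conf with a {...} note left inline.
BROKEN = """[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.0.107:9997,127.0.0.1:9997
[tcpout-server://192.168.0.107:9997]  {your system(windows) ip address}
"""
# The same settings with the note moved to a '#' comment line.
FIXED = BROKEN.replace("  {your system(windows) ip address}", "\n# Windows Splunk host")
```

Splunk forwards over port 9997 in clear text unless SSL is enabled in outputs.conf, so keep the Windows firewall rule from section 2 scoped to the Kali host's address rather than any remote address.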


Step 6:- Write the following commands to monitor the Snort logs (run them from /opt/splunkforwarder/bin).

        cd /opt/splunkforwarder/bin
        sudo ./splunk add monitor /var/log/auth.log -sourcetype linux_secure
        sudo ./splunk add monitor /var/log/syslog -sourcetype syslog
        sudo ./splunk add monitor /root/log/snort.alert.fast
        sudo ./splunk add monitor /root/log/snort.alert
        sudo ./splunk add monitor /root/log/snort.log.1629974293


Step 7:- Write the commands below in the terminal.

        cd ..
        cd etc
        ls
        cd apps
        ls
        cd search
        ls
        cd local
        ls
        vi inputs.conf

The inputs.conf file will open. In this file write the following.

        # "ip" is a literal keyword (record the sender's IP address on each event), not an address to fill in
        [splunktcp://9997]
        connection_host = ip

        [monitor:///root/snort/]
        disabled = false
        index = main
        sourcetype = snort_alert_full
        source = snort


Step 8:- Write the command below.

        ./splunk restart


Step 9:- In Splunk, click on "Search & Reporting" and then click on "Data Summary".

Now you can see the live Snort logs in Splunk.





