Forwarding Snort Live Logs to Splunk

To forward live Snort logs from a Kali machine to a Splunk instance running on Windows, follow these four main steps:

1) Splunk port configuration.
2) Firewall setup.
3) Download the Splunk Universal Forwarder in Kali.
4) Forwarding Snort live logs to Splunk.


1) Splunk Port Configuration

Step 1:- Go to http://127.0.0.1:8000 (the Splunk Web login page on the Windows machine; 8000 is the default Splunk Web port).

Step 2:- Click on Settings, select "Add Data", and then select "Forwarding & Receiving".

Step 3:- Under Receive Data, click on "Configure Receiving".

Step 4:- Add port number 9997.

        {9997 is the default port on which Splunk receives data from forwarders}

Now you can see that the receiving port was added successfully.

Step 5:- Click on Apps and then select "Find More Apps".

Step 6:- Search for "snort" and install "Snort Alert for Splunk".

Step 7:- It will ask for a username and password; use the same username and password as for your Splunk account, and then click on "Login and Install".



2) Firewall Setup

Step 1:- On the Windows machine, go to Control Panel and open Windows Firewall.

Step 2:- Click on "Advanced settings".

Step 3:- Click on "Inbound Rules" and then click on "New Rule".

Step 4:- The "Rule Type" page will open; click on "Port" and then click the "Next" button.

Step 5:- Select "TCP", enter "9997" as the specific local port, and then click the "Next" button.

        {9997 is the default port on which Splunk receives data from forwarders}

Step 6:- Select "Allow the connection" and click the "Next" button. The wizard's default scope accepts this port from any remote address; narrowing the rule's Scope to the Kali host's IP address keeps the opening no wider than it needs to be.

Step 7:- Click the "Next" button.

Step 8:- Give the rule a name and click the "Finish" button.

Now you can see the created rule.


 

3) Download Splunk Forwarder in Kali

Step 1:- Go to https://www.splunk.com

Step 2:- Download the Splunk Universal Forwarder (the Linux .deb package) using the same splunk.com username and password you used before.

 

4) Forwarding Snort Logs to Splunk

Step 1:- Move the Splunk Forwarder package into /opt/ using the mv command.

        mv splunkforwarder-8.2.2-87344edfcdb4-linux-2.6-amd64.deb /opt/

Step 2:- Install the Splunk Forwarder using this command. The argument is the file name of the forwarder package; the ./ prefix tells apt to install a local file, so run it from /opt/ where the package now sits.

        cd /opt/
        apt install ./splunkforwarder-8.2.2-87344edfcdb4-linux-2.6-amd64.deb
 


Step 3:- Run the commands below in the terminal. The package installs into /opt/splunkforwarder; these commands change into its bin directory and start the forwarder.

  ls
  cd splunkforwarder
  ls
  cd bin
  ./splunk start --accept-license

On first start it asks for an administrator username and password. These are for the forwarder's own local splunkd and do not have to match the server's, but the post uses the same username and password as the Splunk login.

 

Step 4:- Run the following command in the terminal.

     ./splunk add forward-server 192.168.0.107:9997

Replace the IP address with your Windows system's IP address and the port with the receiving port you configured in section 1.



Step 5:- Run the commands below in the terminal to open the forwarder's outputs.conf. The add forward-server command in Step 4 already created this file under /opt/splunkforwarder/etc/system/local/, so this step only checks it.

cd ..
cd etc/system/local
vi outputs.conf

The outputs.conf file will open. Make sure it contains the following. Splunk .conf files use # for comments, so the explanatory notes are written that way; the braces used as notes in the original post would be read as part of the value.

     [tcpout]
     defaultGroup = default-autolb-group

     [tcpout:default-autolb-group]
     # your Windows system's IP address and the receiving port from section 1
     server = 192.168.0.107:9997

     [tcpout-server://192.168.0.107:9997]

Only the Windows Splunk server belongs in the server list. The original post also listed 127.0.0.1:9997, but on the Kali forwarder that address is the forwarder itself, so a share of the events would be sent back to Kali instead of to Splunk. Note also that the forwarder-to-Splunk connection on 9997 is plain TCP unless TLS is configured for it, which this post does not cover.


Step 6:- From /opt/splunkforwarder/bin, run the following commands to monitor the system logs and the Snort log files. The -sourcetype flag tells Splunk how to parse each file; snort_alert_fast and snort_alert_full are the sourcetypes provided by the Snort Alert for Splunk app installed in section 1.

      sudo ./splunk add monitor /var/log/auth.log -sourcetype linux_secure
      sudo ./splunk add monitor /var/log/syslog -sourcetype syslog
      sudo ./splunk add monitor /root/log/snort.alert.fast -sourcetype snort_alert_fast
      sudo ./splunk add monitor /root/log/snort.alert -sourcetype snort_alert_full
      sudo ./splunk add monitor /root/log/snort.log.1629974293

The original post wrote /var/root/ for the first two paths; on Kali and other Debian-based systems auth.log and syslog live in /var/log/. The Snort paths must be the files Snort actually writes, that is, the directory given to snort -l. The last file, snort.log.<timestamp>, is Snort's binary packet log (tcpdump format), not text, so monitoring it adds nothing searchable in Splunk.


Step 7:- Run the commands below in the terminal to open inputs.conf.

    cd ..
    cd etc/apps/search/local
    vi inputs.conf

The inputs.conf file will open. In this file write the following (again using # for comments, not braces):

        # Only needed if this forwarder should itself receive data from other
        # forwarders. The receiving port for this setup was configured on the
        # Windows Splunk server in section 1, so it is left disabled here.
        # [splunktcp://9997]
        # connection_host = ip

        # the directory Snort writes its alert files to
        [monitor:///root/snort/]
        disabled = false
        index = main
        sourcetype = snort_alert_full
        source = snort

The monitor path must be the same directory as the files added in Step 6 (the post uses /root/log/ there and /root/snort/ here; both must point at the directory Snort logs to). Setting source = snort replaces the file path that Splunk would otherwise record as the source of each event.
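The two configuration files from Steps 5 and 7 can be generated and sanity-checked from a script instead of being typed into vi. The following is an added example, not code from the original post or from Splunk: it writes outputs.conf and inputs.conf from the receiving server's address, the receiving port and the Snort log directory (the sample values are the ones used in this post), and then checks each file for the brace-style notes that Splunk would otherwise treat as part of a value. The function names and the rules in check_conf are this example's own assumptions; write to a scratch directory first and copy to /opt/splunkforwarder/etc/system/local and /opt/splunkforwarder/etc/apps/search/local once you are happy with the output.

```shell
#!/bin/sh
# Added example (not from the original post or from Splunk): generate the
# forwarder's outputs.conf and inputs.conf from a few variables, then check
# the result. Function names and check rules are this example's assumptions.

# Write outputs.conf for a single receiving Splunk server.
# Usage: write_outputs_conf <dir> <receiver_ip> <port>
write_outputs_conf() {
    out_dir=$1; out_idx=$2; out_port=$3
    mkdir -p "$out_dir"
    cat > "$out_dir/outputs.conf" <<EOF
# Generated by write_outputs_conf; Splunk .conf comments use '#', not braces.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
# the Windows Splunk server and its receiving port
server = $out_idx:$out_port

[tcpout-server://$out_idx:$out_port]
EOF
}

# Write inputs.conf with one monitor stanza for the Snort log directory.
# Usage: write_inputs_conf <dir> <snort_log_dir> <index> <sourcetype>
write_inputs_conf() {
    in_dir=$1; in_logdir=$2; in_index=$3; in_st=$4
    mkdir -p "$in_dir"
    cat > "$in_dir/inputs.conf" <<EOF
# Generated by write_inputs_conf; the path is the directory Snort logs to.
[monitor://$in_logdir]
disabled = false
index = $in_index
sourcetype = $in_st
source = snort
EOF
}

# Return 0 if the file looks like valid Splunk .conf text: no '{' or '}'
# anywhere (the post's brace notes would become part of the value), and every
# non-blank, non-comment line is either a [stanza] header or key = value.
# Usage: check_conf <file>
check_conf() {
    cf=$1
    [ -f "$cf" ] || { echo "check_conf: no such file $cf" >&2; return 1; }
    if grep -q '[{}]' "$cf"; then
        echo "check_conf: brace note in $cf; use # comments instead" >&2
        return 1
    fi
    # first line that is neither a stanza header nor a key = value pair
    bad=$(grep -v '^[[:space:]]*$' "$cf" | grep -v '^[[:space:]]*#' \
        | grep -v -E '^[[:space:]]*\[[^]]+\][[:space:]]*$|^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*=' \
        | head -n 1)
    if [ -n "$bad" ]; then
        echo "check_conf: unparseable line in $cf: $bad" >&2
        return 1
    fi
    return 0
}

# Example run against a scratch directory (values from this post):
#   write_outputs_conf /tmp/uf-conf 192.168.0.107 9997
#   write_inputs_conf  /tmp/uf-conf /root/snort/ main snort_alert_full
#   check_conf /tmp/uf-conf/outputs.conf && check_conf /tmp/uf-conf/inputs.conf
```

check_conf is deliberately strict: it rejects the exact mistake in the post's hand-written files (notes in braces), and any line it cannot classify, so a typo such as a missing closing bracket on a stanza header is caught before the forwarder is restarted.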


Step 8:- Restart the forwarder so that the new configuration is loaded.

./splunk restart

Step 9:- In Splunk Web, click on "Search & Reporting" and then click on "Data Summary".

Now you can see Snort's live logs in Splunk.
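If nothing appears under Data Summary after the restart, the three things to check first are whether the forwarder can reach port 9997 on the Windows host (section 1 and the firewall rule from section 2), whether splunkd on the forwarder logged a connection to it, and whether the forwarder can read the files it was told to monitor. The script below is an added example, not part of the original post or of Splunk's own tooling. SPLUNK_HOME, the nc probe, and the splunkd.log wording matched by forwarder_connected (modelled on the forwarder's "Connected to idx=" message; compare it with your own splunkd.log) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): post-restart checks for the
# Kali forwarder. SPLUNK_HOME, the nc probe and the log wording matched
# below are this example's assumptions.

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunkforwarder}

# 1) Is the receiving port reachable at all? A short TCP probe with nc.
#    Usage: port_reachable <receiver_ip> <port>
port_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# 2) Did splunkd report a connection to the receiver? The forwarder writes a
#    line like "TcpOutputProc - Connected to idx=<ip>:<port>, ..." to
#    var/log/splunk/splunkd.log (assumed wording; check your own log).
#    Usage: forwarder_connected <splunkd.log> <ip:port>
forwarder_connected() {
    [ -f "$1" ] || return 1
    grep -qF "Connected to idx=$2" "$1"
}

# 3) Can the account running splunkd read every file it is told to monitor?
#    Prints each unreadable path and returns 1 if there is any.
#    Usage: files_readable <path>...
files_readable() {
    fr_rc=0
    for fr_f in "$@"; do
        if [ ! -r "$fr_f" ]; then
            echo "not readable: $fr_f" >&2
            fr_rc=1
        fi
    done
    return $fr_rc
}

# Run all three checks against the live forwarder; not invoked automatically.
# Usage: check_forwarder <receiver_ip> <port> <monitored file>...
check_forwarder() {
    cf_idx=$1; cf_port=$2; shift 2
    cf_rc=0
    if port_reachable "$cf_idx" "$cf_port"; then
        echo "ok: $cf_idx:$cf_port reachable"
    else
        echo "FAIL: $cf_idx:$cf_port not reachable (receiving port / firewall rule?)" >&2
        cf_rc=1
    fi
    if forwarder_connected "$SPLUNK_HOME/var/log/splunk/splunkd.log" "$cf_idx:$cf_port"; then
        echo "ok: splunkd reported a connection to $cf_idx:$cf_port"
    else
        echo "FAIL: no 'Connected to idx=$cf_idx:$cf_port' in splunkd.log (outputs.conf?)" >&2
        cf_rc=1
    fi
    if files_readable "$@"; then
        echo "ok: all monitored files readable"
    else
        cf_rc=1
    fi
    return $cf_rc
}

# Example run with the values used in this post (constructed; adjust paths):
#   check_forwarder 192.168.0.107 9997 /root/log/snort.alert.fast /root/log/snort.alert
```

The checks are ordered from the outside in: a failed probe points at the Windows side (receiving port or firewall rule), a missing "Connected to idx=" line with a reachable port points at outputs.conf, and an unreadable file explains a forwarder that connects fine but ships nothing.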





