How to setup Splunk with the Snare Agents


SUMMARY

Aug 18, 2015

Some advice from Splunk users on receiving and viewing the data sent by the Snare Agents.

To set up the installation:

  • Use custom ports for the Snare agents. For example, Snare Windows Agents TCP/6165, Snare Linux Agents TCP/6166, Snare OSX Mac Agent TCP/6167, Snare Epilog Agent TCP/6169, etc. You can then create rules in Splunk specific to each port for custom searches and regular expressions.

  • Have a Linux server running RSYSLOG that all the Snare agents send to. The Linux server also runs the free Splunk universal forwarder, so anything coming in on the above ports is forwarded to the Splunk server with the appropriate sourcetype. For example, the rule listens on TCP/6165 and anything that comes in on that port is given the sourcetype [snare_windows].

  • RSYSLOG sends all its data to the two Splunk indexers. Some users prefer not to have anything come directly into Splunk, so that resources on the Splunk boxes are not tied up handling many agent connections.

  • If required, set up other rules to handle infrastructure devices coming in on UDP/514, etc.

  • This sends the raw Microsoft event logs directly to Splunk. You can check this by reviewing the logs captured by Snare in the agent's WebUI on the local box, then running tcpdump on the SYSLOG box to see the raw logs arriving.

  • Splunk will automatically create a new sourcetype once these logs start coming in as [snare_windows].

  • Restart the services on the SYSLOG box and the Splunk servers after making the above changes.

  • You should see the raw logs. Now you can create field extractions specific to sourcetype [snare_windows] (or source tcp:6165), since anything coming in on that port will be Windows logs.

  • Splunk ingests everything it is sent. If you are not seeing the raw logs, check for any filtering or other transforms at index time that are removing this information.
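The per-port layout described above, written out as an added example (not configuration from Snare or Splunk): an rsyslog ruleset per agent port that writes the untouched message to its own file, and the universal forwarder stanzas that map each file to a sourcetype. The file paths, ruleset names and the index name "snare" are assumptions; the index must already exist on the indexers (or drop the index line to use the default).

```conf
# --- /etc/rsyslog.d/snare.conf on the Linux collector (rsyslog v7+ syntax) ---
module(load="imtcp")

# One listener per agent type, each bound to its own ruleset, so the
# streams never mix and Splunk can assign one sourcetype per port.
input(type="imtcp" port="6165" ruleset="snare_windows")
input(type="imtcp" port="6166" ruleset="snare_linux")
input(type="imtcp" port="6167" ruleset="snare_osx")
input(type="imtcp" port="6169" ruleset="snare_epilog")

# Write the message exactly as the agent sent it (no rsyslog reformatting),
# so the field extractions built in Splunk match what tcpdump shows.
template(name="raw" type="string" string="%rawmsg%\n")

# Assumed paths; messages bound to a named ruleset do not fall through
# to the default ruleset, so they will not also land in /var/log/messages.
ruleset(name="snare_windows") { action(type="omfile" file="/var/log/snare/windows.log" template="raw") }
ruleset(name="snare_linux")   { action(type="omfile" file="/var/log/snare/linux.log"   template="raw") }
ruleset(name="snare_osx")     { action(type="omfile" file="/var/log/snare/osx.log"     template="raw") }
ruleset(name="snare_epilog")  { action(type="omfile" file="/var/log/snare/epilog.log"  template="raw") }

# --- inputs.conf on the universal forwarder (e.g. $SPLUNK_HOME/etc/system/local/) ---
# Each file gets the sourcetype for its port; "snare" is an assumed index name.
[monitor:///var/log/snare/windows.log]
sourcetype = snare_windows
index = snare

[monitor:///var/log/snare/linux.log]
sourcetype = snare_linux
index = snare

[monitor:///var/log/snare/osx.log]
sourcetype = snare_osx
index = snare

[monitor:///var/log/snare/epilog.log]
sourcetype = snare_epilog
index = snare

# Alternative if the forwarder should own the port itself instead of rsyslog:
# events then carry source=tcp:6165, which is the source referred to above.
# [tcp://6165]
# sourcetype = snare_windows
# index = snare
```

Restart rsyslog and the forwarder after saving, then confirm with a search on sourcetype=snare_windows before building any field extractions.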