snort-siem-grafana

molu8bits authored 55e1ca9e
Snort2 grafana dashboard

While some IDS/IPS deployments still wait for an upgrade to Snort3 (where JSON logging is available) or to Suricata, it may be useful to give Snort2 the flexible log handling provided by Elasticsearch and Grafana.

The project is based on the existing Grafana security dashboard "Security center", but removes its hard-coded dependencies and provides all configuration details for Snort, Barnyard2, Elasticsearch and Grafana.

Log flow and components:

Example dashboards:

Snort configuration: Snort uses the "-l" option in its systemd service definition to set the log output directory.

Barnyard2 configuration:

Barnyard2 takes the log files written by Snort and sends them over UDP to the Logstash server listening on UDP port 5142.

Logstash:

Logstash listens on port 5142 and marks all received logs with the "snort" tag. Logs tagged "snort" are parsed with grok and then go through some further transformation. Output for Snort logs is sent to Elasticsearch, with an index name of the form snortids-%YY-%MM-%dd.
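The parsing step above, as an added example rather than the project's own Logstash pipeline: a Python equivalent of the grok stage that turns the Snort "fast" alert shape relayed by Barnyard2 into the fields the dashboard filters on, tags the event "snort", and derives the daily snortids index. The sample lines are constructed; it assumes the alerts arrive in this fast-alert shape (the README shows no sample) and handles IPv4 only.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in Snort's "fast" alert shape as relayed by Barnyard2
# (assumption: the project's grok pattern parses this shape; the README shows no sample).
SAMPLE_LINES = [
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.20:54321",
    "[1:408:8] ICMP Echo Reply [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.20",
    "this line is not a Snort alert and must be skipped, not crash the pipeline",
]

# Equivalent of the grok pattern: IPv4 only, ports optional (absent for ICMP).
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields

def index_name(ts):
    """Daily index, following the README's snortids-<year>-<month>-<day> naming."""
    return ts.strftime("snortids-%Y-%m-%d")

def to_document(line, received_at):
    """Build the Elasticsearch document Logstash would emit: tag, timestamp, parsed fields and target index."""
    fields = parse_alert(line)
    if fields is None:
        return None  # unparsable line: skipped rather than indexed as a half-empty event
    doc = {"@timestamp": received_at.isoformat(), "tags": ["snort"], "message": line.strip()}
    doc.update(fields)
    return index_name(received_at), doc

if __name__ == "__main__":
    now = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
    for raw in SAMPLE_LINES:
        print(to_document(raw, now))
```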

Grafana:

Grafana just connects to the defined Elasticsearch clusters:

Elasticsearch datasource definition (to be created before importing the Grafana dashboard):