
Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

Security Onion (http://securityonion.blogspot.com/) is a Linux distribution for intrusion detection and network security monitoring. Security Onion for Splunk is designed to run on a Security Onion server, providing an alternative method for correlating events and incorporating field extractions and reporting for Sguil, Bro IDS and OSSEC.

Security Onion:

For a detailed description of the application with screenshots, see <http://eyeis.net/2012/04/splunking-the-onion/>.

Overview:

Splunk for Security Onion provides several dashboards and search interfaces for correlating Sguil, OSSEC and Bro IDS log events.

Required Splunk Apps:

Sideview Utils - <http://splunk-base.splunk.com/apps/36405/sideview-utils>
Splunk for OSSEC - Splunk v4 version - <http://splunk-base.splunk.com/apps/22285/splunk-for-ossec-splunk-v4-version>
Geo Location Lookup Script (powered by MAXMIND) - <http://splunk-base.splunk.com/apps/22282/geo-location-lookup-script-powered-by-maxmind>
Google Maps - <http://splunk-base.splunk.com/apps/22365/google-maps>
Splunk Visualizations - <http://splunk-base.splunk.com/apps/22283/splunk-visualizations>

Prerequisites:

A Security Onion server and a Splunk 5.x installation. (Note: when installing Splunk on a Security Onion system there will likely be a port conflict for the Splunk web server. Port 81 as an alternate port should be a safe alternative.)

Setup Splunk:

Download from www.splunk.com. Install via terminal command:
sudo dpkg -i splunk-5.*.deb

When install completes, we need to start Splunk for the first time:
cd /opt/splunk/bin
sudo ./splunk start

After accepting the agreement, you'll have to pick an alternate port for the Splunk web interface since the default is in use. You'll see the following and when prompted to change, choose yes, then specify port 81:

Checking prerequisites...
Checking http port 8000: already bound
ERROR: The http port 8000 is already bound. Splunk needs to use this port.
Would you like to change ports? y/n: y
Enter a new http port: 81
Setting http to port: 81
Checking http port 81: open
Checking mgmt port 8089: open
Checking configuration... Done.

Splunk's built-in way to run at boot time is (as root): $SPLUNK_HOME/bin/splunk enable boot-start with an optional user=foo at the end to run as a certain user. It installs proper boot scripts for your OS so you don't need to worry about editing /etc/rc.* files:
/opt/splunk/bin/splunk enable boot-start

Install Required Splunkbase Apps:

Open Firefox and browse to <http://localhost:81> (or if you used an alternate port change accordingly). Change your password, then click App > Find More Apps from the menu in the upper right corner. Find the following apps and install them.
Install Splunk for OSSEC - Splunk v4 version
Install Geo Location Lookup Script (powered by MAXMIND)
Install Google Maps
Install Splunk Visualizations
Install Security Onion for Splunk

Configure Bro IDS Inputs:

Depending on how much traffic your sensor monitors, you may need to leave some of the Bro inputs disabled to avoid maxing out your license. The following are the sourcetypes configured for each Bro IDS log data input:
bro_communication - Bro sensor communications
bro_conn - Connections
bro_dns - DNS requests
bro_dpd - Dynamic Protocol Detection
bro_ftp - FTP activity
bro_http - HTTP traffic
bro_irc - IRC activity
bro_known_certs - Certificates seen
bro_known_hosts - Hosts seen
bro_known_services - Services detected
bro_notice - You definitely want this one enabled
bro_smtp - SMTP activity
bro_smtp_entities - SMTP
bro_software - Software versions detected (incl. vulnerable versions)
bro_ssh - SSH activity
bro_ssl - SSL activity
bro_syslog - Syslog activity
bro_weird - Anomalous events

Using Splunk for Security Onion:

I've standardized the source and destination IP fields in the Bro IDS and Sguil log field extractions so "src_ip" and "dest_ip" are consistent across events.

Log file data inputs are file specific (as opposed to monitoring the entire /nsm/bro/logs/current/ directory) primarily for granular control over what gets splunked. Depending on your licensing you may need to scale back certain logs and this provides an easy way to do so.
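As an added example (not part of the app or its README), the following Python reads a Bro tab-separated log, honours its #fields and #unset_field header lines, and renames id.orig_h / id.resp_h to src_ip / dest_ip the way the app's field extractions standardize them. The conn.log sample is constructed, and FIELD_ALIASES, parse_bro_log and top_talkers are names chosen here, not the app's.

```python
import io

# Added example (not app code): parse Bro TSV logs and expose the IP
# columns as src_ip / dest_ip, as the app's field extractions do.
FIELD_ALIASES = {"id.orig_h": "src_ip", "id.resp_h": "dest_ip"}

def parse_bro_log(text):
    """Yield one dict per record from a Bro ASCII log (tab-separated).
    Header lines start with '#'; '#fields' names the columns and
    '#unset_field' (default '-') marks a column with no value."""
    fields = None
    unset = "-"
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue  # #separator, #types, #open, #close carry no records
        if fields is None:
            raise ValueError("record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        record = {}
        for name, value in zip(fields, values):
            record[FIELD_ALIASES.get(name, name)] = None if value == unset else value
        yield record

# Constructed sample in the shape of a Bro conn.log (not real sensor data).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "1357027200.000000\tCAbc123\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp",
    "1357027201.000000\tCDef456\t10.0.0.7\t53211\t192.0.2.53\t53\tudp\t-",
    "#close\t2013-01-01-00-00-02",
])

def top_talkers(text):
    """Count records per src_ip, like a Splunk 'top src_ip' over bro_conn."""
    counts = {}
    for rec in parse_bro_log(text):
        counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts
```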

SOstat Monitoring:

The SOstat monitoring scripts are configured to run at various intervals (in seconds). The default settings are very conservative, executing most scripts once a day and status scripts 3 times a day. The default configuration is:

Sourcetype - Script - Interval (seconds)
sostat_disk - /opt/splunk/etc/apps/securityonion/bin/disk.sh - 86400
sostat_ifconfig - /opt/splunk/etc/apps/securityonion/bin/ifconfig.sh - 86400
sostat_nsm_log_archive - /opt/splunk/etc/apps/securityonion/bin/nsm_log_archive.sh - 86400
sostat_nsm_sensor_ps-status - /opt/splunk/etc/apps/securityonion/bin/nsm_sensor_ps-status.sh - 21600
sostat_nsm_server_ps-status - /opt/splunk/etc/apps/securityonion/bin/nsm_server_ps-status.sh - 21600
sostat_nsm_sguil_uncategorized - /opt/splunk/etc/apps/securityonion/bin/nsm_sguil_uncategorized.sh - 86400
sostat_top - /opt/splunk/etc/apps/securityonion/bin/top.sh - 21600

The default settings can be modified via Splunk Manager > Data Inputs > Scripts. Click on the script name in the "Command" column to increase/decrease the interval. You can also disable/enable scripts.

Comments or Questions:

For comments, suggestions or questions, feel free to drop me an e-mail: brad@eyeis.net

Hope you enjoy the app!

Brad Shoop
<http://eyeis.net>
@bradshoop

Versions and Release Notes

Version 2.0 (current version - updated Jan 01, 2013)
release notes:

*IMPORTANT* - Security Onion for Splunk 2.0 supports the latest release of Security Onion 12.04. If you are running the older version, Security Onion 10.04, please continue to use version 1.1.7.

Sideview Utils is now a required app, available from Splunkbase.

2.0 contains updated log sources and field extractions for Security Onion 12.04, includes several updated/enhanced dashboards including Overview, IR Search and SOstat, and introduces the new dashboard "Bro(wser)" for reviewing Bro IDS logs.

Version 1.1.7 (updated Sep 14, 2012)
release notes:

1.1.7
- Tweaked Sguil indexing to prevent Bro URL data from being duplicated into Splunk via sguild.log.
- Monitors dashboard field name drop down selections added to all panels.
- General Mining dashboard added panels for Bro SSH logs and Bro HTTP TLDs (top level domains). Also added drop down options for Bro FTP and IRC panels.
- Sguil Mining has been updated and improved.
- Syslog Mining dashboard added for Bro Syslog.
- An Event Workflow was added for searching Splunk for events by src_ip.
…and last but not least:
- CIF Dashboards! See README for details on how to configure CIF integration.

Version 1.1.6 (updated Aug 24, 2012)
release notes:

1.1.6 - Sguil mining - added ability to drilldown on source or destinations to a timechart of activity by sourcetype for the selected IP.

Version 1.1.5 (updated Aug 23, 2012)
release notes:

1.1.5 - Performance improvements on several dashboards and fixed a bug in Sguil mining.

Version 1.1.4 (updated Aug 04, 2012)
release notes:

1.1.4 - Minor bug fix to IDS rule reference full document lookup.

Version 1.1.3 (updated Jul 20, 2012)
release notes:

1.1.3 - Added SOstat IDS Rules: indexes /etc/nsm/rules/*.rules and provides an easy-to-use interface for referencing rules for tuning. Sort by classtype, category, enabled status, and/or rule source and drilldown on a rule to see its activity history and the full rule entry, complete with Splunk event workflow lookups by BugtraqID, CVE ID and URL.

- Added VRT reference workflow lookup. For Sguil events with a sig_id, you can now use the Events view workflow menu to view the Snort signature reference document in a new window, when available.

- Added SOstat ability to sort by sensor to provide better monitoring of a distributed deployment.

See README and http://eyeis.net/2012/07/security-onion-for-splunk-1-1-3-ids-rule-reference/ for full details.

Version 1.1.2 (updated Jul 08, 2012)
release notes:

Workflow field and event search items added for CIF, DShield and Robtex. Most panel drilldowns have been changed from table views to event listing views. The primary reason (while less aesthetic) is accessibility to the workflow queries, which will allow you to efficiently query domains, IPs, and hashes without disrupting your workflow and visibility (i.e., results spawn in new windows/tabs).

Version 1.1.1 (updated Jun 22, 2012)
release notes:

1.1.1 - Minor update to get src_ip into Known Knowns and fix a typo. Also tweaked sguild inputs to better support non-standard timezone setting environments.

Version 1.1 (updated Jun 18, 2012)
release notes:

http://eyeis.net/2012/06/security-onion-1-1-for-splunk/

I've added an input for Bro's capture_loss.log which now displays on the SOstat Security Onion monitor in a time chart paired with Snort packet loss. To enable this log in Bro edit:
/usr/local/share/bro/site/local.bro
and add the following:
@load misc/capture-loss
You'll have to run check and install in broctl for the change to be loaded:
sudo broctl
check
install
exit
and you're done. It takes a while before the first logged event shows up, so give it a bit before you worry whether it's working.

I also tweaked the sguild inputs to exclude "{URL" events. This data is already being consumed via bro_http so it should cut down on the licensing volume.

Monitors Dashboard
- Returned misc-activity to the Sguil panel.
- Added date/time and raw event to drill down display for the FTP Args panel.

GeoIP
- A drop down list has been added to GeoIP allowing you to search GeoIP by sourcetype which should reduce query times for more targeted views. The map also now includes drill down capabilities with results appearing below the map when selected.

Mining
- Added drill down to the time chart panels for HTTP and SMTP mining
- Added a PADS dashboard (similar to HTTP and SMTP mining) searchable by Name, Classification, Source IP, Source Port, Destination IP, Destination Port, Protocol, and Severity.
- Added a Known Knowns dashboard. Includes: Known Services; Known Software searchable by Name and Type; and Known Certs searchable by Country, Common Name, Certificate Issuer Subject, Location, Organization, Organizational Unit, Port Number, State, and Certificate Subject.

PADS
- Created an event type for PADS in addition to the PADS Mining dashboard.

SOstat
- Updated SOstat SO to include Bro capture loss in addition to Snort packet loss.

Version 1.0 (updated May 23, 2012)
release notes:

See README or check http://eyeis.net/2012/05/security-onion-1-0-for-splunk/

Version 0.9 (updated May 09, 2012)
release notes:

Bro's http.log will be using a log file per interface on multi-interface sensors. This update adds a data input to capture them.

Version 0.8 (updated Apr 26, 2012)
release notes:

Added CIF (Collective Intelligence Framework: http://code.google.com/p/collective-intelligence-framework/) query capability to the field and event menus in Splunk. For the links to work you will need to update the workflow actions for your CIF server and a valid API key. Edit the workflow via Splunk Manager > Fields > Workflow action from the Security Onion app context and you should see two CIF entries.

Version 0.7 (updated Apr 24, 2012)
release notes:

SOstat update to include folder sizes. Mining menu additions: HTTP mining and SMTP mining.

Version 0.6 (updated Apr 22, 2012)
release notes:

Added Bro stats.log monitoring to SOstat Server/Service Status panel (sourcetype = bro_stats). Added Bro irc.log monitoring to Mining dashboard (sourcetype = bro_irc). Added Bro smtp_entities filename monitoring to Mining dashboard (sourcetype = bro_smtp_entities).

Version 0.5 (updated Apr 15, 2012)

posted 15 Apr '12, 16:12


bshoop

new version 01 Jan, 09:21


6 Reviews:
6 reviews, 4 ratings, average 5.0

Super cool - really nice work


reviewed 02 Feb, 20:55


jbolling

Fantastic app!!! I was having a hard time wrapping my head around some of the Security Onion features and this app made everything so much easier to grasp. Thanks for your hard work!!


reviewed 24 Jan, 14:04


joshshaw

Brad, this app is great! Keep up the good work. Brings together a lot of the underworkings of the tools in Security Onion. Most importantly, very easy access to the BRO data!

-rossw


reviewed 20 Dec '12, 14:16


ross.warren

Reviews related to version 1.1 (current is 2.0)

Excellent tool for use with Security Onion. And it offers so much information out of the box with little config.

Thanks Brad


reviewed 08 Jun '12, 06:03


j666gak

Reviews related to version 1.0 (current is 2.0)

Really really nice !!

Thank you very much :-D


reviewed 14 May '12, 06:55


jpmondetsplunk

Reviews related to version 0.6 (current is 2.0)

Splunk's built-in way to run at boot time is (as root): $SPLUNK_HOME/bin/splunk enable boot-start with an optional user=foo at the end to run as a certain user. It installs proper boot scripts for your OS so you don't need to worry about editing /etc/rc.* files.


reviewed 18 Apr '12, 01:37


Jason

edited 18 Apr '12, 01:40

Learn something new about Splunk every day. Description updated.

Thanks

(19 Apr '12, 04:59) bshoop

Also remember that if you are running as a non-root user (user splunk is the default for .rpm, and I assume .deb installs as well) you will not be able to open port 81, as under 1024 are reserved for root. Try 8001, 9000, or some other high port.

(09 Jan, 02:13) Jason
Copyright © 2005-2012 Splunk Inc. All rights reserved.