Snort on Splunk
Snort configuration on Splunk

Snort may be installed on a different server than Splunk, but Splunk needs access to the MySQL database in which the Snort events are stored. In our case we have a dedicated Snort server with a Splunk heavy forwarder installed on it to send the events to the indexer; the Splunk DB Connect app is installed on that heavy forwarder.

Configure Snort 2.9.9.x, Barnyard2, PulledPork and BASE as described in https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf. That document describes the installation in full detail for both Ubuntu 14 and 16.

Barnyard2 is an open source interpreter for Snort unified2 binary output files. "Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic" (https://github.com/firnsy/barnyard2). Barnyard2 also stores
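The two pieces of glue that the setup above depends on are the MySQL account DB Connect uses and the query it runs against the Snort schema. The following is an added example, not code from the original page or from the Snort, Barnyard2 or Splunk projects. It assumes the standard Snort/Barnyard2 MySQL schema (tables event, signature, iphdr, tcphdr, udphdr and sensor) in a database named snort, that Barnyard2 writes to it with its usual `output database: log, mysql, user=... password=... dbname=snort host=localhost` directive, and that the heavy forwarder reaches MySQL from the placeholder address 10.0.0.5. The account name, password and address are hypothetical.

```sql
-- Added example (not from the original page or from the Snort/Splunk projects).
-- Assumes the standard Snort/Barnyard2 MySQL schema in a database named `snort`
-- and a DB Connect input running on the heavy forwarder at 10.0.0.5 (placeholder).

-- 1. Least privilege: DB Connect only ever reads, so give it its own read-only
--    account bound to the forwarder's address instead of reusing Barnyard2's
--    write account. (User name, address and password are placeholders.)
CREATE USER 'splunk_ro'@'10.0.0.5' IDENTIFIED BY 'change-me';
GRANT SELECT ON snort.* TO 'splunk_ro'@'10.0.0.5';
FLUSH PRIVILEGES;

-- 2. DB Connect input query. `?` is DB Connect's checkpoint placeholder for the
--    rising column. Barnyard2's `cid` counter restarts at 1 for every sensor
--    `sid`, so neither column alone rises monotonically once a second sensor or
--    interface appears; the composite key sid*10^10 + cid does (cid is a 32-bit
--    unsigned counter, so it never reaches 10^10).
SELECT
    (e.sid * 10000000000 + e.cid)        AS rising_key,
    e.timestamp                          AS event_time,
    s.hostname                           AS sensor,
    s.interface                          AS iface,
    sig.sig_name                         AS signature,
    sig.sig_priority                     AS priority,
    sig.sig_gid, sig.sig_sid, sig.sig_rev,
    INET_NTOA(ip.ip_src)                 AS src_ip,   -- stored as unsigned int
    INET_NTOA(ip.ip_dst)                 AS dest_ip,
    ip.ip_proto                          AS proto,
    COALESCE(t.tcp_sport, u.udp_sport)   AS src_port, -- NULL for ICMP etc.
    COALESCE(t.tcp_dport, u.udp_dport)   AS dest_port
FROM event e
JOIN sensor    s   ON s.sid    = e.sid
JOIN signature sig ON sig.sig_id = e.signature
LEFT JOIN iphdr  ip ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t  ON t.sid  = e.sid AND t.cid  = e.cid
LEFT JOIN udphdr u  ON u.sid  = e.sid AND u.cid  = e.cid
WHERE (e.sid * 10000000000 + e.cid) > ?
ORDER BY rising_key ASC;
```

Use rising_key as the rising column of the DB Connect input and event_time as the timestamp column. The LEFT JOINs matter: an alert on a non-IP or non-TCP/UDP packet has no row in iphdr, tcphdr or udphdr, and an inner join would silently drop it, which is exactly the kind of gap you do not want in an IDS feed.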