Security Onion 1.1 for Splunk

README notes w/ bonus comments for Version 1.1

I’ve added an input for Bro’s capture_loss.log which now displays on the SOstat Security Onion monitor in a time chart paired with Snort packet loss. To enable this log in Bro edit:


and add the following:

@load misc/capture-loss

You’ll have to run broctl’s check and install for the change to get loaded:

sudo broctl

and you’re done. It takes a while before the first logged event shows up (capture-loss reports on an interval, not per packet), so give it a bit before you worry about whether it’s working. (The main reason I added this, aside from the value, is that it will likely be standard in SO down the road. It’s completely optional, and if I didn’t tell you about it you’d be none the wiser unless you did have it turned up, in which case you’d be pleasantly surprised.)
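To sanity-check the new input outside Splunk, here is an added Python example (not code from this app or from Security Onion) that parses capture_loss.log records and flags intervals above a loss threshold, per peer, the way the SOstat chart tracks loss by sensor. It assumes Bro’s standard column set for this log (ts, ts_delta, peer, gaps, acks, percent_lost); the sample lines are constructed and the function names are my own.

```python
"""Parse Bro's capture_loss.log and flag intervals with high packet loss.

Added example, not code from the Security Onion for Splunk app. Field
layout follows Bro's Misc::CaptureLoss log (ts, ts_delta, peer, gaps,
acks, percent_lost); the sample records below are constructed.
"""

# Constructed sample in Bro's tab-separated ASCII log format.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tcapture_loss\n"
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n"
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble\n"
    "1341118800.000000\t900.000000\tbro\t12\t48000\t0.025\n"
    "1341119700.000000\t900.000000\tbro\t3100\t52000\t5.961538\n"
    "1341119700.000000\t900.000000\tworker-2\t0\t40000\t0.0\n"
    "1341120600.000000\t900.000000\tbro\t0\t0\t0.0\n"
    "#close\t2012-07-01-05-45-00\n"
)


def parse_capture_loss(text):
    """Return one dict per record, naming columns from the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header and #close lines; only #fields carries column names.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rec = dict(zip(fields, cols))
        rec["ts"] = float(rec["ts"])
        rec["gaps"] = int(rec["gaps"])
        rec["acks"] = int(rec["acks"])
        rec["percent_lost"] = float(rec["percent_lost"])
        records.append(rec)
    return records


def loss_alerts(records, threshold_pct=1.0):
    """Return (peer, ts, percent_lost) for intervals above the threshold.

    An interval with acks == 0 saw no TCP traffic to measure against, so
    its 0.0 is not evidence of health; such intervals are left to
    silent_intervals() instead of being compared here.
    """
    return [
        (r["peer"], r["ts"], r["percent_lost"])
        for r in records
        if r["acks"] > 0 and r["percent_lost"] > threshold_pct
    ]


def silent_intervals(records):
    """Intervals in which the peer saw no ACKs at all (possible dead tap)."""
    return [r for r in records if r["acks"] == 0]


def max_loss_by_peer(records):
    """Worst observed loss per Bro peer: the per-sensor view SOstat charts."""
    worst = {}
    for r in records:
        worst[r["peer"]] = max(worst.get(r["peer"], 0.0), r["percent_lost"])
    return worst


if __name__ == "__main__":
    recs = parse_capture_loss(SAMPLE_LOG)
    for peer, ts, pct in loss_alerts(recs):
        print("%s at %.0f: %.2f%% capture loss" % (peer, ts, pct))
    for r in silent_intervals(recs):
        print("%s at %.0f: no ACKs seen" % (r["peer"], r["ts"]))
    print(max_loss_by_peer(recs))
```

Point it at a real /nsm/bro/logs/current/capture_loss.log to compare against what the SOstat chart shows; the acks == 0 case is separated out deliberately, since a sensor that sees nothing reports 0% loss and would otherwise look perfectly healthy.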

I also tweaked the sguild inputs to exclude “{URL” events. This data is already being consumed via bro_http so it should cut down on the licensing volume. (This will save you a ton of indexing volume and alone is worthy of updating!)

Monitors Dashboard

  • Returned misc-activity to the Sguil panel. (I’d yanked it due to the volume of URL events, but since we’re leaving those to bro_http, its value returns.)
  • Added date/time and raw event to drill down display for the FTP Args panel.


  • A drop down list has been added to GeoIP allowing you to search GeoIP by sourcetype which should reduce query times for more targeted views. The map also now includes drill down capabilities with results appearing below the map when selected. (Neatest update. Much more efficient than relying on all connections and lets you get geo visibility into each sourcetype.)


  • Added drill down to the time chart panels for HTTP and SMTP mining.

(The following additions bring a little asset and vulnerability management to the game via two dashboards: PADS [Passive Asset Detection System] and Bro’s Known Knowns.)

  • Added a PADS dashboard (similar to HTTP and SMTP mining) searchable by Name, Classification, Source IP, Source Port, Destination IP, Destination Port, Protocol, and Severity.
  • Added a Known Knowns dashboard. Includes: Known Services; Known Software searchable by Name and Type; and Known Certs searchable by Country, Common Name, Certificate Issuer Subject, Location, Organization, Organizational Unit, Port Number, State, and Certificate Subject.


  • Created an event type for PADS in addition to the PADS Mining dashboard.


  • Updated SOstat SO to include Bro capture loss in addition to Snort packet loss. (Also improved the packet/capture loss displays to be more “deployment friendly” tracking by host or sensor.)


A few screenshots for @remor:

[Screenshot: 1.1 GeoIP]

[Screenshot: 1.1 Known Knowns]

[Screenshot: 1.1 PADS]

10 thoughts on “Security Onion 1.1 for Splunk”

  1. Wonderful job on this, the only annoyance that I have found is the inability to pop snorby or squert to new windows from the nav bar. Tried changing the xml to this:
    Squert but it seems to disregard the change. Any suggestions?

  2. The code seems to have been stripped from the previous post; the modified portion was simply a target="_blank" trailing the URL.

  3. Thanks! The Snorby/Squert links are annoying. I get around it by just opening in a new window. Splunk strips out pretty much any HTML content after href= unfortunately. There might be a work around by doing some custom scripting but I’ve not had a chance to dive into it yet. I’m also planning on reporting the issue to Splunk but I’m not sure if they’ll see it as a “bug” or “working as intended.”

  4. So here’s an interesting little hiccup, it seems that I can no longer see any SGUIL events newer than 6-30-2012, could you possibly point me in the right direction to identifying this issue? SGUIL is definitely logging plenty of events just not being picked up by the splunk app.


  5. My first guess is going to be a Sguil uncategorized events issue. Have you launched the Sguil client lately and classified (F8) the alerts? In testing, I’ve seen something similar due to a high volume of uncategorized events. Another symptom is if you launch the Sguil client and have issues with it connecting.

    If this is the issue, the Security Onion wiki has a page on Managing Alerts that is helpful. Additionally, Richard Bejtlich has an incredibly informative blog entry over at TaoSecurity.

    The quick way to check is to open a terminal and type:

    mysql -uroot -Dsecurityonion_db

    At the prompt enter:

    SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status=0 GROUP BY signature ORDER BY cnt DESC LIMIT 20;

    That will give you a count of Sguil’s uncategorized alerts volume by signature. If there’s any events with a high count it’s likely your issue. Richard Bejtlich’s entry has specific details on how you can go about classifying them with MySQL queries to get Sguil healthy again.

    Both Sguil and Snorby expect you to classify events regularly. A lot can be done with automation if you don’t want to maintain them, but I would suggest going through them for a while at least with a focus on getting the alerts tuned and familiar with what is “normal” in your environment.

    Let me know if that doesn’t look like the issue.

  6. Don’t think that is it. Deleted all events from the event table, restarted the sensor/server services, ran the above query and it shows less than 10000 events that have not been categorized. Squert is now showing a total of 18k events; Snorby however is still showing 2.2M events. Don’t know if either of those two are related to this issue but thought that I would add that just in case. I really love your addon and would hate to have to reload the SO/splunk server just to get it working again 🙁

  7. one other interesting note, the SOStat page displays 2.6M sguil events not categorized.

  8. If Sguil is showing that many events not categorized then that is your problem. Run the mysql “SELECT COUNT” query I posted and you’ll see what events are the highest hitters that you might want to tune out via threshold.conf or disablesid.conf.

    The easiest way to recover from the issue is to just rerun the Setup icon on the Security Onion desktop. That will reinitialize the databases and reset sguil to get you a clean slate. It is very important to categorize events in Sguil and Snorby. Both expect someone to be monitoring them fairly regularly. If you don’t have the cycles for that, you can always look at automating some sguil categorizations based on the SO wiki page and TaoSecurity’s blog entry.

  9. ran setup again for SO, still no joy, applied the recent update to the SO splunk app and poof, it started working again, weird.
    Thanks for your help. Love this app.

  10. Excellent! Glad to hear you got it squared away and that you’re finding the app useful.

    Feel free to give it a review on the Splunk site next time you’re over there. 😉
