Generating Artificial Snort Alerts and Implementing SELK: The Snort-Elasticsearch-Logstash-Kibana Stack
Abstract
This report details the development of an artificial Snort alert generator and the configuration of a Snort-Elasticsearch-Logstash-Kibana (SELK) stack for parsing, storing, visualizing, and analyzing Snort alerts. The first section covers the Snort alert-generation program, the methodology involved in developing it, and how it accelerates Snort-related research. The second section covers the development of configuration files and the pipeline for the SELK stack, followed by its deployment and uses. We develop the program, gen_alerts.py, which takes in a Snort rules file and generates artificial Snort alerts with a specified priority distribution for outputting high, medium, low, and very low alerts based on Snorts classifications. We construct the ELK pipeline, using Logstash to parse and organize Snort alerts. These generated alerts head this pipeline to create the SELK stack. To enable rapid deployment, we implement this system in a lightweight Lubuntu virtual machine that can be imported and used with VirtualBox or VMware. In addition, we provide an instructional guide on system setup. The methodologies described can be translated to the setup and use of the ELK stack for storing and visualizing any data.
Document Details
- Document Type
- Technical Report
- Publication Date
- Sep 01, 2017
- Accession Number
- AD1039923
Entities
People
- Daniel E. Krych
- Joshua Edwards
- Tracy Braun
Organizations
- United States Army Research Laboratory