Generating Artificial Snort Alerts and Implementing SELK: The Snort-Elasticsearch-Logstash-Kibana Stack
Technical Report, 01 Jun 2016, 12 Aug 2016
US Army Research Laboratory Adelphi United States
This report details the development of an artificial Snort alert generator and the configuration of a Snort-Elasticsearch-Logstash-Kibana (SELK) stack for parsing, storing, visualizing, and analyzing Snort alerts. The first section covers the Snort alert-generation program, the methodology used to develop it, and how it accelerates Snort-related research. The second section covers the development of the configuration files and pipeline for the SELK stack, followed by its deployment and uses. We develop the program genalerts.py, which takes a Snort rules file as input and generates artificial Snort alerts with a specified priority distribution, producing high, medium, low, and very low priority alerts according to Snort's classifications. We construct the ELK pipeline, using Logstash to parse Snort alerts into structured fields; the generated alerts feed the head of this pipeline to form the SELK stack. To enable rapid deployment, we implement the system in a lightweight Lubuntu virtual machine that can be imported into VirtualBox or VMware. We also provide an instructional guide for system setup. The methodology described can be adapted to set up the ELK stack for storing and visualizing any data.
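The abstract describes two pieces of work: a generator that turns a Snort rules file into artificial alerts with a chosen priority distribution, and a Logstash stage that parses those alerts into fields. The following is an added illustration of both ideas in one script; it is not the report's genalerts.py or its Logstash configuration, neither of which is reproduced on this page. It assumes Snort's default "fast" alert line format and a small hand-picked subset of the classtype-to-priority mapping from Snort's classification.config (priority 1 = high through 4 = very low); the rules file, SIDs, and addresses are constructed for the example. The parse step mirrors what a Logstash grok pattern for this format would extract, and is used here to check that the generated output actually matches the requested distribution.

```python
"""Artificial Snort alert generator plus a fast-alert parser (constructed example)."""
import random
import re
from collections import Counter
from datetime import datetime, timedelta

# Subset of Snort's default classification.config: classtype -> (description, priority).
# Priority 1 = high, 2 = medium, 3 = low, 4 = very low.
CLASSIFICATIONS = {
    "attempted-admin": ("Attempted Administrator Privilege Gain", 1),
    "attempted-user": ("Attempted User Privilege Gain", 1),
    "attempted-recon": ("Attempted Information Leak", 2),
    "bad-unknown": ("Potentially Bad Traffic", 2),
    "icmp-event": ("Generic ICMP event", 3),
    "network-scan": ("Detection of a Network Scan", 3),
    "tcp-connection": ("A TCP connection was detected", 4),
}

# Constructed sample rules file (local SID range); not taken from any real ruleset.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; content:"SSH-"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB directory traversal"; content:"../"; nocase; classtype:attempted-recon; sid:1000002; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; classtype:icmp-event; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 3389 (msg:"RDP connection"; flags:S; classtype:tcp-connection; sid:1000004; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS query; suspicious TLD"; content:"|00 01|"; classtype:bad-unknown; priority:1; sid:1000005; rev:1;)
"""

RULE_RE = re.compile(r"^(?:alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+[^(]*\((?P<opts>.*)\)\s*$")
# key:value; pairs; a quoted value may itself contain ';' (inside msg or content).
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

# Snort "alert_fast" line, e.g.
# 06/01-12:00:00.123456  [**] [1:1000001:1] SSH brute force attempt [**] [Classification: ...] [Priority: 1] {TCP} 10.0.3.4:51234 -> 192.168.1.7:22
# ICMP alerts carry no ports. IPv4 addresses only (the src/dst patterns stop at ':').
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)


def parse_rules(text):
    """Parse a Snort rules file into dicts with proto, msg, classtype, sid, rev, priority."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        opts = {}
        for key, val in OPT_RE.findall(m.group("opts")):
            opts.setdefault(key, val.strip('"'))  # first occurrence wins
        classtype = opts.get("classtype", "")
        # An explicit priority: option overrides the classtype's priority, as in Snort.
        # Rules with no resolvable classification get priority 0 here (assumption of this example).
        priority = int(opts["priority"]) if "priority" in opts else CLASSIFICATIONS.get(classtype, ("", 0))[1]
        rules.append({"proto": m.group("proto").upper(), "msg": opts.get("msg", ""), "classtype": classtype,
                      "sid": int(opts.get("sid", 0)), "rev": int(opts.get("rev", 1)), "priority": priority})
    return rules


def format_fast_alert(rule, when, src, sport, dst, dport):
    """Render one rule hit as a Snort fast-format alert line (generator ID fixed at 1)."""
    ts = when.strftime("%m/%d-%H:%M:%S.%f")
    description = CLASSIFICATIONS.get(rule["classtype"], ("", 0))[0]
    cls = f"[Classification: {description}] " if description else ""
    endpoints = f"{src} -> {dst}" if rule["proto"] == "ICMP" else f"{src}:{sport} -> {dst}:{dport}"
    return (f"{ts}  [**] [1:{rule['sid']}:{rule['rev']}] {rule['msg']} [**] "
            f"{cls}[Priority: {rule['priority']}] {{{rule['proto']}}} {endpoints}")


def generate_alerts(rules, count, distribution, seed=0):
    """Emit `count` alerts; `distribution` maps priority -> relative weight (e.g. {1: .1, 2: .3, 3: .4, 4: .2})."""
    rng = random.Random(seed)
    by_priority = {}
    for rule in rules:
        by_priority.setdefault(rule["priority"], []).append(rule)
    levels = [p for p, w in distribution.items() if w > 0 and p in by_priority]
    if not levels:
        raise ValueError("no rules match any requested priority")
    weights = [distribution[p] for p in levels]
    base = datetime(2016, 6, 1, 12, 0, 0)  # constructed start time
    alerts = []
    for i in range(count):
        rule = rng.choice(by_priority[rng.choices(levels, weights)[0]])
        when = base + timedelta(seconds=i, microseconds=rng.randrange(1_000_000))
        src, dst = f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}", f"192.168.1.{rng.randrange(1, 255)}"
        alerts.append(format_fast_alert(rule, when, src, rng.randrange(1024, 65536), dst, rng.randrange(1, 1024)))
    return alerts


def parse_fast_alert(line):
    """Split a fast-format alert into fields, as a Logstash grok filter would; None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def priority_histogram(alerts):
    """Count alerts per priority after round-tripping them through the parser."""
    counts = Counter()
    for line in alerts:
        parsed = parse_fast_alert(line)
        if parsed is None:
            raise ValueError(f"unparseable alert: {line}")
        counts[parsed["priority"]] += 1
    return dict(counts)


if __name__ == "__main__":
    generated = generate_alerts(parse_rules(SAMPLE_RULES), 10, {1: 0.5, 2: 0.3, 3: 0.2, 4: 0.0}, seed=7)
    print("\n".join(generated))
    print(priority_histogram(generated))
```

Feeding the output to Logstash is then a matter of pointing a file input at the generated alert file and reproducing ALERT_RE as a grok pattern; the round trip through parse_fast_alert is a cheap way to confirm the pattern extracts every field before the Elasticsearch mapping is built around it.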
- Computer Systems Management and Standards