Generating Artificial Snort Alerts and Implementing SELK: The Snort–Elasticsearch–Logstash–Kibana Stack

Report No. ARL-TR-8175
Authors: Daniel E Krych, Joshua Edwards, and Tracy Braun
Date/Pages: September 2017; 36 pages
Abstract: This report details the development of an artificial Snort alert generator and the configuration of a Snort–Elasticsearch–Logstash–Kibana (SELK) stack for parsing, storing, visualizing, and analyzing Snort alerts. The first section covers the Snort alert-generation program, the methodology involved in developing it, and how it accelerates Snort-related research. The second section covers the development of configuration files and the pipeline for the SELK stack, followed by its deployment and uses. We develop the program, gen_alerts.py, which takes in a Snort rules file and generates artificial Snort alerts following a specified priority distribution of high, medium, low, and very low alerts, based on Snort's classifications. We construct the ELK pipeline, using Logstash to parse and organize Snort alerts. These generated alerts feed the head of this pipeline, forming the SELK stack. To enable rapid deployment, we implement this system in a lightweight Lubuntu virtual machine that can be imported and used with VirtualBox or VMware. In addition, we provide an instructional guide on system setup. The methodologies described can be translated to the setup and use of the ELK stack for storing and visualizing any data.
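As an added example that is not the report's gen_alerts.py (whose code is not on this page), the Python below sketches the approach the abstract describes: parse a Snort rules file, map each rule's classtype to a Snort priority (1 high to 4 very low, as in Snort's default classification.config), and emit artificial alerts in Snort's fast-alert format according to a chosen priority distribution, ready to be fed into a Logstash parser. The rule lines, addresses and timestamps are constructed for illustration.

```python
import random
import re
from datetime import datetime, timedelta

# Constructed rules file contents (not from the report): one rule per Snort priority level.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login attempt to admin account"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Unusual HTTP header"; classtype:bad-unknown; sid:1000002; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"TCP connection to web server"; classtype:tcp-connection; sid:1000004; rev:1;)
'''
CLASSTYPES = {  # classtype -> (description, priority) per Snort's default classification.config: 1 high .. 4 very low
    "attempted-admin": ("Attempted Administrator Privilege Gain", 1),
    "bad-unknown": ("Potentially Bad Traffic", 2),
    "misc-activity": ("Misc activity", 3),
    "tcp-connection": ("A TCP connection was detected", 4),
}
RULE_RE = re.compile(r"^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$", re.M)

def parse_rules(text):
    """Extract proto, msg, classification, sid, rev and priority from each 'alert' rule line."""
    rules = []
    for m in RULE_RE.finditer(text):
        opts = dict(kv.strip().split(":", 1) for kv in m.group(2).split(";") if ":" in kv)
        desc, prio = CLASSTYPES.get(opts.get("classtype"), ("Unknown Traffic", 3))
        prio = int(opts.get("priority", prio))  # an explicit priority option overrides the classtype default
        rules.append({"proto": m.group(1).upper(), "msg": opts["msg"].strip('"'), "class": desc,
                      "sid": int(opts["sid"]), "rev": int(opts.get("rev", 1)), "priority": prio})
    return rules

def generate_alerts(rules, count, distribution, seed=0):
    """Emit `count` alerts in Snort fast-alert format, choosing priorities by `distribution` weights."""
    rng = random.Random(seed)
    by_prio = {}
    for r in rules:
        by_prio.setdefault(r["priority"], []).append(r)
    prios = [p for p in distribution if p in by_prio]  # ignore priorities with no matching rule
    weights = [distribution[p] for p in prios]
    ts, lines = datetime(2017, 9, 1, 8, 0, 0), []  # constructed start time
    for _ in range(count):
        rule = rng.choice(by_prio[rng.choices(prios, weights=weights)[0]])
        ts += timedelta(seconds=rng.randint(1, 30))
        src, dst = f"10.0.{rng.randint(0, 255)}.{rng.randint(1, 254)}", f"192.168.1.{rng.randint(1, 254)}"
        if rule["proto"] != "ICMP":  # fast format carries ports for TCP/UDP but not for ICMP
            src, dst = f"{src}:{rng.randint(1024, 65535)}", f"{dst}:{rng.randint(1, 1024)}"
        lines.append(f"{ts:%m/%d-%H:%M:%S.%f}  [**] [1:{rule['sid']}:{rule['rev']}] {rule['msg']} [**] "
                     f"[Classification: {rule['class']}] [Priority: {rule['priority']}] {{{rule['proto']}}} {src} -> {dst}")
    return lines
```

Running `generate_alerts(parse_rules(SAMPLE_RULES), 200, {1: 0.1, 2: 0.2, 3: 0.3, 4: 0.4})` yields lines such as `09/01-08:00:17.000000  [**] [1:1000003:1] ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.12.7 -> 192.168.1.44`, which a Logstash grok filter can split into fields.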
Distribution: Approved for public release
Download Report (1.065 MBytes)

Last Update / Reviewed: September 1, 2017