The architecture used within the lab is [allocation]
Checking network connections
The WAN network connects to VLAN 200, the Private network connects to VLAN 201 and the DMZ connects to VLAN 202. Make sure (using the Edit Settings option on each VM) that Ubuntu connects to VLAN 201, and that Windows 2003 and Windows 2008 connect to VLAN 202. A VM on the wrong VLAN will typically get no DHCP lease or be unable to reach its gateway, so check this first if a machine cannot see the others:
Setting up forwarder
Make sure you have set up your Splunk forwarder correctly by selecting the "Customize Options" option and entering the correct Snort location for the IDS alerts (the forwarder only monitors the path it was given, so it must match the directory Snort actually writes alert.ids to):
If you are not receiving your logs in Splunk, first confirm that alert.ids is growing on the Snort host, then try reinstalling the forwarder and re-checking the options.
Making sure Snort is storing to alert.ids
Make sure you know where Snort is logging its alerts to. Look for alert.ids in Snort's log directory and check that it is growing with entries for the traffic you are generating (for example, a ping or scan from the Ubuntu VM against a host in the DMZ should produce matching alert records). If the file exists but never changes, the problem is Snort's rules or interface, not the forwarder.
Snort crashes on IPv6 packet
In packet logging mode, Snort will crash when it tries to save an IPv6 packet, because the file (or directory) name it creates for the packet log is built from the address, and IPv6 addresses contain the ":" character, which is not allowed in Windows file names. To fix this, remove the packet logging mode: Snort will then not save the packets themselves, but still records the alerts in the log\alert.ids file (Snort's -N option, which turns off logging while leaving alerts working, has the same effect). The command used is:
snort -dev -i 1 -p -K ascii -c c:\Snort\rules\rule.rules
Here -d dumps the application-layer data, -e shows the link-layer headers, -v is verbose output, -i 1 selects the capture interface by index, -p disables promiscuous mode, -K selects the packet logging mode and -c points Snort at the rules/configuration file.
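The following is an added example, not part of the original lab notes or of Snort itself. It reads a Snort alert.ids written in full alert mode, parses the "[**] [gid:sid:rev] message [**]" records and the timestamp/endpoint line that follows each one, and summarises them so you can see at a glance whether the file is filling with the alerts you are generating (the "Making sure Snort is storing to alert.ids" step above). It also handles IPv6 endpoints, which still produce alert records after the packet-logging workaround above, since those addresses contain colons and must not be split as if they were IPv4 address:port pairs. The sample records embedded below are constructed for the demonstration and the path C:\Snort\log\alert.ids is the location assumed by these notes.

```python
"""Sanity check for a Snort alert.ids file (full alert format).

Added example for the lab notes, not Snort's own code. The SAMPLE
records are constructed; C:\\Snort\\log\\alert.ids is the assumed path.
Run with a file argument to check a real alert.ids, or with no
argument to run against the constructed sample.
"""
import re
from collections import Counter

# Header line of each record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Timestamp line: MM/DD-HH:MM:SS.usec src -> dst  (TCP/UDP endpoints carry :port)
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

# Constructed sample: two IPv4 alerts (one ICMP, one TCP with ports) and one
# alert for IPv6 traffic, whose addresses contain colons.
SAMPLE = """\
[**] [1:1000001:1] LAB ICMP ping [**]
[Classification: Misc activity] [Priority: 3]
02/17-14:23:01.123456 192.168.1.7 -> 192.168.1.20
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO

[**] [1:1000002:2] LAB TCP probe on 80 [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/17-14:23:05.654321 192.168.1.7:40001 -> 192.168.1.20:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1 Ack: 0x0 Win: 0x7210 TcpLen: 40

[**] [1:1000001:1] LAB ICMP ping [**]
[Classification: Misc activity] [Priority: 3]
02/17-14:23:09.000001 fe80::1 -> ff02::1
"""


def split_endpoint(ep):
    """Split 'addr' or 'addr:port' into (addr, port).

    Only IPv4 endpoints carry a single trailing :port in this format; an
    IPv6 address contains several colons and is returned whole with no port.
    """
    if ep.count(":") == 1 and "." in ep:
        addr, port = ep.rsplit(":", 1)
        return addr, int(port)
    return ep, None


def parse_alerts(text):
    """Return a list of dicts, one per alert record, in file order."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(current)
            continue
        m = TS_RE.match(line)
        if m and current is not None:
            current["time"] = m.group(1)
            current["src"], current["sport"] = split_endpoint(m.group(2))
            current["dst"], current["dport"] = split_endpoint(m.group(3))
    return alerts


def summarise(alerts):
    """Count alerts per (sid, msg) and report the newest timestamp seen."""
    counts = Counter((a["sid"], a["msg"]) for a in alerts)
    newest = max((a.get("time", "") for a in alerts), default=None)
    return {"total": len(alerts), "by_sid": dict(counts), "newest": newest}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python check_alerts.py C:\Snort\log\alert.ids
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            data = f.read()
    else:
        data = SAMPLE
    print(summarise(parse_alerts(data)))
```

If the summary's total does not increase, or "newest" stays behind the time of the traffic you just generated, Snort is not writing the alerts you expect and the forwarder configuration is not the place to look.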
Remember to power off your VMs when complete. The Windows servers should retain their static IP addresses. The main Ubuntu instance is set to DHCP. If you want a static IP address on your Ubuntu machine, edit your /etc/network/interfaces file as follows (where 192.168.x.0 is your allocated network), then bring the interface down and up again, or reboot, for the change to take effect:
    auto eth0
    iface eth0 inet static
        address 192.168.x.7
        netmask 255.255.255.0
        network 192.168.x.0
        broadcast 192.168.x.255
        gateway 192.168.x.254
        dns-nameservers 10.200.0.1