Community:Splunk for Network Security
From Splunk Wiki
The Splunk Network Security application offers a set of reports, saved searches, and dashboards, as well as corresponding alerts that you can use to monitor your firewalls, intrusion detection and prevention systems, as well as operating systems.
- over 30 firewall, intrusion detection system, and operating system reports
- over 40 searches
- various alerts to monitor the environment for security violations
- dashboards to show firewall and intrusion detection/prevention system status
- eventtypes to identify spyware traffic, bogon address space use, etc.
This screenshot shows how the Splunk for Network Security application applies event decorations to each event that matches certain criteria. Here you can see how insecure traffic is flagged. Traffic associated with protocols such as POP or IMAP is not encrypted, so passwords are transmitted in the clear, and it is often important to know when such protocols are in use on the network. The same technique is used to flag traffic from bogon addresses and to identify traffic commonly generated by trojans and spyware.
This report shows the number of failed logins over the last day, broken out by user. The graph helps identify outliers: if specific users fail many times, that can be a warning sign, indicating either a misconfiguration or someone trying to brute-force the account.
This is part of the firewall dashboard. The top shows the top blocked services, which helps identify the services that are blocked most often. Either there are misconfigured clients trying to use these services, or the firewall is misconfigured and should be allowing this traffic through. This view can also help identify infected internal machines that suddenly start using a new protocol to spread. The bottom part of the dashboard shows the sources that have been blocked most; again, this can point to either infected internal machines or aggressive external offenders.
The intrusion detection dashboard summarizes alerts from intrusion detection systems. In this case, the top part shows, over time, which sources have raised alerts. The example shown indicates that there were violations on only a single day over the last week. This could be a very well tuned IDS, or it could indicate that the IDS was actually down for a number of days. The bottom part of the screenshot shows the top signatures that were triggered on the IDS. This can help tune signatures or give a general overview of what the threat landscape looks like at the moment.
This screenshot shows intrusion detection activity over time. The top part shows a breakdown of signatures over time, while the bottom part shows a breakdown by source.
Install the application
To install the Splunk Network Security application, download it via the Administration interface in Splunk, or unpack the SPL file inside $SPLUNK_HOME/etc/apps. The SPL file is a regular tar.gz file; if you have trouble, rename the .spl file to .tar.gz and then unpack it.
Configure the application
Note: The Network Security application may require additional services to be customized for your environment.
For all the searches, make sure that they are owned by the correct user. The easiest way to do this is to take the savedsearches.conf_local file and place it at $SPLUNK_HOME/etc/apps/local/savedsearches.conf. Edit the file and assign the searches to the right user and role (based on the template). Note that if you are using LDAP, you need to use user names, not user IDs, in the configuration file.
Summary index searches (ones that contain "- SI -") are not scheduled by default. You need to manually enable all the searches that you need for your environment.
Adjust event types
You may have to adjust some event types to ensure that they properly match your data. To edit these, open the application's eventtypes.conf file. Be sure to read the comments in the file that explain each group of stanzas and edit where needed to make the event types meet your own needs. The following is an eventtype you should definitely configure:
There are three transforms defined in transforms.conf:
You should configure at least the latter two for your environment. The REGEX line should match your corresponding address spaces. The Bogon-IP-space should be updated on a regular basis according to: http://www.cymru.com/Documents/bogon-bn-nonagg.txt
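The classifications the event decorations above apply (cleartext protocols, bogon sources) and the firewall dashboard's top-blocked views can be reproduced outside Splunk to sanity-check your eventtype and transform definitions against known input. The following is an added example, not code from the Splunk app; the log format, the bogon prefixes, and the cleartext port list are all assumptions constructed for the demo.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (key=value style); not taken from any real device.
SAMPLE_LOGS = [
    "action=deny src=10.4.4.4 dst=198.51.100.20 dport=445 proto=tcp",
    "action=allow src=203.0.113.7 dst=198.51.100.21 dport=110 proto=tcp",
    "action=allow src=203.0.113.8 dst=198.51.100.21 dport=143 proto=tcp",
    "action=deny src=203.0.113.9 dst=198.51.100.22 dport=445 proto=tcp",
    "action=deny src=0.1.2.3 dst=198.51.100.23 dport=23 proto=tcp",
    "action=allow src=203.0.113.7 dst=198.51.100.24 dport=443 proto=tcp",
]

# Assumed bogon prefixes for the demo; a production list should be refreshed from the
# Team Cymru bogon file referenced above rather than hard-coded.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]

# Ports whose protocols send credentials in the clear (POP and IMAP as in the text; telnet added).
CLEARTEXT_PORTS = {23: "telnet", 110: "pop3", 143: "imap"}

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value log line into a dict; dport becomes an int."""
    event = dict(KV_RE.findall(line))
    event["dport"] = int(event["dport"])
    return event

def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_PREFIXES)

def classify(event):
    """Return the set of eventtype-like tags that apply, mirroring the app's decorations."""
    tags = set()
    if event["dport"] in CLEARTEXT_PORTS:
        tags.add("insecure_" + CLEARTEXT_PORTS[event["dport"]])
    if is_bogon(event["src"]):
        tags.add("bogon_source")
    return tags

def top_blocked_services(lines, n=3):
    """Most-blocked destination ports, like the top of the firewall dashboard."""
    counts = Counter(e["dport"] for e in map(parse_event, lines) if e["action"] == "deny")
    return counts.most_common(n)

def top_blocked_sources(lines, n=3):
    """Most-blocked source addresses, like the bottom of the firewall dashboard."""
    counts = Counter(e["src"] for e in map(parse_event, lines) if e["action"] == "deny")
    return counts.most_common(n)
```

Feeding the same sample lines into Splunk and comparing the eventtype matches with this script's tags is a quick way to confirm the REGEX in transforms.conf covers the address space you intended.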
Set up alerts
Some of the saved searches in this application have alerts associated with them. All of the alerts are disabled by default. You need to enable the ones that you need.
To get the most benefit from the application, you should install and enable the following applications / inputs:
- Splunk for UNIX application
- netstat input (part of Splunk for UNIX)
- Intrusion detection system inputs (e.g., Splunk for Snort)
- Firewalls (e.g., Splunk for PIX)