Friday, July 13, 2012

SIEM Splunk firewall log analysis - Part 1


Today, I am going to walk through some of the monitoring techniques that can be used within Splunk to watch for port scanning and malicious SMTP traffic in firewall logs.

  • Port scan detection (i.e. a single source to a single destination on multiple dst_ports in a given time):

… earliest=-15m@m latest=-5m@m | bin _time span=1m | stats dc(dest_port) as port_count by src_ip, dest_ip, _time | where port_count > 100

  • Port sweep detection (i.e. a single source to multiple destinations on a single port in a given time):

… earliest=-15m@m latest=-5m@m | bin _time span=1m | stats dc(dest_ip) as multiple_dest by src_ip, dest_port, _time | where multiple_dest > 100

  • Multiple dropped/blocked connection attempts on high ports (over 1024) within a certain timeframe:

… dest_port>1024 (action="blocked" OR action="deny*" OR action="drop*") earliest=-15m@m latest=-5m@m | bin _time span=1m | stats count by src_ip, dest_port, _time | where count > 100

  • Detection of anything on dst_port 6667 (IRC, a common botnet command-and-control channel):

… dest_port=6667 | stats count by src_ip, dest_ip, action, dest_port

  • Known malicious port activity:

… dest_port=666 OR dest_port=1001 OR dest_port=1011 OR dest_port=1170 OR dest_port=1234 OR dest_port=1245 OR dest_port=1492 OR dest_port=1600 OR dest_port=1807 OR dest_port=1981 OR dest_port=1999 OR dest_port=2001 OR dest_port=2023 OR dest_port=2115 OR dest_port=2140 OR dest_port=2801 OR dest_port=30129 OR dest_port=3700 OR dest_port=4092 OR dest_port=4590 OR dest_port=4156 | chart count by dest_port
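The port scan and port sweep searches above (bin by minute, distinct-count, threshold) re-implemented as an added Python example over constructed firewall log lines; this is not the post's own code, the key=value log format is an assumption, and the thresholds are lowered from 100 to fit the sample.

```python
# Added example (not from the original post): the port-scan and port-sweep
# detections above, re-implemented over constructed firewall log lines so the
# "bin _time span=1m | stats dc(...) by ... | where > N" logic can be seen on data.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed key=value firewall format:
# host 10.1.1.5 touches six ports on one destination within one minute (scan),
# host 10.1.1.9 touches port 22 on four destinations within one minute (sweep).
SAMPLE_LOGS = [
    "2012-07-13T10:00:01 src_ip=10.1.1.5 dest_ip=192.0.2.10 dest_port=%d action=drop" % p
    for p in range(20, 26)
] + [
    "2012-07-13T10:00:30 src_ip=10.1.1.9 dest_ip=192.0.2.%d dest_port=22 action=drop" % h
    for h in range(1, 5)
] + ["2012-07-13T10:01:05 src_ip=10.1.1.5 dest_ip=192.0.2.10 dest_port=80 action=allow"]

def parse(line):
    """Split a constructed line into a dict; _time is truncated to the minute,
    which is what `bin _time span=1m` does in the SPL."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["_time"] = datetime.fromisoformat(ts).replace(second=0)
    return rec

def detect(lines, scan_threshold=5, sweep_threshold=3):
    """Return (scans, sweeps).
    scans:  {(src_ip, dest_ip, minute): dc(dest_port)} where the count exceeds scan_threshold,
            i.e. `stats dc(dest_port) by src_ip, dest_ip, _time | where port_count > N`.
    sweeps: {(src_ip, dest_port, minute): dc(dest_ip)} where the count exceeds sweep_threshold,
            i.e. `stats dc(dest_ip) by src_ip, dest_port, _time | where multiple_dest > N`."""
    scan_ports = defaultdict(set)
    sweep_hosts = defaultdict(set)
    for rec in map(parse, lines):
        scan_ports[(rec["src_ip"], rec["dest_ip"], rec["_time"])].add(rec["dest_port"])
        sweep_hosts[(rec["src_ip"], rec["dest_port"], rec["_time"])].add(rec["dest_ip"])
    scans = {k: len(v) for k, v in scan_ports.items() if len(v) > scan_threshold}
    sweeps = {k: len(v) for k, v in sweep_hosts.items() if len(v) > sweep_threshold}
    return scans, sweeps

if __name__ == "__main__":
    scans, sweeps = detect(SAMPLE_LOGS)
    for (src, dst, minute), n in scans.items():
        print(f"port scan:  {src} -> {dst} hit {n} distinct ports in minute {minute:%H:%M}")
    for (src, port, minute), n in sweeps.items():
        print(f"port sweep: {src} -> port {port} on {n} hosts in minute {minute:%H:%M}")
```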

Additionally, monitoring outbound email traffic, regardless of whether the firewall allows or blocks it, is a highly effective method for detecting compromised hosts. It is important to keep an eye out for a massive amount of outbound SMTP traffic.

Also, monitor any outbound traffic destined for port 25. However, be sure to exclude valid SMTP senders such as mail servers, web servers that send email from forms, and vulnerability scanners.

Part two will continue with more detail.

Wednesday, July 11, 2012

Splunk – Using Lookup Files

The steps below show how to configure and use lookup files within Splunk.

  • Step 1: Add a lookup CSV file under Lookup table files.

  • Step 2: Map the lookup table file to a lookup definition.

  • Step 3: Verify that the lookup works in the search head:

|inputlookup ip_webattackerlist

  • Step 4: Here the ip field contains an IP range rather than a single IP, so extract a single IP from the range and verify that it displays as intended:

|inputlookup ip_webattackerlist | rex field=ip "(?<ipnew>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

OR

|inputlookup ip_webattackerlist | rex field=ip "(?<ipnew>[^-]+)"

  • Step 5: Search the logs for the presence of the malicious src_ip values:

index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip]

  • Step 6: Chart the output into a dashboard:

index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src>[^-]+)" | dedup src | fields src] | lookup ip_webattackerlist ip AS src output description | stats count by src, description

OR

index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip] | lookup ip_webattackerlist ip AS src_ip output description | stats count by description

OR

index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip] | lookup ip_webattackerlist ip AS src_ip output description | stats count by src_ip

  • Step 7: To add new src_ip values to the list:

| stats count | rename count as ip | eval ip="69.28.58.28,202.177.218.43,49.183.211.42,50.17.211.194,122.150.35.248" | makemv delim="," ip | mvexpand ip | eval description="known_attacker" | inputlookup append=t ip_webattackerlist | outputlookup ip_webattackerlist