Sunday, July 31, 2016

Detecting Web Shells

If a SIEM team, during a hunting exercise or otherwise, suspects that a web shell is present on a monitored web server, the following are some things to examine.

In Splunk, an inputs.conf stanza similar to the one below, with a sourcetype of access_combined, access_common or access_combined_wcookie (the variant with the cookie at the end), will auto-extract the key fields: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent and cookie.

 [monitor:///var/log/httpd/access_log]
 sourcetype=access_combined
  • The server access and error logs can be searched for common keywords used by web shells, including file names and/or parameter names. For example, look for the string '.php' in the URLs of Apache HTTP Server's access log and review which scripts are being requested, from where and how often.
  • The filesystem (usually the web server document root) must be searched for common strings in file contents or file names.
  • Search for very long strings, which may indicate encoding or obfuscation. Some backdoors consist of thousands of lines of code, or of a single extremely long line.
  • Search for files modified in the last day or days. Searching for *.php files changed within the last day is a good start, but it is recommended to search for any file change, as a web shell can also be embedded into an image or any other file type.
  • Monitor the network for unusual traffic and connections to and from the web server.
  • Analyse .htaccess files for modifications. Watch for the changes an attacker might make to .htaccess files, for example mapping a non-script extension to the PHP handler.

Acunetix has a great, really comprehensive 5 part article about web shells which covers:

Sample generic Splunk searches to hunt for keywords and notable events
Activity over time with a reference line to indicate the slope or dip in activity
      $index_token$ $sourcetype_token$ "$keyword_field$" | timechart count as yvalue | `lineartrend(_time,yvalue)` | timechart sum(yvalue) sum(newY) | rename sum(yvalue) as count | rename sum(newY) as slope

Supporting Macro
[lineartrend(2)]
args = x,y
definition = eventstats count as numevents sum($x$) as sumX sum($y$) as sumY sum(eval($x$*$y$)) as sumXY sum(eval($x$*$x$)) as sumX2 sum(eval($y$*$y$)) as sumY2 | eval slope=((numevents*sumXY)-(sumX*sumY))/((numevents*sumX2)-(sumX*sumX)) | eval yintercept= (sumY-(slope*sumX))/numevents | eval newY=(yintercept + (slope*$x$)) | eval R=((numevents*sumXY) - (sumX*sumY))/sqrt(((numevents*sumX2)-(sumX*sumX))* ((numevents*sumY2)-(sumY*sumY))) | eval R2=R*R
iseval = 0

Predict Keyword Occurrences
$index_token$ $sourcetype_token$ "$keyword_field$" | timechart count | predict count future_timespan=5

Predict Keyword Recession (flags points above the upper or below the lower 95% prediction band)
$index_token$ $sourcetype_token$ "$keyword_field$" | timechart count | predict count | rename upper95(prediction(count)) as ceiling | rename lower95(prediction(count)) as floor | eval excession=if(count > ceiling, "100", "0") | eval recession=if(count < floor, "-100", "0") | table _time, excession, recession, count, ceiling, floor

Cluster command to find anomalies by grouping like events
 $index_token$ $sourcetype_token$ "$keyword_field$" | cluster showcount=t t=0.5 | table _time, cluster_count, _raw | sort cluster_count
Reduced events, keeping the latest 5 of each cluster
 $index_token$ $sourcetype_token$ "$keyword_field$" | cluster showcount=t t=0.5 labelonly=t | dedup 5 cluster_label sortby -_time | table _time, cluster_label, cluster_count, _raw | sort cluster_count, - _time
Outliers: sources with an event count greater than the average count + one standard deviation
 $index_token$ $sourcetype_token$ "$keyword_field$" | stats count by source | eventstats avg(count) as avg_count stdevp(count) as stdev_count | where count > (avg_count + stdev_count)
Find Anomalies by Rare Punctuation (the ten least common punct patterns, with a sample event for each)
     $index_token$ $sourcetype_token$ "$keyword_field$" | stats count first(source) as source first(_raw) as sample by punct | sort count | head 10 | table count punct source sample
Top 10 Punctuations
 $index_token$ $sourcetype_token$ "$keyword_field$" | stats count first(_raw) as sample first(sourcetype) as sourcetype by punct | sort - count | head 10 | table count punct sample sourcetype
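The arithmetic behind the searches above (the lineartrend macro's least-squares fit, the avg + stdevp outlier rule and the excession/recession flags), as an added Python example that is not part of the original post. The hourly counts and source names are constructed, and because the predict command is not reproduced, the ceiling and floor are approximated as avg ± k*stdevp of the whole series (an assumption):

```python
import math
from collections import Counter

# Constructed hourly counts of a hunted keyword over one day (e.g. hits on a suspicious file name).
HOURLY_COUNTS = [3, 2, 4, 3, 2, 3, 4, 3, 5, 4, 6, 5, 7, 6, 8, 9, 11, 13, 16, 20, 27, 35, 48, 60]

# Constructed per-event source names for the "stats count by source" outlier search.
EVENT_SOURCES = ["/var/log/httpd/access_log"] * 5 + ["/var/log/httpd/error_log", "/var/log/secure"]


def linear_trend(xs, ys):
    """Least-squares line through (x, y), computed with the same sums as the lineartrend macro.

    Returns slope, yintercept, R, R2 and newY (the fitted value for every x), using the
    field names the macro produces.
    """
    n = len(xs)
    sum_x, sum_y = sum(xs), sum(ys)
    sum_xy = sum(x * y for x, y in zip(xs, ys))
    sum_x2 = sum(x * x for x in xs)
    sum_y2 = sum(y * y for y in ys)
    slope = (n * sum_xy - sum_x * sum_y) / (n * sum_x2 - sum_x * sum_x)
    yintercept = (sum_y - slope * sum_x) / n
    r = (n * sum_xy - sum_x * sum_y) / math.sqrt(
        (n * sum_x2 - sum_x * sum_x) * (n * sum_y2 - sum_y * sum_y))
    return {"slope": slope, "yintercept": yintercept, "R": r, "R2": r * r,
            "newY": [yintercept + slope * x for x in xs]}


def mean_stdevp(values):
    """Average and population standard deviation (what Splunk's stdevp computes)."""
    n = len(values)
    avg = sum(values) / n
    return avg, math.sqrt(sum((v - avg) ** 2 for v in values) / n)


def count_outliers(values, k=1.0):
    """Indexes whose value exceeds avg + k*stdevp, the 'average count + standard deviation' rule."""
    avg, sd = mean_stdevp(values)
    return [i for i, v in enumerate(values) if v > avg + k * sd]


def source_outliers(sources, k=1.0):
    """Sources emitting more events than avg + k*stdevp across all sources ('stats count by source')."""
    counts = Counter(sources)
    avg, sd = mean_stdevp(list(counts.values()))
    return sorted(s for s, c in counts.items() if c > avg + k * sd)


def band_flags(values, k=2.0):
    """Per-point excession/recession flags like the 'Predict Keyword Recession' search.

    The Splunk search takes its ceiling/floor from predict's 95% bands; here they are
    avg +/- k*stdevp of the series (an assumption, predict is not reproduced).
    """
    avg, sd = mean_stdevp(values)
    ceiling, floor = avg + k * sd, avg - k * sd
    return [{"count": v,
             "excession": 100 if v > ceiling else 0,
             "recession": -100 if v < floor else 0} for v in values]


if __name__ == "__main__":
    trend = linear_trend(list(range(len(HOURLY_COUNTS))), HOURLY_COUNTS)
    print("slope=%.2f R2=%.3f" % (trend["slope"], trend["R2"]))
    print("outlier hours:", count_outliers(HOURLY_COUNTS))
    print("noisy sources:", source_outliers(EVENT_SOURCES))
```

With the constructed series the fit is steeply positive and the last three hours exceed avg + stdevp; the value of seeing the macro written out is that R2 tells you how much of the series the straight line actually explains, which a rising slope alone does not.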

Appendix

###### To get the list of Index #####
 <fieldset submitButton="true">
 <input type="multiselect" token="index_token" searchWhenChanged="false">
  <default>*</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>index="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <populatingSearch earliest="-4h@h" latest="-5m@m" fieldForLabel="index" fieldForValue="index">| eventcount summarize=false index=* | stats sum(count) as totalCount by index | sort - totalCount</populatingSearch>
  <choice value="*">All</choice>
 </input>
 ###### To get the list of sourcetype #####
 <input type="multiselect" token="sourcetype_token" searchWhenChanged="false">
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>sourcetype="</valuePrefix>
      <valueSuffix>"</valueSuffix>
   <delimiter> OR </delimiter>
   <populatingSearch earliest="-4h@h" latest="-5m@m" fieldForLabel="sourcetype" fieldForValue="sourcetype">| metadata index=* type=sourcetypes  | fields + sourcetype</populatingSearch>
  <choice value="*">All</choice>
  </input>
###### Search for Keyword #####
  <input type="text" token="keyword_field">
  <label>Enter keyword (e.g. error) to find</label>
  <default>Experibot*</default>
  </input>
 <input type="time" token="field1">
  <label>Time</label>
      <default><earliest>-1d@d</earliest><latest>@d</latest>
      </default></input>
  </fieldset>


Saturday, July 30, 2016

Splunk Enterprise Security 3.0 - Out-of-the Box Security UseCases

Splunk Enterprise Security (ES 3.0) uses its security domains to give an overall view of the organisation's security posture. It does this by taking events from the critical log sources, assigning each to a security domain, and grouping those domains under the high-level Access, Identity, Endpoint, Network and Web domains.

The SIEM designer/engineer has to normalise the events to the Common Information Model (CIM) for the relevant domain. Once they are normalised, the default dashboards support the use cases below, and the search language and data models allow further custom use cases as required.

Access Domain 
  1) To identify security incidents involving authentication attempts, such as brute-force attacks, the use of clear-text passwords, or authentications to certain systems during off-hours.
  2) To obtain an overview of accounts that are newly active or newly inactive, including accounts that were inactive for a period of time and recently became active again.
  3) To identify accounts that incorrectly remain on the system after a user leaves the organisation. These accounts are often abused by attackers.
  4) To identify suspicious accounts and look more closely at what those users have been doing.
  5) To verify that accounts are being administered correctly and that administrative privileges for each type of account are restricted to the correct users and roles. A sudden increase in the number of accounts created, modified or deleted can indicate a rogue system or malicious behaviour, and a high number of account lockouts may indicate an attack.
  6) To verify "default accounts", that is, out-of-the-box accounts that are disabled by default on various systems, including network infrastructure devices, databases and applications. Default accounts have well-known passwords and are often not disabled properly when the system is deployed. Abnormal or deviant behaviour from them can indicate security threats or policy violations.
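The Access domain use cases above as detection logic over constructed, CIM Authentication-style events (action, user, src, dest), an added Python example that is not part of the original post or of Splunk ES. The thresholds, business hours, default-account list and the events themselves are assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Out-of-the-box accounts that should be disabled or renamed (assumption; tune to your estate).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest"}


def _ev(t, action, user, src, dest):
    """Build one CIM Authentication-style event; action is 'success' or 'failure'."""
    return {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
            "action": action, "user": user, "src": src, "dest": dest}


# Constructed events (documentation-range IPs, made-up host names); not from the post.
AUTH_EVENTS = [
    _ev("2016-07-30 09:00:00", "success", "alice", "10.0.0.5", "fileserver"),
    _ev("2016-07-30 09:05:00", "failure", "alice", "10.0.0.5", "fileserver"),
    _ev("2016-07-30 09:05:10", "failure", "alice", "10.0.0.5", "fileserver"),   # a typo, not an attack
    _ev("2016-07-30 09:05:30", "success", "alice", "10.0.0.5", "fileserver"),
    _ev("2016-07-30 02:10:00", "failure", "bob", "203.0.113.9", "vpn"),
    _ev("2016-07-30 02:10:15", "failure", "bob", "203.0.113.9", "vpn"),
    _ev("2016-07-30 02:10:30", "failure", "bob", "203.0.113.9", "vpn"),
    _ev("2016-07-30 02:10:45", "failure", "bob", "203.0.113.9", "vpn"),
    _ev("2016-07-30 02:11:00", "failure", "bob", "203.0.113.9", "vpn"),
    _ev("2016-07-30 02:11:20", "success", "bob", "203.0.113.9", "vpn"),        # the guessing succeeded
    _ev("2016-07-30 14:00:00", "success", "carol", "10.0.0.8", "hr-db"),
    _ev("2016-07-30 23:30:00", "success", "admin", "10.0.0.77", "core-switch"),
]


def brute_force(events, threshold=5, window_sec=600):
    """Sources with `threshold` failures inside `window_sec`, and whether a success followed the burst."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] == "failure":
            failures[e["src"]].append(e["time"])
    hits = {}
    for src, times in failures.items():
        # sliding window over the sorted failure timestamps of this source
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_sec:
                last = times[i + threshold - 1]
                hits[src] = {
                    "failures": len(times),
                    "success_after": any(e["src"] == src and e["action"] == "success"
                                         and e["time"] > last for e in events),
                }
                break
    return hits


def off_hours(events, start_hour=7, end_hour=19):
    """Successful authentications outside business hours (end_hour exclusive)."""
    return [e for e in events if e["action"] == "success"
            and not (start_hour <= e["time"].hour < end_hour)]


def default_account_logins(events):
    """Successful use of out-of-the-box accounts that should be disabled."""
    return [e for e in events if e["action"] == "success" and e["user"] in DEFAULT_ACCOUNTS]


if __name__ == "__main__":
    print("brute force:", brute_force(AUTH_EVENTS))
    print("off hours:", [(e["user"], e["src"], e["dest"]) for e in off_hours(AUTH_EVENTS)])
    print("default accounts:", [(e["user"], e["dest"]) for e in default_account_logins(AUTH_EVENTS)])
```

In ES the same logic is a correlation search over the Authentication data model; the point of the example is the shape of each rule. The brute-force check is a sliding window per source and reports whether a success followed the burst, which is what separates a noisy password-guessing alert from an account that has actually been compromised.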

Identity
  1) To review and search the asset and identity data, such as hosts, IP addresses and subnets within the organisation, along with the information recorded about each asset.

Endpoint
  1) To obtain insight into malware events, including viruses, worms, spyware, attack tools, adware and PUPs (Potentially Unwanted Programs), as well as the state of the endpoint protection deployment.
  2) To detect spikes in overall malware activity and to track a particular infection.
  3) To identify outbreaks related to a specific type of malware or on a specific system.
  4) To track the status of the endpoint protection products that have been deployed.
  5) To monitor the overall health of systems and to identify systems that need updates or modifications to their endpoint protection software.
  6) To obtain an overview of the endpoint protection infrastructure that is being administered.
  7) To report on endpoint statistics gathered by Splunk: system configuration and performance metrics for hosts, such as memory, CPU or disk usage.
  8) To validate the integrity of the data by identifying hosts that are not correctly synchronising their clocks.
  9) To detect filesystem and registry changes. A sudden change in the filesystem or registry without corresponding change management can be indicative of a security incident.
  10) To identify endpoints that are not being updated, and to identify which devices have a specific patch installed, for example when a problem is possibly caused by a patch and there is a need to determine exactly where that patch is deployed.

Network
  1) The Network Protection domain provides insight into the network and network-based devices, including routers, switches, firewalls and IDS devices.
  2) To aggregate and display all the traffic on the network, including overall volume, specific patterns of traffic, which devices or users are generating traffic, and per-port traffic.
  3) To show results from the vulnerability scanners on the network, and to identify the most vulnerable hosts, first-time vulnerabilities, long-term vulnerabilities and top vulnerabilities.
  4) To perform ad-hoc searches of network activity.
  5) To identify IDS-related events such as attacks or reconnaissance activity.
  6) To track changes to firewalls and other network devices, in order to troubleshoot problems such as a firewall or other device going down, or a recent configuration change on the device(s).
  7) To obtain an overview of network sessions. Network sessions are used to correlate network activity to a user, using session data provided by DHCP or VPN servers.
  8) To review the session logs and identify the user or machine associated with an IP address used during a session.
  9) To display the volume of network transport and port activity over time, and to evaluate whether port activity is trending upwards or downwards. Sudden increases in unapproved port activity may indicate a change on the networked devices, such as an infection.

Web
  1) To profile web events.
  2) To obtain an overview of the type of content that clients are requesting and how much bandwidth is being used by each client.
  3) To troubleshoot potential issues such as bandwidth usage or proxies that are no longer serving content to proxy clients.
  4) To identify the sources associated with the highest volume of network traffic. This is useful for identifying sources that are using an excessive amount of bandwidth (for example, hosts doing file-sharing).
  5) To identify the destinations associated with the highest volume of network traffic. This is useful for identifying frequently-requested destinations that generate large amounts of traffic (for example, YouTube or Facebook).


Thursday, July 28, 2016

Splunk Universal forwarder remote install script linux - Splunk Architecture Lab


  
  
Recently had a Splunk Architecture Lab, where one of the requirements was to install the Splunk Universal Forwarder (UF) on two Linux servers in an automated manner. There are more than three versions of this script available on Splunkbase and Splunk Answers.

Took one of them and tweaked it to suit the lab needs.

High Level Steps
  Download the UF from the Splunk site (the instance supports wget, so make sure to fetch the latest version of the software).
  Install the software silently; sudo on the remote host will still prompt the user for credentials.
  Copy the deploymentclient.conf file with the deployment server details and perform a restart.
  Continue the same for the other servers.

Supporting Files

forwarderlist.txt - List of universal forwarders as ssh logins, one per line
  sample
  user@ipaddress1
  user@ipaddress2

deploymentclient.conf
  [target-broker:deploymentServer]
  targetUri = deploymentserverip:8089

The ssh user must have sudo rights on each forwarder host and enough permission to copy the file into /tmp there; on the search head the script and both supporting files live in /opt/splunk/bin/scripts. Note that the script carries the new admin password in clear text and echoes it to the terminal before running, so keep the file permissions tight and rotate that password once the forwarders are under deployment-server control.

######### UF_install.sh Script ##############

#!/bin/sh
# UF_install.sh - push the Universal Forwarder to every host in forwarderlist.txt from the search head

#### forwarderlist.txt contains one ssh login (user@ipaddress) per line for each forwarder host
HOSTS_FILE="/opt/splunk/bin/scripts/forwarderlist.txt"

#### deploymentclient.conf on this search head, pointing the forwarders at the deployment server
CONF_FILE="/opt/splunk/bin/scripts/deploymentclient.conf"

### Download the latest version of the installer from the splunk site (update version and build hash together)
INSTALL_FILE="splunkforwarder-6.4.2-00f5bb3fa822-Linux-x86_64.tgz"
WGET_CMD="wget -O $INSTALL_FILE 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.2&product=universalforwarder&filename=$INSTALL_FILE&wget=true'"

DEPLOY_SERVER="deploymentserverip:8089"
PASSWORD="setpassword"   # replaces the default admin:changeme on each forwarder

### installation steps, run on each remote host through ssh
REMOTE_SCRIPT="
set -e
cd /opt
sudo $WGET_CMD
sudo tar -xzf $INSTALL_FILE

# run the forwarder as its own unprivileged user (skip useradd if it already exists)
id splunk >/dev/null 2>&1 || sudo useradd -m -r splunk
sudo chown -R splunk:splunk /opt/splunkforwarder

### optional: sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
sudo -u splunk /opt/splunkforwarder/bin/splunk set deploy-poll $DEPLOY_SERVER -auth admin:changeme
sudo -u splunk /opt/splunkforwarder/bin/splunk edit user admin -password $PASSWORD -auth admin:changeme

# deploymentclient.conf was staged in /tmp by scp (see the loop below); move it into place owned by splunk
sudo cp /tmp/deploymentclient.conf /opt/splunkforwarder/etc/system/local/deploymentclient.conf
sudo chown splunk:splunk /opt/splunkforwarder/etc/system/local/deploymentclient.conf
rm -f /tmp/deploymentclient.conf

# once the file is in etc/system/local, restart for it to take effect
sudo -u splunk /opt/splunkforwarder/bin/splunk restart
"

### Continue the same for other UF hosts
echo "In 5 seconds, will run the following script on each remote host:"
echo
echo "===================="
echo "$REMOTE_SCRIPT"
echo "===================="
echo
sleep 5
echo "Reading host logins from $HOSTS_FILE"
echo
echo "Starting."
for DST in $(cat "$HOSTS_FILE"); do
  if [ -z "$DST" ]; then
    continue
  fi
  echo "---------------------------"
  echo "Installing to $DST"
  # stage the config on the target first, then run the install (-t gives sudo a tty to prompt for the password)
  scp "$CONF_FILE" "$DST:/tmp/deploymentclient.conf"
  ssh -t "$DST" "$REMOTE_SCRIPT"
done
echo "---------------------------"
echo "Done"

######## end of script ######
Comment below if there are any questions.

Tuesday, July 26, 2016

Detecting CRYPMIC RANSOMWARE in Splunk

The two most widespread methods of distributing malware are email attachments (malicious spam) and exploit kits. An email attachment requires the user to trigger an action, such as opening the document or enabling the macro, for the malware to activate. Exploit kits work behind the scenes and do not require any additional action by the user.





Among the crypto-ransomware families, CRYPMIC is most often seen being distributed by the Neutrino EK, which has recently been reported delivering other ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber.

    BACKGROUND ON CRYPMIC RANSOMWARE:

    2016-07-06 - SANS ISC diary:  CryptXXX ransomware updated   [The date I first noticed this new branch of ransomware.]
    2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
    2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps   [TrendLabs analyzes the new branch and names it.]

This post shows ways to identify and detect the malicious traffic and the associated files within the logs. The sample capture was obtained from malware-traffic-analysis.net. My lab set-up for this review is as follows: I ran Suricata against the pcap and set Splunk to monitor Suricata's JSON output (a simple file monitor).




File Name - "2016-07-28 - PSEUDO-DARKLEECH NEUTRINO EK SENDS CRYPMIC RANSOMWARE"

Malicious Files and the sites that downloaded the payload







Splunk Searches

Timeline of events
index="network" sourcetype="pcap_json" source="*$source$*" | timechart count by $split$ limit=10 useother=0 usenull=0

HTTP Traffic
index="network" sourcetype="pcap_json" source="*" event_type=http | iplocation src_ip | table timestamp pcap_cnt src_ip Country dest_ip dest_port http.http_content_type proto http.hostname http.url

Binary content (application/*) returned over HTTP, i.e. the exploit and payload downloads
(index=suricata OR index=network) sourcetype=pcap_json source!="*stats.log" "http.http_content_type"="application*" | table _time dest_ip, pcap_cnt, http.http_content_type, http.hostname, http.url

Files Downloaded
index="network" sourcetype="pcap_json" source="*$source$*" event_type=fileinfo | iplocation src_ip | table timestamp pcap_cnt event_type src_ip Country dest_ip dest_port fileinfo.filename http.hostname http.url | sort timestamp
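The searches above, re-implemented over constructed Suricata EVE JSON records, as an added Python example that is not part of the original post. The records follow the event types and field names the dashboard uses (http, fileinfo, alert, dns, http.http_content_type, http.http_refer, fileinfo.filename); the hostnames, IPs, alert signature text and file details are placeholders, not the real campaign's infrastructure:

```python
import json
from collections import Counter


def _rec(ts, etype, **extra):
    """One constructed EVE record for the victim 192.168.1.100 (fields overridable per record)."""
    base = {"timestamp": ts, "event_type": etype, "src_ip": "192.168.1.100",
            "dest_ip": "198.51.100.20", "dest_port": 80, "proto": "TCP"}
    base.update(extra)
    return json.dumps(base)


# Constructed capture: DNS lookup, compromised site, EK landing page, Flash exploit, payload, file record.
EVE_LINES = [
    _rec("2016-07-28T15:01:00.000000+0000", "dns", dest_ip="192.168.1.1", dest_port=53, proto="UDP",
         dns={"type": "query", "rrname": "www.compromised-site.example", "rrtype": "A"}),
    _rec("2016-07-28T15:01:01.000000+0000", "http", flow_id=11,
         http={"hostname": "www.compromised-site.example", "url": "/", "http_method": "GET",
               "http_content_type": "text/html", "status": 200}),
    _rec("2016-07-28T15:01:03.000000+0000", "http", flow_id=12,
         http={"hostname": "ek-landing.example", "url": "/landing/page", "http_method": "GET",
               "http_refer": "http://www.compromised-site.example/",
               "http_content_type": "text/html", "status": 200}),
    _rec("2016-07-28T15:01:03.500000+0000", "alert", flow_id=12,
         alert={"signature": "Constructed test signature: exploit kit landing page",
                "category": "Exploit Kit Activity", "severity": 1}),
    _rec("2016-07-28T15:01:05.000000+0000", "http", flow_id=13,
         http={"hostname": "ek-landing.example", "url": "/exploit.swf", "http_method": "GET",
               "http_refer": "http://ek-landing.example/landing/page",
               "http_content_type": "application/x-shockwave-flash", "status": 200}),
    _rec("2016-07-28T15:01:09.000000+0000", "http", flow_id=14,
         http={"hostname": "ek-landing.example", "url": "/payload", "http_method": "GET",
               "http_refer": "http://ek-landing.example/landing/page",
               "http_content_type": "application/octet-stream", "status": 200}),
    _rec("2016-07-28T15:01:10.000000+0000", "fileinfo", flow_id=14,
         http={"hostname": "ek-landing.example", "url": "/payload"},
         fileinfo={"filename": "/payload", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
                   "state": "CLOSED", "stored": False, "size": 286720}),
]


def load_events(lines):
    """Parse EVE JSON, one record per line, the way Splunk's file monitor ingests it."""
    return [json.loads(l) for l in lines if l.strip()]


def binary_downloads(events):
    """HTTP responses with an application/* content type: the exploit and payload fetches."""
    rows = [(e["timestamp"], e["http"].get("hostname"), e["http"].get("url"), e["http"]["http_content_type"])
            for e in events if e["event_type"] == "http"
            and str(e["http"].get("http_content_type", "")).startswith("application/")]
    return sorted(rows)


def files_downloaded(events):
    """The fileinfo records, with the host that served each file and Suricata's magic string."""
    return [{"filename": e["fileinfo"]["filename"], "magic": e["fileinfo"].get("magic"),
             "hostname": e.get("http", {}).get("hostname"), "size": e["fileinfo"].get("size")}
            for e in events if e["event_type"] == "fileinfo"]


def infection_chain(events, victim_ip):
    """The victim's HTTP requests in order, each marked if its referer points at the previous hop's host."""
    http = sorted((e for e in events if e["event_type"] == "http" and e["src_ip"] == victim_ip),
                  key=lambda e: e["timestamp"])
    chain, prev_host = [], None
    for e in http:
        h = e["http"]
        referer = h.get("http_refer", "")
        chain.append({"time": e["timestamp"], "hostname": h.get("hostname"), "url": h.get("url"),
                      "content_type": h.get("http_content_type"), "referer": referer,
                      "linked_to_previous": bool(prev_host) and prev_host in referer})
        prev_host = h.get("hostname")
    return chain


def alert_counts(events):
    """Alert signatures with their counts, the IDS_Alerts view."""
    return Counter(e["alert"]["signature"] for e in events if e["event_type"] == "alert")


if __name__ == "__main__":
    evs = load_events(EVE_LINES)
    for hop in infection_chain(evs, "192.168.1.100"):
        print(hop["time"], hop["hostname"], hop["url"], hop["content_type"], hop["linked_to_previous"])
    print(binary_downloads(evs))
    print(files_downloaded(evs))
```

binary_downloads is the Python equivalent of the application/* content-type search, and infection_chain follows http.http_refer from the compromised site to the landing page and on to the exploit and payload, which is the order the timeline panel shows when split by http.hostname. A hop whose referer does not point at the previous host is where the chain was broken or obscured, and is worth a closer look in the raw events.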





 
<form script="tabs.js" stylesheet="tabs.css,dark.css">
  <label>Suricata IDS Dashboard</label>
  <description>Splunk Dashboard for Suricata IDS Events</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="timestamp" searchWhenChanged="true">
      <label>Time picker</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="split" searchWhenChanged="true">
      <label>Split by:</label>
      <choice value="alert.signature">alert.signature</choice>
      <choice value="dest_port">dest_port</choice>
      <choice value="dest_ip">dest_ip</choice>
      <choice value="dns.rrtype">dns.rrtype</choice>
      <choice value="event_type">event_type</choice>
      <choice value="host">host</choice>
      <choice value="http.hostname">http.hostname</choice>
      <choice value="http.http_refer">http.http_refer</choice>
      <choice value="http.redirect">http.redirect</choice>
      <choice value="http.status">http.status</choice>
      <choice value="http.url">http.url</choice>
      <choice value="src_ip">src_ip</choice>
      <choice value="tls.issuerdn">tls.issuerdn</choice>
      <choice value="tls.subject">tls.subject</choice>
      <choice value="tls.version">tls.version</choice>
      <default>http.hostname</default>
    </input>
    <input type="text" token="source" searchWhenChanged="true">
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart id="item_1">
        <title>Timeline of Event</title>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*"   | timechart count by $split$ limit=10 useother=0 usenull=0</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      </chart>
    </panel>
  </row>
  <row id="tabs">
    <panel>
      <html>
        <ul id="tabs" class="nav nav-tabs">
          <li class="active">
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tab_http" data-token="control_token_1">HTTP_Traffic</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_ids" data-token="control_token_2">IDS_Alerts</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_dns" data-token="control_token_3">DNS_Traffic</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_tls" data-token="control_token_4">TLS_Traffic</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_files" data-token="control_token_5">Files_Downloaded</a>
          </li>
          
        </ul>
      </html>
    </panel>
  </row>
  <row id="tabs_ids">
    <panel>
      <title>IDS_Alerts</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" event_type=alert | table _time src_ip dest_ip dest_port alert.signature alert.category alert.severity</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">20</option>
        <drilldown>
          <condition field="alert.signature">
            <set token="alert.signature">$row.alert.signature$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row id="tabs_dns">
    <panel>
      <title>DNS_Traffic</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*"  event_type=dns| iplocation dns.rdata  | table  timestamp src_ip dest_ip dest_port dns.rdata Country dns.rrname dns.rrtype dns.type</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
      </table>
    </panel>
  </row>
  <row id="tabs_tls">
    <panel>
      <title>TLS_Traffic</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" event_type=tls| table timestamp pcap_cnt event_type src_ip dest_ip dest_port tls.issuerdn tls.subject</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row id="tabs_files">
    <panel>
      <title>Files_Downloaded</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" event_type=fileinfo | iplocation src_ip | table timestamp pcap_cnt event_type src_ip Country dest_ip dest_port  fileinfo.filename http.hostname http.url  | sort timestamp</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>HTTP_Traffic</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" event_type=http | iplocation src_ip | table timestamp pcap_cnt src_ip Country dest_ip dest_port http.http_content_type proto http.hostname http.url</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <event id="detail" depends="$alert.signature$">
        <title>Event Details for signature - $alert.signature$</title>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" alert.signature!="\*suricata\*"       alert.signature="$alert.signature$"</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="count">10</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>
 
 
<form script="tabs.js" stylesheet="tabs.css,dark.css">
  <label>Suricata IDS Dashboard</label>
  <description>Splunk Dashboard for Suricata IDS Events</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="timestamp" searchWhenChanged="true">
      <label>Time picker</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="split" searchWhenChanged="true">
      <label>Split by:</label>
      <choice value="alert.signature">alert.signature</choice>
      <choice value="dest_port">dest_port</choice>
      <choice value="dest_ip">dest_ip</choice>
      <choice value="dns.rrtype">dns.rrtype</choice>
      <choice value="event_type">event_type</choice>
      <choice value="host">host</choice>
      <choice value="http.hostname">http.hostname</choice>
      <choice value="http.http_refer">http.http_refer</choice>
      <choice value="http.redirect">http.redirect</choice>
      <choice value="http.status">http.status</choice>
      <choice value="http.url">http.url</choice>
      <choice value="src_ip">src_ip</choice>
      <choice value="tls.issuerdn">tls.issuerdn</choice>
      <choice value="tls.subject">tls.subject</choice>
      <choice value="tls.version">tls.version</choice>
      <default>http.hostname</default>
    </input>
    <input type="text" token="source" searchWhenChanged="true">
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart id="item_1">
        <title>Timeline of Event</title>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*"   | timechart count by $split$ limit=10 useother=0 usenull=0</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      </chart>
    </panel>
  </row>
  <row id="tabs">
    <panel>
      <html>
        <ul id="tabs" class="nav nav-tabs">
          <li class="active">
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tab_http" data-token="control_token_1">HTTP_Traffic</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_ids" data-token="control_token_2">IDS_Alerts</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_dns" data-token="control_token_3">DNS_Traffic</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_tls" data-token="control_token_4">TLS_Traffic</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-toggle="tab" data-elements="tabs_files" data-token="control_token_5">Files_Downloaded</a>
          </li>
         
        </ul>
      </html>
    </panel>
  </row>
  <row id="tabs_ids">
    <panel>
      <title>IDS_Alerts</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" source!="*stats.log" event_type=alert | table _time src_ip dest_ip dest_port proto alert.signature http.hostname http.url</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">20</option>
        <drilldown>
          <condition field="alert.signature">
            <set token="alert.signature">$row.alert.signature$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row id="tabs_dns">
    <panel>
      <title>DNS_Traffic</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*"  event_type=dns| iplocation dns.rdata  | table  timestamp src_ip dest_ip dest_port dns.rdata Country dns.rrname dns.rrtype dns.type</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
      </table>
    </panel>
  </row>
  <row id="tabs_tls">
    <panel>
      <title>TLS_Traffic</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" event_type=tls| table timestamp pcap_cnt event_type src_ip dest_ip dest_port tls.issuerdn tls.subject</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row id="tabs_files">
    <panel>
      <title>Files_Downloaded</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" event_type=fileinfo | iplocation src_ip | table timestamp pcap_cnt event_type src_ip Country dest_ip dest_port  fileinfo.filename http.hostname http.url  | sort timestamp</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row id="tab_http">
    <panel>
      <title>HTTP_Traffic</title>
      <table>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" event_type=http | iplocation src_ip | table timestamp pcap_cnt src_ip Country dest_ip dest_port http.http_content_type proto http.hostname http.url</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <event id="detail" depends="$alert.signature$">
        <title>Event Details for signature - $alert.signature$</title>
        <search>
          <query>index="network" sourcetype="pcap_json" source="*$source$*" alert.signature!="\*suricata\*"       alert.signature="$alert.signature$"</query>
          <earliest>$timestamp.earliest$</earliest>
          <latest>$timestamp.latest$</latest>
        </search>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="count">10</option>
        <fields>["host","source","sourcetype"]</fields>
      </event>
    </panel>
  </row>
</form>
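As an added example that is not part of the dashboard above, the following Python script reads Suricata EVE JSON lines (the records the dashboard indexes as sourcetype pcap_json) and reproduces offline what the "Timeline of Event" panel's `timechart count by $split$ limit=10 useother=0 usenull=0` and the IDS_Alerts table compute; the sample records and the signature name in them are constructed, not captured from a sensor.

```python
"""Offline stand-in for the dashboard's "Timeline of Event" and IDS_Alerts panels:
parses Suricata EVE JSON lines, skips stats records (the dashboard's
source!="*stats.log") and reproduces timechart count by <split> limit=10 useother=0."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample EVE records, not captured from a real sensor.
SAMPLE_EVE = [
    '{"timestamp":"2016-07-31T10:05:12.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":80,"http":{"hostname":"example.com","url":"/index.php","http_content_type":"text/html"}}',
    '{"timestamp":"2016-07-31T10:20:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":80,"http":{"hostname":"example.com","url":"/cmd.php?c=id","http_content_type":"text/html"}}',
    '{"timestamp":"2016-07-31T11:02:40.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":80,"alert":{"signature":"SAMPLE WEB_SERVER possible web shell access","category":"Web Application Attack","severity":1},"http":{"hostname":"example.com","url":"/cmd.php?c=id"}}',
    '{"timestamp":"2016-07-31T11:30:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","dest_port":53,"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2016-07-31T11:45:00.000000+0000","event_type":"stats","stats":{"uptime":3600}}',
]

def flatten(obj, prefix=""):
    """Turn nested EVE JSON into Splunk-style dotted field names (http.url, alert.signature)."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out

def load_events(lines):
    """Parse EVE lines into flat dicts and drop stats records, as the dashboard's filter does."""
    events = [flatten(json.loads(line)) for line in lines]
    return [ev for ev in events if ev.get("event_type") != "stats"]

def timechart_count_by(events, split, limit=10):
    """timechart count by <split>: {hour bucket: {value: count}} for the top `limit` values."""
    top = Counter(ev[split] for ev in events if split in ev)
    keep = {v for v, _ in top.most_common(limit)}  # useother=0: values outside the top N are dropped
    chart = defaultdict(Counter)
    for ev in events:
        if ev.get(split) in keep:  # usenull=0: events without the split field are ignored
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            bucket = ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:00")
            chart[bucket][ev[split]] += 1
    return {b: dict(c) for b, c in chart.items()}

def alerts_by_signature(events):
    """Rows for the IDS_Alerts panel: one row per alert, including the field its drilldown uses."""
    return [(ev["timestamp"], ev["src_ip"], ev["dest_ip"], ev["alert.signature"], ev.get("http.url"))
            for ev in events if ev.get("event_type") == "alert"]
```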