How to Build a simple App for Splunk

Size: px

Start display at page:

Download "How to Build a simple App for Splunk"

Mae Felicity Bates
8 years ago
Views:

1 How to Build a simple App for Splunk Version: 1.2 Date: SPP, Lösungen im Team Seite 1/24

2 Project How to Build a simple App for Splunk Project Leader Alexander Szönyi Responsible Alexander Szönyi Created Last Change Revision Reference Change log No. Date Version Author Comment Szönyi Create Document SPP, Lösungen im Team Seite 2/24

2010 Last Change Revision Reference Change log No.

3 Table of Contents 1 Create a new APP (Sample Snort App) Create a Index for your App (Sample Snort App) Install Snort on your System Create a Data Input for your App (Sample Snort App) Test your new APP with a search (Sample Snort App) Create 3 new important Fields for your App (Sample Snort App) Create 3 new searches for your new App Generate a Dashboard for your new APP Launch to your new App and press the button Actions and select Create new dashboard SPP, Lösungen im Team Seite 3/24

.. 7 5 Test your new APP with a search (Sample Snort App)... 8 6 Create 3 new important Fields for your App (Sample Snort App).

4 1 Create a new APP (Sample Snort App) - Login to Splunk - Go to the Manager -> Apps - Click the button Create app - Fill in (see Picture) - If you are finished press the Save Button SPP, Lösungen im Team Seite 4/24

5 2 Create a Index for your App (Sample Snort App) - Launch to your new APP - - go from your App direct to the Manager-> Indexes (this is important!!!, that your new index will match with your App) SPP, Lösungen im Team Seite 5/24

6 - Click the button New - Fill in (see Picture) - If you are finished press the Save Button - Reboot Splunk (Manager->Server controls>restart Splunk) SPP, Lösungen im Team Seite 6/24

3 Install Snort on your System - In my example apt-get install snort (Ubuntu installation) 4 Create a Data Input for your App (Sample Snort App) - Launch to your new APP - go from your App direct to

7 3 Install Snort on your System - In my example apt-get install snort (Ubuntu installation) 4 Create a Data Input for your App (Sample Snort App) - Launch to your new APP - go from your App direct to the Manager-> Data inputs (this is important!!!, that your new index will match with your App) - in my example choose Files & Directories - Click the button New - Fill in (see Picture) and then go to your new APP SPP, Lösungen im Team Seite 7/24

8 5 Test your new APP with a search (Sample Snort App) - Tip in in the search windows index= snort * then press Enter SPP, Lösungen im Team Seite 8/24

9 6 Create 3 new important Fields for your App (Sample Snort App) - Go to your new App - Tip in in the search windows- index= snort * then press Enter - Press the Button right from your messages (see Picture) - Chose Extract Fields (a new windows appears) SPP, Lösungen im Team Seite 9/24

Enter - Press the Button right from your messages (see Picture) - Chose

- Now you are in the Interactive Field Extractor Window - First we want to extract following field (marked in yellow) - [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP

10 - Now you are in the Interactive Field Extractor Window - First we want to extract following field (marked in yellow) - [**] [1: :2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11: : > :8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20 SPP, Lösungen im Team Seite 10/24

Denial of Service] [Priority: 2] 03/25-10

11 - First you copy and paste all messages (see yellow marked) into the Example values Box and click Generate (see Picture) - Know you have generate a regex for your Field (?im)^(?:[^ ]* ){2}(?P<FIELDNAME>.*?)\s+\[, but you can see in the picture that this regex also match to other text in your log. SPP, Lösungen im Team Seite 11/24

$\[\d+:\d+:\d+]\s+(?p<fieldname>.*?$

12 - So the correct regex is for your Field is (?im)^[^ ]* \[\d+:\d+:\d+]\s+(?p<fieldname>.*?)\s+\[, you can know see in the picture that only your messages are marked. SPP, Lösungen im Team Seite 12/24

$\[\d+:\d+:\d+]\s+(?p<fieldname>.*?$

13 - Save your new Field, press the Save Button and save the Filed as snort_message (see picture). - Repeat this steps with the following new Fields, o o snort_classification [**] [1: :2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11: : > :8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20 Regex = (?i)\[classification: (?P<FIELDNAME>[^\]]*)(?=\]) snort_priority [**] [1: :2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11: : > :8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20 Regex = (?i)\[priority:\s+(?p<fieldname>[^\]]*)(?=\]) SPP, Lösungen im Team Seite 13/24

$i)\[classification: (?P<FIELDNAME>[^\]]*)(?$

14 7 Create 3 new searches for your new App - First search is index="snort" snort_message="*" snort_classification="*" snort_priority="*" src_ip="*" src_port="*" dest_ip="*" dest_port="*" (see Picture) SPP, Lösungen im Team Seite 14/24

15 - Save the search, go to the Actions button and press save search... (see Picture) SPP, Lösungen im Team Seite 15/24

16 - A new windows appears, name the search Snort Alerts Last 4 Hours (see Picture) and Save it. SPP, Lösungen im Team Seite 16/24

17 - Secound search is a report, the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*". Go to the left sight from the windows and press by the fields the right from snort_messages the button. (see picture) SPP, Lösungen im Team Seite 17/24

Go to the left sight from the windows and press by the fields the

18 - Know choose Report on : top values overall - Call your Chart Title: Snort Top messages overall - Press the button Save and chose Save Report... - Name the Save Report Snort Top messages overall and save it. SPP, Lösungen im Team Seite 18/24

19 - Third search is also a report, the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*". Go to the left sight from the windows and press by the fields the right from snort_priority the button and chose top values by time save your report as Snort Prioritys in the last 24 Hours (see the picture how its looks like) SPP, Lösungen im Team Seite 19/24

Go to the left sight from the windows and press by the fields the right from snort_priority the

20 8 Generate a Dashboard for your new APP - Launch to your new App and press the button Actions and select Create new dashboard... - Name the dashboard SNORT (see picture) and press Create SPP, Lösungen im Team Seite 20/24

21 - Know press Edit the dashboard SPP, Lösungen im Team Seite 21/24

22 - Build your first panel and name it Snort Prioritys in the last 24 Hours (see Picture) and press Add panel - Add the next panel Snort Top messages overall (see Picture). SPP, Lösungen im Team Seite 22/24

23 - Add the next last panel Snort Alerts Last 4 Hours (see Picture) and close. SPP, Lösungen im Team Seite 23/24

24 - Know you see your new dashboard (see picture) LAST POINT, to not forget to give other people access to your new App and index, searches, reports and dashboards. SPP, Lösungen im Team Seite 24/24

Exercise 7 Network Forensics

Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will: