SplunkLive! Atlanta Mar 2013 - University of Alabama at Birmingham


Speaker notes
  • Retail loss prevention report. Being able to change the questions.
  • If you embed in a form, you have to put the ip in escaped quotes. Something to do with the parsing process of the view to search macro.
  • Note the ezproxy index wildcard naming scheme. Had an edge case of sessions open for extended periods. Still, Splunk made it easy to identify those.
  • Watch the 2600 magazine for the how to.
  • Need to find and kill the private IP block in the Google maps app. We easily can take our other data such as Nessus results, etc. against the map or organizational ownership
  • Also flag the “owner” of the UAB IP; very handy in seeing scans, logins across domains of responsibility
  • #ALL INDEXERS
    [serverClass:all_indexer]
    filterType=blacklist
    blacklist.0=*
    whitelist.0=x.x.x.x

    1. Copyright © 2012 Splunk, Inc.
       George Starcher, University of Alabama at Birmingham
    2. About UAB
       Established in 1969
       17,999 students
       Peak 150 GB log data/day
    3. About the Speaker
       George Starcher, Data Security Coordinator
       Was with Cinram for 14 years and discovered Splunk there
       – Splunk fit my philosophy from my retail loss prevention days
       “My job exists at UAB because of Splunk”
       Log all the things.
       – RaspberryPi + Splunk Storm = Optimal Laundry Time
       – http://www.georgestarcher.com/?p=398
    4. University of Alabama at Birmingham
       Problem
       • No solid log collection platform
       • Reduce Intrusion Detection Time
       • IP to User attribution
       Results
       • Search functionality allows for quick and easy resolution
       • Address security risks with alerts
       • Resolving DMCA compliance issues easier
    5. Splunk for Compliance
    6. Battling Copyright Infringement with Splunk
       Identify specific users illegally sharing files
       – DMCA Complaint provides IP and time
       – Issue is connecting person’s user ID, IP, and MAC address
       Went from taking several days to minutes for resolution
    7. Search Macro: wifiuser-ip(1)
       sourcetype="dhcp-syslog" OR sourcetype="aruba-syslog" OR sourcetype="bradford-syslog" NOT DBUG
         [search sourcetype="dhcp-syslog" OR sourcetype="aruba-syslog" OR sourcetype="bradford-syslog" $ipaddress$
          | dedup mac_address | eval mac_address=lower(mac_address) | fields mac_address]
       | eval mac_address=lower(mac_address)
       | search $ipaddress$
       | transaction mac_address startswith="Authentication Successful"
       | where duration > 0
       | eval starttime=_time | eval endtime=_time+duration
       | eval end_time=strftime(endtime, "%m/%d/%y %I:%M:%S %p")
       | table _time, end_time, duration, blazer_id, src_ip, mac_address
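The attribution the macro performs, reimplemented as an added Python example (not code from the deck or from UAB) over constructed, already field-extracted events: the subsearch that collects every MAC seen with the IP, the lower-casing that makes DHCP's upper-case and Aruba's lower-case spellings dedup to one value, and the per-MAC transaction that turns "Authentication Successful" events into sessions with a duration. The field names beyond those on the slide, and all sample values, are assumptions.

```python
from datetime import datetime

# Constructed sample events (hypothetical values, not UAB data), already
# field-extracted the way Splunk would present dhcp-/aruba-/bradford-syslog events.
def ev(t, mac, message, src_ip, blazer_id=None):
    return {"_time": t, "mac_address": mac, "message": message,
            "src_ip": src_ip, "blazer_id": blazer_id}

EVENTS = [
    ev("2013-02-26 08:00:00", "8C:A9:82:00:00:01", "Authentication Successful", "10.1.2.3", "user1"),
    ev("2013-02-26 08:00:05", "8c:a9:82:00:00:01", "DHCPACK", "10.1.2.3"),
    ev("2013-02-26 09:30:00", "8c:a9:82:00:00:01", "Deauth", "10.1.2.3", "user1"),
    ev("2013-02-26 10:00:00", "8c:a9:82:00:00:02", "Authentication Successful", "10.1.2.3", "user2"),
    ev("2013-02-26 10:45:00", "8C:A9:82:00:00:02", "Deauth", "10.1.2.3", "user2"),
    ev("2013-02-26 11:00:00", "8c:a9:82:00:00:09", "Authentication Successful", "10.9.9.9", "user3"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def macs_for_ip(events, ip):
    # The subsearch: every MAC ever seen with this IP, lower-cased so that the
    # DHCP (upper-case) and Aruba (lower-case) spellings dedup to one value.
    return {e["mac_address"].lower() for e in events if e["src_ip"] == ip}

def sessions_for_ip(events, ip):
    # transaction mac_address startswith="Authentication Successful": a new auth
    # opens a transaction for that MAC; later events for the same MAC extend it.
    macs, open_tx, closed = macs_for_ip(events, ip), {}, []
    for e in sorted(events, key=lambda e: e["_time"]):
        mac = e["mac_address"].lower()
        if mac not in macs:
            continue
        if e["message"] == "Authentication Successful":
            if mac in open_tx:
                closed.append(open_tx[mac])
            open_tx[mac] = {"_time": e["_time"], "end_time": e["_time"], "mac_address": mac,
                            "blazer_id": e["blazer_id"], "src_ip": e["src_ip"]}
        elif mac in open_tx:
            open_tx[mac]["end_time"] = e["_time"]
    closed.extend(open_tx.values())
    for tx in closed:
        tx["duration"] = (ts(tx["end_time"]) - ts(tx["_time"])).total_seconds()
    return [tx for tx in closed if tx["duration"] > 0]   # where duration > 0

def who_had_ip(events, ip, when):
    # The DMCA question: which user IDs held this IP at the complaint's timestamp?
    t = ts(when)
    return sorted(tx["blazer_id"] for tx in sessions_for_ip(events, ip)
                  if ts(tx["_time"]) <= t <= ts(tx["end_time"]))
```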
    8. Splunk for Security
    9. Identifying Compromised User Credentials
       Identify compromised user credentials through VPN and reverse proxy logs
       – ID logging in from China to SSL VPN using Google Translate as a proxy
       Reduce impact of attacks by daily review
       – IPs from non-US sources
       – Anything in the IP range for Google Translate
    12. Saved Searches
       sourcetype=vpn-syslog
       | transaction startswith="Authentication Successful" endswith="Disconnected" keepevicted=true blazer_id
       | eval ip=src_ip | lookup dnsLookup ip
       | geoip src_ip
       | search src_ip_country_code=* NOT src_ip_country_code=US OR (src_ip="" OR src_ip="" OR src_ip="" OR src_ip="")
       | table _time, blazer_id, uab_src_ip, src_ip, hostname, src_ip_country_name

       index="app_ezproxy*" NOT sourcetype=ezprozy_messages NOT domain=*ebsco* NOT domain=*uab.edu
       | geoip src_ip
       | search NOT src_ip_country_code="US"
       | eval MB=(bytes/1024/1024)
       | transaction session_id
       | stats sum(MB) AS totalMB by user, src_ip_country_name
       | eval MB=round(totalMB,0)
       | table user, src_ip_country_name, MB
    13. Brand Monitoring – Google Hacking
       Google Hacking
       – Python script taking known Google hacking search strings. Uses the Google API
       – Run saved searches against Google for our domain and take the results into Splunk
    14. Location, location…location
       Google maps App
       – Hacked the app by showing specific buildings by longitude and latitude
       – Show sources by tripped IPS rule
    16. Location, location…location
       Fun with wifi logs: regex building code, lookup table to details
       Feb 26 23:59:49 x.x.x.x stm[537]: <501093> <NOTI> |AP 341WWAP1S04@x.x.x.x stm| Auth success: 8c:a9:82:00:00:00: AP x.x.x.x-00:0b:86:00:00:00-341WWAP1S04
    18. Security Other Splunk Uses
       • Until we get the Enterprise Security Application in place, made our own dashboards
         • Security Daily Events [SSH outbound, IDS/IPS Events, SSH/RDP In]
         • Linux Log Review [Interfaces to Promiscuous Mode, Root Activity, User Activity, Disk/File Errors, SUDO activity and SU activity]
         • Rolling Hour alerts on Domain Account across multiple workstations
    19. AHA!
       The ability to correlate the log types
       The ability to keep improving parsing over time
       The metadata about the data
       Transaction command is really fun
       Being able to pull reports for upper level management in minutes vs. taking hours to produce a single monthly report. Especially with the attribution to location or system owner.
    20. Deployment Gotchas
       A good inventory
       Making a weekly progress of log collection completion
       The system admins have to ensure logging configuration
       – Syslog vs local retention when moving to Splunk forwarders
       Hosts behind NAT
       Good index planning for delegation of access
       Understand white/blacklist behavior in deployment server; Don’t make typos in serverclass.conf
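As an added example (not from the deck or from Splunk), a small checker for the serverclass.conf stanza quoted in the speaker notes: it applies the whitelist/blacklist precedence documented for filterType and records keys it does not recognise, so a typo such as whitelist0= surfaces instead of silently dropping the indexer from the class. Glob matching on a single client identifier is a simplification of the deployment server's matching, and the address is made up.

```python
import fnmatch
import re

# The stanza from the speaker notes, with the redacted x.x.x.x replaced by a made-up address.
SERVERCLASS_CONF = """\
#ALL INDEXERS
[serverClass:all_indexer]
filterType=blacklist
blacklist.0=*
whitelist.0=10.0.0.7
"""

def parse_serverclass(text):
    # Minimal serverclass.conf reader: only filterType and whitelist.N/blacklist.N are
    # understood; any other key is recorded so a typo can be reported rather than ignored.
    classes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            # filterType defaults to whitelist when not set.
            classes[cur] = {"filterType": "whitelist", "whitelist": [], "blacklist": [], "unknown": []}
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key == "filterType":
            classes[cur]["filterType"] = val
        elif re.fullmatch(r"(whitelist|blacklist)\.\d+", key):
            classes[cur][key.split(".")[0]].append(val)
        else:
            classes[cur]["unknown"].append(key)
    return classes

def is_member(sc, client):
    # Documented precedence, simplified to glob matching on one client identifier:
    # filterType=blacklist: a client unless it matches a blacklist entry and no whitelist entry;
    # filterType=whitelist: a client only if it matches a whitelist entry and no blacklist entry.
    wl = any(fnmatch.fnmatchcase(client, p) for p in sc["whitelist"])
    bl = any(fnmatch.fnmatchcase(client, p) for p in sc["blacklist"])
    return (not bl or wl) if sc["filterType"] == "blacklist" else (wl and not bl)
```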
    21. What is Next
       Enterprise Security Application
       Indexer Replication
       Need to clean up my own enhancements into apps
       Data Retention
       FISMA/PCI
    22. Thank You!