Wednesday, May 22, 2013

Splunk: Creating eventtypes from csv to name VLANS

Everyone got the VLAN name lookup working from the last post? You did.. ? Really someone is listening?

Next, let's use the information in the internal_networks.csv file to create event types and really change the way we search in Splunk.

While researching this topic, I learned that you CAN NOT do subsearches in eventtypes.conf.
I was hoping to do something like this (don't try it; it doesn't work):

eventtypes.conf
[vlan:Guest] 
search src_ip=172.30.21.0/24 |lookup vlan network AS src_ip OUTPUT name AS Src_VLAN

So I had to find an easy way to parse our csv. I love trying to do all my heavy lifting on one line in Linux, so I challenged myself.. can it be done?

As a reminder, here is our internal_networks.csv. I have cleaned it up to conform with the Common Information Model as best I could: no spaces in the names and no capital letters.

network,name
"192.168.1.0/24","corporate"
"192.168.2.0/24","voice"
"192.168.3.0/24","nosc_tac"
"192.168.4.0/24","servers"
"192.168.5.0/24","engineering"
"192.168.6.0/24","security"
"192.168.7.0/24","unassigned"
"192.168.8.0/24","it_engineering"
"192.168.9.0/24","human_resources"
"192.168.10.0/24","call_manager"
"192.168.11.0/24","wireless"
"192.168.12.0/24","executive_office"
"192.168.13.0/24","unassigned"
"192.168.14.0/24","voip"
"192.168.15.0/24","finance"
"192.168.16.0/24","marketing"
"192.168.17.0/24","pm_users"
"192.168.18.0/24","sales"
"192.168.19.0/24","consultants"
"192.168.20.0/24","procurement"
"192.168.21.0/24","guest"
"192.168.255.0/24","255"

..and with a single beautiful line you can create a new eventtypes.conf from our internal_networks.csv.

sudo awk -F"\"" 'NR!=1{ print "[vlan:"$4"]\nsearch = src_ip="$2"\n" }' /opt/splunk/etc/apps/search/lookups/internal_networks.csv >> /opt/splunk/etc/system/local/eventtypes.conf
You might have to change permissions to be able to write (append) to /opt/splunk/etc/apps/default/local/eventtypes.conf.
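The awk line does the job, but two things about the csv above bite when you rely on it: the name "unassigned" appears twice, so the generated file ends up with two [vlan:unassigned] stanzas (Splunk merges repeated stanzas, so only one of the two searches survives), and because the line appends with >>, running it again after the csv changes leaves the old stanzas in place. The script below is an added example, not code from the original post, that generates the same stanzas from a cut-down copy of the csv (constructed inline, including the duplicated name and one deliberately bad row), ORs repeated subnets into a single stanza, skips rows whose network column is not a valid CIDR, and prints the result so you decide whether to overwrite or append. The field name src_ip and the vlan: prefix are taken from the post; everything else is this example's own.

```python
"""Generate Splunk eventtypes.conf stanzas from a VLAN lookup CSV.

Added example, not from the original post. Same output shape as the awk
one-liner, plus: repeated names collapse into one stanza (OR-ed subnets),
invalid networks are reported instead of silently written, and names are
normalised the way the post's cleaned-up csv is (lower case, underscores).
"""
import csv
import io
import ipaddress
import re
from collections import OrderedDict

# Constructed sample: a shortened copy of internal_networks.csv in the post's
# cleaned-up form, keeping the duplicated "unassigned" name and adding one
# bad row to show the validation path.
SAMPLE_CSV = """network,name
"192.168.1.0/24","corporate"
"192.168.7.0/24","unassigned"
"192.168.13.0/24","unassigned"
"192.168.18.0/24","sales"
"192.168.255.0/24","255"
"not-a-network","bogus"
"""


def load_networks(csv_text):
    """Return (name -> [cidr, ...] in csv order, list of rejected network values)."""
    by_name = OrderedDict()
    skipped = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            # strict=True rejects host bits set, e.g. 192.168.1.5/24
            net = ipaddress.ip_network(row["network"].strip(), strict=True)
        except ValueError:
            skipped.append(row["network"])
            continue
        # CIM-style normalisation: lower case, whitespace -> underscore
        name = re.sub(r"\s+", "_", row["name"].strip().lower())
        by_name.setdefault(name, []).append(str(net))
    return by_name, skipped


def render_eventtypes(by_name, field="src_ip", prefix="vlan"):
    """Emit eventtypes.conf text: one [prefix:name] stanza per distinct name."""
    stanzas = []
    for name, nets in by_name.items():
        terms = " OR ".join(f"{field}={n}" for n in nets)
        # Parenthesise when more than one subnet shares the name
        search = terms if len(nets) == 1 else f"({terms})"
        stanzas.append(f"[{prefix}:{name}]\nsearch = {search}\n")
    return "\n".join(stanzas)


if __name__ == "__main__":
    networks, bad = load_networks(SAMPLE_CSV)
    print(render_eventtypes(networks))
    if bad:
        print("# skipped rows with invalid networks:", ", ".join(bad))
```

Run it with the real file by replacing SAMPLE_CSV with the contents of /opt/splunk/etc/apps/search/lookups/internal_networks.csv and redirect stdout to eventtypes.conf with > rather than >> when regenerating after a change.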

and now look what we have.. well-defined event types! Now you can stop guessing what 192.168.3.45 is.. It is the nosc_tac VLAN!


Additionally, you now have the ability to search by VLAN name:
eventtype=vlan:sales, or even try eventtype=vlan:* | top eventtype

Remember: if your internal_networks.csv changes, you will have to regenerate your eventtypes.conf with the magical awk line from above.

Comments?

Ross Warren
Cyber Security, CISSP, GCIH, GSEC 



Tuesday, May 21, 2013

SPLUNK: Finding VLAN to VLAN traffic

We are most often concerned with traffic flowing out of the network or into the network. This is where the bad guys start from and most often show their intentions.. But what about the embedded bad guy that is already in your network..

**For whatever reason** your IDS missed it, or they were already in and then you deployed your IDS...

I am talking about internal VLAN traffic, from the Marketing VLAN to the Finance VLAN.. that probably shouldn't be happening, and we need to watch for it.

Assumption: Your internal network numbering is based off of 192.168.0.0/16

So a simple Splunk search would reveal traffic sourced from internal PC/laptop hosts to other internal PC/laptop hosts:
src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16
but this ends up with a lot of events in which it is hard to decipher what is going where, and we don't have any "nice" names to determine whether an infected Marketing PC is trying to get to the Finance VLAN.

In come Splunk lookups! Here is the reference doc at Splunk: Splunk Lookup Command, but I will break down the steps here.

1) First create the csv file where your VLAN to Name translation is:
sudo vi /opt/splunk/etc/apps/search/lookups/internal_networks.csv
network,name
"192.168.1.0/24","Corporate"
"192.168.2.0/24","Voice"
"192.168.3.0/24","Operations"
"192.168.4.0/24","Server VLAN"
"192.168.5.0/24","Engineering"
"192.168.6.0/24","Security"
"192.168.7.0/24","Unassigned"
"192.168.8.0/24","IT Engineering"
"192.168.9.0/24","Human Resources"
"192.168.10.0/24","Unassigned"
"192.168.11.0/24","Wireless"
"192.168.12.0/24","Executive Office"
"192.168.13.0/24","Unassigned"
"192.168.14.0/24","VoIP VLAN"
"192.168.15.0/24","Finance"
"192.168.16.0/24","Marketing"
"192.168.17.0/24","PM Users"
"192.168.18.0/24","Sales"
"192.168.19.0/24","Consultants"
"192.168.20.0/24","Procurement"
"192.168.21.0/24","Guest"

2) Then create the lookup (additional documentation at Splunk Docs - Configure field lookups):

sudo vi /opt/splunk/etc/apps/search/local/props.conf
[*]
LOOKUP-vlan = vlan network OUTPUT name


3) Test with a simple search:

(src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16)| lookup vlan network AS src_ip OUTPUT name AS Src_VLAN 

We can now see a new field, Src_VLAN!

4) Finalize the search by removing the "Server VLAN (192.168.4.0/24)" and any broadcasts (255).

(src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16) AND src_ip!=192.168.4.0/24 AND dest_ip!=192.168.4.0/24 NOT 255
| lookup vlan network AS src_ip OUTPUT name AS Src_VLAN
| lookup vlan network AS dest_ip OUTPUT name AS Dest_VLAN
| where Src_VLAN != Dest_VLAN | chart count by Src_VLAN, Dest_VLAN

So now we know what VLANs are making connections to each other.
.. but what is normal? It is up to you to decide... Should the Finance VLAN be making connections to the "Corporate VLAN"? And more importantly, I should talk to IT about a better description than "Corporate VLAN"...
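Before trusting the chart, it helps to know what the pipeline should produce for a handful of known events. The script below is an added example, not code from the original post, that models the final search offline: it loads a subset of internal_networks.csv (constructed inline), looks up src_ip and dest_ip by subnet, drops the Server VLAN and broadcast traffic, keeps only cross-VLAN pairs, and counts by (Src_VLAN, Dest_VLAN), which is what `chart count by Src_VLAN, Dest_VLAN` tabulates. Two assumptions are worth stating: the post's props.conf refers to a lookup named vlan, which Splunk defines in transforms.conf, and for the network column to match by subnet rather than by exact string that stanza needs match_type = CIDR(network); the example assumes those CIDR semantics (longest prefix wins, which does not matter for the post's non-overlapping table). It also approximates the post's raw-text `NOT 255` as "either address ends in .255", and the sample events are constructed, not real firewall logs.

```python
"""Offline model of the post's VLAN-to-VLAN search.

Added example, not from the original post. Reproduces the SPL pipeline
step by step so the expected Src_VLAN/Dest_VLAN counts can be checked
against a known set of events.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed lookup table: a subset of the post's internal_networks.csv.
LOOKUP_CSV = """network,name
"192.168.4.0/24","Server VLAN"
"192.168.15.0/24","Finance"
"192.168.16.0/24","Marketing"
"192.168.18.0/24","Sales"
"""

# Constructed sample events as (src_ip, dest_ip) pairs.
SAMPLE_EVENTS = [
    ("192.168.16.23", "192.168.15.10"),   # Marketing -> Finance
    ("192.168.16.23", "192.168.15.10"),   # same pair again
    ("192.168.18.5",  "192.168.15.10"),   # Sales -> Finance
    ("192.168.15.10", "192.168.4.20"),    # Finance -> Server VLAN (excluded)
    ("192.168.16.7",  "192.168.16.255"),  # broadcast (excluded by NOT 255)
    ("192.168.16.7",  "192.168.16.9"),    # same VLAN (dropped by where)
    ("192.168.99.1",  "192.168.15.3"),    # subnet not in the table
    ("10.1.1.1",      "192.168.15.3"),    # outside 192.168.0.0/16
]

INTERNAL = ipaddress.ip_network("192.168.0.0/16")      # post's assumption
SERVER_VLAN = ipaddress.ip_network("192.168.4.0/24")   # removed in step 4


def load_lookup(csv_text):
    """Parse the lookup csv into [(ip_network, name), ...]."""
    return [(ipaddress.ip_network(r["network"]), r["name"])
            for r in csv.DictReader(io.StringIO(csv_text))]


def cidr_lookup(table, ip):
    """Model `lookup vlan network AS <field> OUTPUT name` with CIDR matching.
    Assumption: longest matching prefix wins; None when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def vlan_to_vlan(table, events):
    """Return Counter keyed by (Src_VLAN, Dest_VLAN), like the post's chart."""
    counts = Counter()
    for src, dst in events:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in INTERNAL or d not in INTERNAL:
            continue                                   # the 192.168.0.0/16 filter
        if s in SERVER_VLAN or d in SERVER_VLAN:
            continue                                   # src_ip!=... AND dest_ip!=...
        if src.endswith(".255") or dst.endswith(".255"):
            continue                                   # approximation of NOT 255
        src_vlan, dst_vlan = cidr_lookup(table, src), cidr_lookup(table, dst)
        if src_vlan is None or dst_vlan is None:
            continue                                   # where drops null fields
        if src_vlan != dst_vlan:                       # where Src_VLAN != Dest_VLAN
            counts[(src_vlan, dst_vlan)] += 1
    return counts


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for (src_vlan, dst_vlan), n in sorted(vlan_to_vlan(table, SAMPLE_EVENTS).items()):
        print(f"{src_vlan:>10} -> {dst_vlan:<10} {n}")
```

Events whose source subnet is missing from the csv (192.168.99.1 above) vanish from the chart rather than showing up as a warning; if that matters, count the None results separately so unmapped subnets get added to internal_networks.csv.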

Next post.. Using this lookup we created to name the VLANs on the fly in any search we do.

Ross Warren
Cyber Security, CISSP, GCIH, GSEC 



Wednesday, May 1, 2013

Why Orange Hat Security ?

A few folks have asked why "Orange Hat Security". There were a few personal reasons to choose this odd-sounding name, but it felt inspired.


    "Chloe"
  1. The weekend before creating this blog, I had just sold my 1974 Super Beetle, and "Chloe" was orange. She was in the family for over 16 years.. It was sad for everyone.
  2. I passed my CISSP in January and had just received my official CISSP #, and with the hours of studying to pass the test.. I wouldn't soon forget about the "Orange Book".
  3. A slight reference to the categorization of "white hat" and "black hat" security "professionals". Which side do you choose?