Tuesday, May 21, 2013

SPLUNK: Finding VLAN to VLAN traffic

We are most often concerned with traffic flowing out of the network or into it. That is where the bad guys start from and most often show their intentions. But what about the bad guy who is already embedded in your network?

**For whatever reason** your IDS missed it, or they were already in when you deployed your IDS...

I am talking about internal VLAN traffic, from the Marketing VLAN to the Finance VLAN. That probably shouldn't be happening, and we need to watch for it.

Assumption: Your internal network numbering is based off of 192.168.0.0/16

So a simple Splunk search would reveal traffic sourced from internal PC/laptop hosts to other internal PC/laptop hosts:
src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16
but this returns a lot of events in which it is hard to decipher what is going where, and we have no "nice" names to tell whether an infected Marketing PC is trying to reach the Finance VLAN.

In come Splunk lookups! Here is the reference doc at Splunk: Splunk Lookup Command, but I will break down the steps here.

1) First create the csv file where your VLAN to Name translation is:
sudo vi /opt/splunk/etc/apps/search/lookups/internal_networks.csv
network,name
"192.168.1.0/24","Corporate"
"192.168.2.0/24","Voice"
"192.168.3.0/24","Operations"
"192.168.4.0/24","Server VLAN"
"192.168.5.0/24","Engineering"
"192.168.6.0/24","Security"
"192.168.7.0/24","Unassigned"
"192.168.8.0/24","IT Engineering"
"192.168.9.0/24","Human Resources"
"192.168.10.0/24","Unassigned"
"192.168.11.0/24","Wireless"
"192.168.12.0/24","Executive Office"
"192.168.13.0/24","Unassigned"
"192.168.14.0/24","VoIP VLAN"
"192.168.15.0/24","Finance"
"192.168.16.0/24","Marketing"
"192.168.17.0/24","PM Users"
"192.168.18.0/24","Sales"
"192.168.19.0/24","Consultants"
"192.168.20.0/24","Procurement"
"192.168.21.0/24","Guest"

2) Then create the lookup. Additional documentation at Splunk Docs - Configure field lookups.

sudo vi /opt/splunk/etc/apps/search/local/props.conf
[*]
LOOKUP-vlan = vlan network OUTPUT name
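The LOOKUP-vlan line above refers to a lookup definition named vlan, which Splunk reads from transforms.conf in the same app. The post does not show that stanza, so the following is an added configuration fragment (not from the original post) showing the form it takes; it assumes the CSV file from step 1 and CIDR matching on the network column, which is what lets a host address such as 192.168.16.23 match the row for 192.168.16.0/24.

```ini
# /opt/splunk/etc/apps/search/local/transforms.conf (added example, not from the post)
[vlan]
# the CSV created in step 1, resolved relative to the app's lookups directory
filename = internal_networks.csv
# treat the "network" column as CIDR ranges and match the looked-up IP against them
match_type = CIDR(network)
# return at most one matching row per input IP
max_matches = 1
```

After saving both files, restart Splunk (or reload the configuration) and confirm with the step 3 search that Src_VLAN is populated; if it stays empty, the lookup definition name in props.conf and transforms.conf does not match.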


3) Test with a simple search:

(src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16)| lookup vlan network AS src_ip OUTPUT name AS Src_VLAN 

We can now see a new field, Src_VLAN!

4) Finalize the search by removing the "Server VLAN (192.168.4.0/24)" and any broadcasts (255).

(src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16) AND src_ip!=192.168.4.0/24 AND dest_ip!=192.168.4.0/24 NOT 255 
| lookup vlan network AS src_ip OUTPUT name AS Src_VLAN 
| lookup vlan network AS dest_ip OUTPUT name AS Dest_VLAN 
| where Src_VLAN != Dest_VLAN |chart count by Src_VLAN, Dest_VLAN
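To make explicit what the finished search computes, here is the same pipeline written out in Python as an added example (it is not from the post and is not a Splunk component). It runs a CIDR lookup over a constructed subset of the internal_networks.csv table, drops events that touch the Server VLAN, drops broadcasts by checking the destination against the directed-broadcast address of each known VLAN rather than the text match NOT 255 (which would also drop an event whose port or byte count happens to be 255), and counts source/destination VLAN pairs. The log lines, field names and addresses are constructed for the example.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed subset of the post's internal_networks.csv lookup table.
INTERNAL_NETWORKS_CSV = """network,name
"192.168.1.0/24","Corporate"
"192.168.4.0/24","Server VLAN"
"192.168.15.0/24","Finance"
"192.168.16.0/24","Marketing"
"""

# Constructed firewall-style events (not real data); only src_ip/dest_ip matter here.
SAMPLE_EVENTS = [
    "src_ip=192.168.16.23 dest_ip=192.168.15.10 dest_port=445 action=allowed",
    "src_ip=192.168.16.23 dest_ip=192.168.15.11 dest_port=445 action=allowed",
    "src_ip=192.168.16.40 dest_ip=192.168.16.41 dest_port=139 action=allowed",   # same VLAN
    "src_ip=192.168.15.5 dest_ip=192.168.4.20 dest_port=1433 action=allowed",    # Server VLAN
    "src_ip=192.168.16.23 dest_ip=192.168.15.255 dest_port=137 action=allowed",  # directed broadcast
    "src_ip=192.168.1.9 dest_ip=10.1.1.1 dest_port=443 action=allowed",          # leaves the /16
    "src_ip=192.168.15.7 dest_ip=192.168.1.30 dest_port=3389 action=allowed",
]

INTERNAL = ipaddress.ip_network("192.168.0.0/16")      # the post's assumption
SERVER_VLAN = ipaddress.ip_network("192.168.4.0/24")   # excluded in step 4
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def load_networks(csv_text):
    """Parse the lookup CSV into (network, name) pairs, most specific prefix first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    nets = [(ipaddress.ip_network(r["network"]), r["name"]) for r in rows]
    nets.sort(key=lambda n: n[0].prefixlen, reverse=True)
    return nets


def vlan_name(ip, nets):
    """CIDR lookup, the equivalent of 'lookup vlan network AS <ip> OUTPUT name'."""
    ip = ipaddress.ip_address(ip)
    for net, name in nets:
        if ip in net:
            return name
    return None  # unmatched, like a null Src_VLAN/Dest_VLAN in Splunk


def is_broadcast(ip, nets):
    """True for the limited broadcast or the directed broadcast of any known VLAN."""
    ip = ipaddress.ip_address(ip)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip == net.broadcast_address for net, _ in nets)


def cross_vlan_counts(events, nets):
    """Counter of (Src_VLAN, Dest_VLAN) for internal, cross-VLAN, non-server, non-broadcast flows."""
    counts = Counter()
    for line in events:
        fields = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields["src_ip"])
            dst = ipaddress.ip_address(fields["dest_ip"])
        except (KeyError, ValueError):
            continue  # event lacks parseable src_ip/dest_ip
        if src not in INTERNAL or dst not in INTERNAL:
            continue  # only internal-to-internal traffic, as in the base search
        if src in SERVER_VLAN or dst in SERVER_VLAN:
            continue  # step 4: drop the Server VLAN on either side
        if is_broadcast(dst, nets):
            continue  # step 4: drop broadcasts without a fragile text match on "255"
        s, d = vlan_name(src, nets), vlan_name(dst, nets)
        if s is None or d is None or s == d:
            continue  # 'where Src_VLAN != Dest_VLAN'
        counts[(s, d)] += 1
    return counts


if __name__ == "__main__":
    nets = load_networks(INTERNAL_NETWORKS_CSV)
    for (s, d), n in sorted(cross_vlan_counts(SAMPLE_EVENTS, nets).items()):
        print(f"{s:>10} -> {d:<10} {n}")
```

Running it on the constructed events yields two Marketing to Finance connections and one Finance to Corporate connection; the same-VLAN, Server VLAN, broadcast and outbound events are dropped exactly as the SPL filters intend.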

So now we know which VLANs are making connections to each other.
But what is normal? That is up to you to decide. Should the Finance VLAN be making connections to the "Corporate" VLAN? More importantly, I should talk to IT about a better description than "Corporate VLAN"...

Next post: using the lookup we created to name the VLANs on the fly in any search we do.

Ross Warren
Cyber Security, CISSP, GCIH, GSEC 


