SPP, Lösungen im Team Page 1/24
How to Build a simple App for Splunk
Version: 1.2 Date: 25.03.2010
Project How to Build a simple App for Splunk
Project Leader Alexander Sznyi
Responsible Alexander Sznyi
Created 25.03.2010
Last Change
Revision
Reference
Change log
No. Date Version Author Comment
1 25.03.2010 1.0 Sznyi Create Document
Table of Contents
1 Create a new APP (Sample Snort App) .......... 4
2 Create an Index for your App (Sample Snort App) .......... 5
3 Install Snort on your System .......... 7
4 Create a Data Input for your App (Sample Snort App) .......... 7
5 Test your new APP with a search (Sample Snort App) .......... 8
6 Create 3 new important Fields for your App (Sample Snort App) .......... 9
7 Create 3 new searches for your new App .......... 14
8 Generate a Dashboard for your new APP .......... 20
1 Create a new APP (Sample Snort App)
- Log in to Splunk
- Go to Manager -> Apps
- Click the button Create app
- Fill in the form (see picture)
- When you are finished, press the Save button
2 Create an Index for your App (Sample Snort App)
- Open your new app
- From inside your app go directly to Manager -> Indexes (this is important: objects you create while the app is selected are stored with that app, so the new index belongs to your app)
- Click the button New
- Fill in the form (see picture)
- When you are finished, press the Save button
- Restart Splunk (Manager -> Server controls -> Restart Splunk); the new index is not active until Splunk has been restarted
3 Install Snort on your System
- In this example: apt-get install snort (Ubuntu installation)
4 Create a Data Input for your App (Sample Snort App)
- Open your new app
- From inside your app go directly to Manager -> Data inputs (this is important for the same reason as with the index: the input is then stored with your app)
- In this example choose Files & Directories
- Click the button New
- Fill in the form (see picture); make sure the input is assigned to the index created in section 2, so the Snort events do not end up in the default index. Then go back to your new app
5 Test your new APP with a search (Sample Snort App)
- Type index=snort * into the search window and press Enter. If nothing comes back, check that Snort has already written alerts and that the data input of section 4 points at the snort index
6 Create 3 new important Fields for your App (Sample Snort App)
- Go to your new app
- Type index=snort * into the search window and press Enter
- Press the button to the right of one of your events (see picture)
- Choose Extract Fields (a new window appears)
- Now you are in the Interactive Field Extractor window
- First we want to extract the following field: the alert message, i.e. the text between the [gid:sid:rev] tag and the closing [**] (marked in yellow in the picture). The sample event is:
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20
- First copy and paste all the marked message texts (yellow) into the Example values box and click Generate (see picture)
- Now a regex has been generated for your field: (?im)^(?:[^ ]* ){2}(?P<snort_message>.*?)\s+\[ . But you can see in the picture that this regex also matches other text in your log: it only requires two space-separated tokens before the field, so it fires on the [Classification: ...] line as well.
- So the correct regex for your field is (?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<snort_message>.*?)\s+\[ . It anchors on the [gid:sid:rev] tag, and you can now see in the picture that only your messages are marked.
- Save your new field: press the Save button and save the field as snort_message (see picture).
- Repeat these steps for the following new fields, using the same sample event and marking the value given:
o snort_classification: mark Attempted Denial of Service (the text inside [Classification: ...])
Regex = (?i)\[Classification: (?P<snort_classification>[^\]]*)(?=\])
o snort_priority: mark 2 (the number inside [Priority: ...])
Regex = (?i)\[Priority:\s+(?P<snort_priority>[^\]]*)(?=\])
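To check the three extractions outside the Interactive Field Extractor, here is an added example (not part of the original document) that applies the generated regex and the three corrected regexes to constructed Snort alert records, the first of which is the record quoted in this section. It shows why the generated regex over-matches (it also fires on the Classification line), parses each record into the three fields, and emits the equivalent props.conf stanza for readers who prefer shipping the app as files. The sourcetype name snort is an assumption.

```python
"""Re-run the section 6 field extraction outside the Interactive Field Extractor.

Added example, not from the original document. The two Snort alert records are
constructed for this example (the first is the record quoted in section 6); the
regexes are the ones the document gives. Assumed: sourcetype name "snort" for
the props.conf stanza.
"""
import re

# The regex the IFX generated first. It only demands "two space-separated
# tokens, then the field", so it also matches on the Classification line.
GENERATED_MESSAGE_RE = re.compile(r"(?im)^(?:[^ ]* ){2}(?P<snort_message>.*?)\s+\[")

# The corrected regexes; the group names are the field names the document saves.
FIELD_REGEXES = {
    "snort_message": re.compile(
        r"(?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<snort_message>.*?)\s+\["),
    "snort_classification": re.compile(
        r"(?i)\[Classification: (?P<snort_classification>[^\]]*)(?=\])"),
    "snort_priority": re.compile(
        r"(?i)\[Priority:\s+(?P<snort_priority>[^\]]*)(?=\])"),
}

# Constructed alert-file content in Snort's full-alert layout: one record per
# block, records separated by a blank line (which is how Splunk breaks the events).
SAMPLE_ALERTS = """\
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20

[**] [1:1000001:1] LOCAL ICMP echo request from test host [**]
[Classification: Misc activity] [Priority: 3]
03/25-10:12:01.000000 10.1.1.67 -> 10.1.1.172
ICMP TTL:128 TOS:0x0 ID:4169 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:1 ECHO
"""


def split_events(alert_text):
    """Split alert-file text into records on blank lines."""
    return [ev.strip("\n") for ev in re.split(r"\n[ \t]*\n", alert_text) if ev.strip()]


def all_matches(event, regex):
    """Every match of a single-group regex inside one event; this is what the
    IFX highlights in yellow when it previews a regex."""
    return regex.findall(event)


def parse_alert(event):
    """Apply the three saved extractions to one record, first match each (how a
    saved extraction behaves at search time). Missing fields come back as None."""
    fields = {}
    for name, regex in FIELD_REGEXES.items():
        m = regex.search(event)
        fields[name] = m.group(name) if m else None
    return fields


def props_conf_stanza(sourcetype="snort"):
    """The same three extractions as props.conf EXTRACT- rules, for shipping the
    app as files instead of clicking them into the IFX (sourcetype name assumed)."""
    lines = [f"[{sourcetype}]"]
    lines += [f"EXTRACT-{name} = {regex.pattern}" for name, regex in FIELD_REGEXES.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    first = split_events(SAMPLE_ALERTS)[0]
    print("generated regex :", all_matches(first, GENERATED_MESSAGE_RE))
    print("corrected regex :", all_matches(first, FIELD_REGEXES["snort_message"]))
    for event in split_events(SAMPLE_ALERTS):
        print(parse_alert(event))
    print(props_conf_stanza(), end="")
```

Running it on the first record, the generated regex returns two matches (the message and the stray "Denial of Service]" from the Classification line) while the corrected one returns only the message; records that do not look like a Snort alert give None for all three fields instead of a wrong value.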
7 Create 3 new searches for your new App
- The first search is index="snort" snort_message="*" snort_classification="*" snort_priority="*" src_ip="*" src_port="*" dest_ip="*" dest_port="*" (see picture). Note that src_ip, src_port, dest_ip and dest_port are not among the three fields extracted in section 6; a filter such as src_ip="*" only returns events in which that field exists, so these fields must be available in your installation for the search to return anything.
- Save the search: go to the Actions button and press Save search... (see picture)
- A new window appears; name the search Snort Alerts Last 4 Hours (see picture) and save it.
- The second search is a report. The search is index="snort" snort_priority="*" snort_message="*" snort_classification="*". Go to the field list on the left side of the window and press the button to the right of snort_message (see picture).
- Now choose Report on: top values overall, and set the chart title to Snort Top messages overall
- Press the button Save and choose Save report...
- Name the saved report Snort Top messages overall and save it.
- The third search is also a report, with the same search: index="snort" snort_priority="*" snort_message="*" snort_classification="*". In the field list on the left side of the window press the button to the right of snort_priority, choose top values by time, and save your report as Snort Prioritys in the last 24 Hours (see the picture for how it looks).
8 Generate a Dashboard for your new APP
- Open your new app, press the button Actions and select Create new dashboard...
- Name the dashboard SNORT (see picture) and press Create
- Now press Edit the dashboard
- Build your first panel, name it Snort Prioritys in the last 24 Hours (see picture) and press Add panel
- Add the next panel, Snort Top messages overall (see picture).
- Add the last panel, Snort Alerts Last 4 Hours (see picture), and close.
- Now you see your new dashboard (see picture)
LAST POINT: do not forget to give other people access to your new app and to its index, searches, reports and dashboards. Objects you create in Splunk are private to your own user until you share them; grant read access to the roles that need the dashboards and keep write access with the admins, so nobody else can change the extractions or searches.
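Everything clicked together in sections 1, 2, 4, 7 and 8, plus the sharing of the last point, ends up as plain files under the app directory. The following added example (not from the original document, and not Splunk's own tooling) writes that layout into a scratch directory and then runs the checks a practitioner wants before handing the app over: the input feeds the app's own index, every dashboard panel names a saved search that exists, and the objects are readable by other roles. Assumptions, stated in the code as well: the Splunk 4.x app layout (objects created inside an app land in its local/ directory, dashboards in local/data/ui/views/, permissions in metadata/local.meta), the app id and index name snort, the Ubuntu snort package's alert file /var/log/snort/alert, and the SPL the 4.x report builder emits for "top values overall" (| top) and "top values by time" (| timechart).

```python
"""File-based equivalent of the Manager clicks in sections 1, 2, 4, 7 and 8 and
of the closing note on access: lay out the app under $SPLUNK_HOME/etc/apps/.

Added example, not from the original document. Assumed: the Splunk 4.x app
layout (objects created inside an app land in its local/ directory, dashboards
in local/data/ui/views/, permissions in metadata/local.meta), app id and index
name "snort", the Ubuntu snort package's alert file /var/log/snort/alert, and
the SPL the 4.x report builder emits for "top values overall" (| top) and
"top values by time" (| timechart).
"""
import os
import re
import tempfile

APP_ID = INDEX = "snort"
ALERT_FILE = "/var/log/snort/alert"
BASE = f'index="{INDEX}" snort_message="*" snort_classification="*" snort_priority="*"'

FILES = {  # relative path inside the app -> file content
    # section 1: the app itself
    "default/app.conf": f"[ui]\nis_visible = 1\nlabel = Sample Snort App\n\n[package]\nid = {APP_ID}\n",
    # section 2: the index, created from inside the app so it is stored with the app
    "local/indexes.conf": (
        f"[{INDEX}]\nhomePath = $SPLUNK_DB/{INDEX}/db\n"
        f"coldPath = $SPLUNK_DB/{INDEX}/colddb\nthawedPath = $SPLUNK_DB/{INDEX}/thaweddb\n"
    ),
    # section 4: the file input, pinned to the app index so events do not land in main
    "local/inputs.conf": f"[monitor://{ALERT_FILE}]\ndisabled = false\nindex = {INDEX}\nsourcetype = snort\n",
    # section 7: the three saved searches / reports
    "local/savedsearches.conf": (
        f'[Snort Alerts Last 4 Hours]\nsearch = {BASE} src_ip="*" src_port="*" dest_ip="*" dest_port="*"\n'
        "dispatch.earliest_time = -4h\n\n"
        f"[Snort Top messages overall]\nsearch = {BASE} | top snort_message\n\n"
        f"[Snort Prioritys in the last 24 Hours]\nsearch = {BASE} | timechart count by snort_priority\n"
        "dispatch.earliest_time = -24h\n"
    ),
    # section 8: simple-XML dashboard whose panels run the saved searches by name
    "local/data/ui/views/snort.xml": (
        "<dashboard>\n  <label>SNORT</label>\n  <row>\n"
        "    <chart><searchName>Snort Prioritys in the last 24 Hours</searchName></chart>\n"
        "    <chart><searchName>Snort Top messages overall</searchName></chart>\n  </row>\n"
        "  <row>\n    <event><searchName>Snort Alerts Last 4 Hours</searchName></event>\n  </row>\n"
        "</dashboard>\n"
    ),
    # LAST POINT: share the objects. Read for every role, write for admin only;
    # export = system makes the index and extractions visible from other apps.
    "metadata/local.meta": "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n",
}


def build_app(splunk_home):
    """Write every entry of FILES below etc/apps/<APP_ID>/ and return the paths."""
    app_dir = os.path.join(splunk_home, "etc", "apps", APP_ID)
    written = []
    for rel, body in FILES.items():
        path = os.path.join(app_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        written.append(path)
    return written


def build_app_in_scratch():
    """Build into a throwaway directory rather than a live $SPLUNK_HOME."""
    home = tempfile.mkdtemp(prefix="splunk-home-")
    return home, build_app(home)


def check_app(splunk_home):
    """Checks worth running after the clicking (or after build_app): input feeds
    the app's own index, every dashboard panel names an existing saved search,
    and the objects are shared. Returns a list of problems, empty when all is well."""
    app_dir = os.path.join(splunk_home, "etc", "apps", APP_ID)

    def read(rel):
        with open(os.path.join(app_dir, *rel.split("/"))) as fh:
            return fh.read()

    problems = []
    if f"index = {INDEX}" not in read("local/inputs.conf"):
        problems.append("input does not write to the app index")
    if f"[{INDEX}]" not in read("local/indexes.conf"):
        problems.append("index stanza missing")
    saved = {ln.strip("[]") for ln in read("local/savedsearches.conf").splitlines()
             if ln.startswith("[")}
    for name in re.findall(r"<searchName>(.*?)</searchName>", read("local/data/ui/views/snort.xml")):
        if name not in saved:
            problems.append(f"dashboard panel uses unknown saved search {name!r}")
    if "read : [ * ]" not in read("metadata/local.meta"):
        problems.append("objects are private: no read access for other roles")
    return problems


if __name__ == "__main__":
    home, paths = build_app_in_scratch()
    print("\n".join(paths))
    print("problems:", check_app(home) or "none")
```

The write permission is deliberately restricted to admin in local.meta: a shared dashboard is only as trustworthy as the saved searches and field extractions behind it, and anyone with write access to those can silently change what the SNORT dashboard reports. After copying the directory into a real $SPLUNK_HOME/etc/apps/ a restart is still needed, as in section 2.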