{"id":1084,"date":"2014-08-10T11:44:49","date_gmt":"2014-08-10T16:44:49","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=1084"},"modified":"2014-08-10T11:47:17","modified_gmt":"2014-08-10T16:47:17","slug":"splunk-reporting-mapping-brute-force-attempts","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2014\/08\/splunk-reporting-mapping-brute-force-attempts\/","title":{"rendered":"Splunk Reporting: Mapping Brute Force Attempts"},"content":{"rendered":"<p>As part of my <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2014\/08\/adventures-in-networking-setting-up-a-home-network-with-edgeos\/\" target=\"_blank\">home network setup<\/a>, I talked a bit about how I set up Splunk and used it for metrics on firewall performance. Splunk is an incredibly powerful tool and can be used for much, much more than that. This weekend I pretty easily set up a cool new dashboard to monitor brute-force attempts against my website using Splunk. Below is what I did.<\/p>\n<p><!--more--><\/p>\n<p>What I was most interested in was monitoring brute force attempts against my main website (<a href=\"http:\/\/www.nathanhunstad.com\">http:\/\/www.nathanhunstad.com<\/a>), which is built on Joomla. Joomla records authentication errors in an errors.php file like so:<\/p>\n<p><span style=\"font-family: 'Courier New';\">2014-07-22 11:26:50 INFO 176.102.38.74 Joomla FAILURE: Username and password do not match or you do not have an account yet.<\/span><\/p>\n<p>As you can see, I have date, time, notification level (INFO), client IP, and the fact that the login was a failure. From here, it\u2019s easy to have Splunk report on attacks.<\/p>\n<p>The first step is to get the data into Splunk. I downloaded the file from my website and stuck it in a place where Splunk could find it. I configured a new file-based data source, pointed it at the file, set up a new sourcetype (php_error) and set each line as a separate event. 
I then set up a field extraction to grab the IP address, and I was done with manipulating the data.<\/p>\n<p>Next, I set up a search to show brute force attempts. This was the search string:<\/p>\n<p><span style=\"font-family: 'Courier New';\">index=throwaway \"FAILURE\" sourcetype=\"php_error\" | transaction IP maxpause=1h maxevents=5000 | where eventcount&gt;1 | table _time, IP, eventcount<\/span><\/p>\n<p>Step by step: I have this in my throwaway index for now since I am still playing with it. It is searching sourcetype php_error for FAILURE notices. It then groups transactions by IP address, with a maxpause of 1 hour: if the same IP address has multiple events within an hour of each other, I consider that to be part of the same brute force attempt, but a gap of more than an hour starts a separate attempt. The maximum number of events in any one transaction I override from the default 1,000 to 5,000. I then only include transactions with an eventcount greater than 1: a single failed login from an IP is not a brute force attempt. Finally, my results are a table with the time of the event, the IP address, and the count of failed logins:<\/p>\n<p><a href=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceTable.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"BruteForceTable\" src=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceTable_thumb.png\" alt=\"BruteForceTable\" width=\"612\" height=\"255\" border=\"0\" \/><\/a><\/p>\n<p>From there, it\u2019s a simple step to show that in a graph. 
I have the y-axis set as a log scale to better show the differences:<\/p>\n<p><a href=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceGraph.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"BruteForceGraph\" src=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceGraph_thumb.png\" alt=\"BruteForceGraph\" width=\"631\" height=\"452\" border=\"0\" \/><\/a><\/p>\n<p>Mapping is almost as easy. To get stats that I can put on a map, I slightly tweaked the search string:<\/p>\n<p><span style=\"font-family: 'Courier New';\">index=throwaway \"FAILURE\" sourcetype=\"php_error\" | transaction IP maxpause=1h maxevents=5000 | where eventcount&gt;1 | iplocation IP | geostats latfield=lat longfield=lon sum(eventcount)<\/span><\/p>\n<p><span style=\"font-family: 'Courier New';\">iplocation<\/span> is the command for Splunk to translate IP addresses into lat\/lon data, and then the <span style=\"font-family: 'Courier New';\">geostats<\/span> command creates geo-based statistics based on what we are interested in: here the sum of events from particular locations. 
This is the result:<\/p>\n<p><a href=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceMap.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"BruteForceMap\" src=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceMap_thumb.png\" alt=\"BruteForceMap\" width=\"632\" height=\"379\" border=\"0\" \/><\/a><\/p>\n<p>From there, I can zoom in to get more granular results:<\/p>\n<p><a href=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceMapZoom.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"BruteForceMapZoom\" src=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceMapZoom_thumb.png\" alt=\"BruteForceMapZoom\" width=\"643\" height=\"382\" border=\"0\" \/><\/a><\/p>\n<p>Hovering gets me stats I can drill down into:<\/p>\n<p><a href=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceMapHover.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"BruteForceMapHover\" src=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceMapHover_thumb.png\" alt=\"BruteForceMapHover\" width=\"485\" height=\"257\" border=\"0\" \/><\/a><\/p>\n<p>Finally, I put it all together on a dashboard with a timepicker I can use to customize the time period:<\/p>\n<p><a href=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceDashboard.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"BruteForceDashboard\" 
src=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2014\/08\/BruteForceDashboard_thumb.png\" alt=\"BruteForceDashboard\" width=\"585\" height=\"632\" border=\"0\" \/><\/a><\/p>\n<p>That\u2019s it! It took a couple of hours of playing around and learning the syntax; from now on this is going to be easy.<\/p>\n<p>The only problem I have with this setup is that it is static: I grabbed these files one time to figure out how to do it. Now I have to set up a script to pull the log files down from my website on a daily basis and get them into Splunk, but once that is up and running I will have updated stats on brute force attempts on a daily basis. Not bad for a morning\u2019s work!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of my home network setup, I talked a bit about how I set up Splunk and used it for metrics on firewall performance. Splunk is an incredibly powerful tool and can be used for much, much more than that. This weekend I pretty easily set up a cool new dashboard to monitor brute-force&hellip; <a class=\"more-link\" href=\"https:\/\/www.nathanhunstad.com\/blog\/2014\/08\/splunk-reporting-mapping-brute-force-attempts\/\">Continue reading <span class=\"screen-reader-text\">Splunk Reporting: Mapping Brute Force 
Attempts<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[256,252],"class_list":["post-1084","post","type-post","status-publish","format-standard","hentry","category-tech-2","tag-brute-force","tag-splunk","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=1084"}],"version-history":[{"count":2,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1084\/revisions"}],"predecessor-version":[{"id":1086,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1084\/revisions\/1086"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=1084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=1084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=1084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}